Bad gateway in Chrome and Edge when redirect http to https

Help!
1

Hi!

I made a simple configuration to redirect any incoming http traffic to https using some certs using this simple configuration.

global
    log         127.0.0.1 local1

defaults
    log     global
    mode    http
    option  httplog

frontend http_https
    bind 172.17.0.2:80
    bind 172.17.0.2:443 ssl crt /etc/haproxy/certs/
    http-request redirect scheme https unless { ssl_fc }

    default_backend drive_server

backend drive_server    
    server synodrive01 192.168.6.97:10002

While this works using the URL drive.mydomain.de I get a proper redirection using the latest Firefox in Windows 10 Pro, this does not work using Edge or Chrome.

Both browsers return a 502 Bad Gateway, no matter if I use https://drive.mydomain.de or http://drive.mydomain.de

While opening the URL in Edge or Chrome, I don’t even get any log output in /var/log/haproxy, at least not at the time of pressing enter to open the web page.

When the 502 raises, the following lines where logged.

May 17 20:49:55 localhost haproxy[25280]: 166.66.111.239:47938 [17/May/2021:20:49:45.671] http_https~ drive_server/synodrive01 0/0/4/-1/10011 502 214 - - SH-- 2/2/0/0/0 0/0 "GET / HTTP/1.1" 
May 17 20:50:25 localhost haproxy[25280]: 166.66.111.239:48132 [17/May/2021:20:50:15.912] http_https~ drive_server/synod rive01 0/0/1/-1/10011 502 214 - - SH-- 1/1/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"

Strange enough, when choosing mode tcp in config, all runs well, however, without http to https redirection of course. The log gives me this output:

May 17 20:58:45 localhost haproxy[26525]: 166.66.111.239:44458 [17/May/2021:20:58:32.764] http_https drive_server/synodrive01 1/1/12794 26494 -- 10/10/9/9/0 0/0

So whats the deal with Edge and Chrome? I understand that probably both browsers are using the same engine underneath and Firefox works because of its own engine.

But this does not fully explain why Chrome/Edge result in a 502 error.

Any hints are highly appreciated since I’m already pulling my hairs out for quite a while now :wink:

Thanks,
Michael

2

What does the synodrive01 server expect on port 10002? HTTPS or HTTP? If it expects HTTPS, then this configuration is wrong, because you are terminating SSL on the frontend and sending plaintext traffic to your backend server.

What does “when choosing mode tcp” entail?

Disabling ssl termination (ssl keyword and certificate configuration) or was haproxy always terminating SSL?

When you say “all runs well”, are you accessing haproxy with a http or https URI or both?

You need to know whether backend server expects HTTP or HTTPS on port 10002, and configure haproxy appropriately.

Assuming that the backend expects HTTPS and you reconfigured haproxy by enabling SSL termination I suggest a different approach.

Leave haproxy in tcp mode generally, and create a dedicated frontend in http mode for the redirection as opposed to reconfigure it all:

global
    log         127.0.0.1 local1

defaults
    log     global
    mode    tcp
    option  tcplog

frontend https
    bind 172.17.0.2:443
    default_backend drive_server

backend drive_server    
    server synodrive01 192.168.6.97:10002


# the following sections are in http mode
defaults
    log     global
    mode    http
    option  httplog

frontend http
    bind 172.17.0.2:80
    http-request redirect scheme https

You don’t know what heuristic browsers implement to workaround broken server configurations. Use curl -vv to get independent confirmation.

3

Hi @lukastribus! Thanks for your reply!

What does “when choosing mode tcp” entail?
Disabling ssl termination (ssl keyword and certificate configuration) or was haproxy always terminating SSL?

This means, in my case, instead of using mode http I just switched to mode tcp and commented all unnecessary lines that are not applicable.

global
	log         127.0.0.1 local1

defaults
    log     global
    mode    tcp
    option  httplog
		
frontend http_https
    bind 172.17.0.2:80
    #bind 172.17.0.2:443 ssl crt /etc/haproxy/certs/
	#http-request redirect scheme https unless { ssl_fc }
	
    default_backend drive_server

backend drive_server	
    server synodrive01 192.168.6.97:10002

When you say “all runs well”, are you accessing haproxy with a http or https URI or both?

I just typed in drive.mydomain.de into Edge (Win10 all updates installed) and that’s it. Edge tells me in the address line that the connection is unsecure but it finally works. Using the above config with mode tcp.

You need to know whether backend server expects HTTP or HTTPS on port 10002, and configure haproxy appropriately.

I’m pretty sure that the backend server (running on a Synology NAS) does not need https. At least I did not configure https for that app behind port 10002. The backend server is not directly connected to the internet hence HAProxy should do the job and the SSL termination. At least this was my intention.

I’ve changed my config according to your posted config above. However, this did not really improve my experience. Either I misunderstood this config or sthg is missing, e.g. to load any certs. So my final, slightly adapted config, is

global
    log         127.0.0.1 local1

defaults
    log     global
    mode    tcp
    option  tcplog

frontend https
    bind 172.17.0.2:443 ssl crt /etc/haproxy/certs/
    default_backend drive_server

# the following sections are in http mode
defaults
    log     global
    mode    http
    option  httplog

frontend http
    bind 172.17.0.2:80
    http-request redirect scheme https
    default_backend drive_server

backend drive_server    
    server synodrive01 192.168.6.97:10002

But this did not work either. When using Edge and URI https://drive.mydomain.de, error 502 Bad Gateway still pops up, when using Firefox, alls is well iwth the very same URI.

Maybe I did not fully understand your config, but when using it w/o any modification, it does not work at all.

I’ve used curl -vv drive.mydomain.de w/o any protocol.

curl -vv drive.mydomain.de

  • Trying 166.66.111.239:80…
  • Connected to drive.mydomain.de (166.66.111.239) port 80 (#0)

GET / HTTP/1.1
Host: drive.mydomain.de
User-Agent: curl/7.73.0
Accept: /

I see a redirection, that curl is not following without specifying additional parameters, of course.

So I tried the curl with -L parameter. This is the result, shortend of course.

curl -vv drive.mydomain.de -L
*   Trying 166.66.111.239:80...
* Connected to drive.mydomain.de (166.66.111.239) port 80 (#0)
> GET / HTTP/1.1
> Host: drive.mydomain.de
> User-Agent: curl/7.73.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< content-length: 0
< location: https://drive.mydomain.de/
< cache-control: no-cache
<
* Connection #0 to host drive.mydomain.de left intact
* Issue another request to this URL: 'https://drive.mydomain.de/'
*   Trying 166.66.111.239:443...
* Connected to drive.mydomain.de (166.66.111.239) port 443 (#1)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=drive.mydomain.de
*  start date: May 16 15:36:26 2021 GMT
*  expire date: Aug 14 15:36:26 2021 GMT
*  subjectAltName: host "drive.mydomain.de" matched cert's "drive.mydomain.de"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: drive.mydomain.de
> User-Agent: curl/7.73.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< server: nginx
< date: Thu, 20 May 2021 18:27:56 GMT
< content-type: text/html; charset="UTF-8"
< transfer-encoding: chunked
< keep-alive: timeout=20
< vary: Accept-Encoding
< cache-control: no-store
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< x-frame-options: SAMEORIGIN
< p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
< content-security-policy: base-uri 'self';  connect-src ws: wss: *; default-src 'self' 'unsafe-eval' data: blob: https://*.synology.com https://www.synology.cn/; font-src 'self' data: https://*.googleapis.com https://*.gstatic.com; form-action 'self'; frame-ancestors 'self' https://gofile.me http://gofile.me; frame-src 'self' data: blob: https://*.synology.com https://www.synology.cn/ http://*.synology.com http://*.synology.cn; img-src 'self' data: blob: https://*.google.com https://*.googleapis.com http://*.googlecode.com https://*.gstatic.com; media-src 'self' data: about:;  script-src 'self' 'unsafe-eval' data: blob: https://*.synology.com https://www.synology.cn/ https://*.google.com https://*.googleapis.com; style-src 'self' 'unsafe-inline' https://*.googleapis.com;
< set-cookie: id=;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/
<
<!DOCTYPE html>
<html>

It looks like the command finished successfully. But this is the result of a shell command running on the same host where HAproxy is running. The results in a browser on a Win client machine inside the LAN is obviously different.

Michael

4

Post the output the following curl commands please:

curl -vv http://192.168.6.97:10002/
curl -vv https://192.168.6.97:10002/

Meaning you disable everything HTTPS related, and forward port 80 to 192.168.6.97:10002.

So, why don’t you make one change at the time, then troubleshooting will be way easier.

Only enable port 443 on haproxy, without turning on mode http or http redirect. Test in all browser both http and https.

If you see any issues, closen and reopen the browser, hit F12 for the developer tools and go the the network tab to capture all requests, and then reproduce the issue. Check what the developer tools are saying.

Also look for any errors in the console of the developer tools, also for Firefox, which works (because the working browser may hint something related to a deployed workaround).

If this all works, change mode tcp to mode http, and again test everything.

The point is, make one change at the time. If you make 3 - 4 changes at once, you won’t be able to easily pinpoint the offending change.

5

Hi and thanks for your ongoing support. In the meantime I was not lazy. Believe me I now tried everthing to get my backend server online (in Edge and Chrome).

Let me add some details which may be important. I’m running HAproxy on my Linux firewall IPFire. Port 80 and 443 are open, the firewall has the IP-address 172.17.0.2, hence those binding to port 80 and 443 to this address in my config.

The backend server in question cannot be accessed from internet so HAProxy shoild be the solution to redirect the subdomain drive.mydomain.de to the backend, which has got the IP-address 192.168.6.97 and port 10002 (port 80 is reserved hence this custom port). The webserver serving port 10002 is nginx and is not configured for https nor does it have any certification attached. This should be the part of HAproxy.

Here ist the output of (shortend)

curl -vv http://192.168.6.97:10002/

*   Trying 192.168.6.97:10002...
* Connected to 192.168.6.97 (192.168.6.97) port 10002 (#0)
> GET / HTTP/1.1
> Host: 192.168.6.97:10002
> User-Agent: curl/7.73.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx
< Date: Sat, 22 May 2021 12:32:20 GMT
< Content-Type: text/html; charset="UTF-8"
< Transfer-Encoding: chunked
< Connection: keep-alive
< Keep-Alive: timeout=20
< Vary: Accept-Encoding
< Cache-control: no-store
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
< Content-Security-Policy: base-uri 'self';  connect-src ws: wss: *; default-src 'self' 'unsafe-eval' data: blob: https://*.synology.com https://www.synology.cn/; font-src 'self' data: https://*.googleapis.com https://*.gstatic.com; form-action 'self'; frame-ancestors 'self' https://gofile.me http://gofile.me; frame-src 'self' data: blob: https://*.synology.com https://www.synology.cn/ http://*.synology.com http://*.synology.cn; img-src 'self' data: blob: https://*.google.com https://*.googleapis.com http://*.googlecode.com https://*.gstatic.com; media-src 'self' data: about:;  script-src 'self' 'unsafe-eval' data: blob: https://*.synology.com https://www.synology.cn/ https://*.google.com https://*.googleapis.com; style-src 'self' 'unsafe-inline' https://*.googleapis.com;
< Set-Cookie: id=;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/
<
<!DOCTYPE html>
<html>
<head>

Here ist the output of (shortend)

curl -vv https://192.168.6.97:10002/

*   Trying 192.168.6.97:10002...
* Connected to 192.168.6.97 (192.168.6.97) port 10002 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Above error obviously occurs because of the server not being configured for any https request.

I continued and followed your advice and started over, using a smart and simple basic config with a port 80 binding.

global
	log         127.0.0.1 local1

defaults
    log     global
    option  httplog
		
frontend http_https
    bind 172.17.0.2:80
    default_backend server

backend server	
    server synodrive01 192.168.6.97:10002

Using Firefox to access http://drive.mydomain.de works although the browser compains about an insecure connection.
Using Edge still using http, this, too works with the same security warning.

So basically a connection is possible, IMO. OTH both browsers cannot access the backend when using https protocol, this was expected, though.

Next step, I chenged config and added a binding for port 443, w/o any certifications.

global
	log         127.0.0.1 local1

defaults
    log     global
    option  httplog

frontend http_https
    bind 172.17.0.2:443 
    default_backend server

backend server	
    server synodrive01 192.168.6.97:10002

Neither Firefox nor Edge is able to reach the server using http protocol - this is OK!
Using https access, Firefox errors out, giving me the message SSL_ERROR_RX_RECORD_TOO_LONG.
Edge browser answered slightly different: ERR_SSL_PROTOCOL_ERROR

Guess both errors are due to not using any cert for SSL right now. Hence I’m changed the config file, adding a directory where the Let’s Encrypt certifications are saved.

bind 172.17.0.2:443 ssl crt /etc/haproxy/certs/

Using Firefox https://drive.mydomain.de works like a charm, no issues.
Using Edge to access the URL, it gave me the error ERR_EMPTY_RESPONSE and neither the console nor any other debug message in Edge’s dev environment did show any hint about this error.

At the time of this error I retried curl in a shell of my firewall and still got the same correct answer and html source like above.
curl -vv https://drive.mydomain.de

FWIW, I always restarted each browser (in private mode) before retrying again and again.

I continued and added mode http to the default section.
Now, Edge answered with a

502 Bad Gateway

while Firefox continued to work properly.

At this time I’m stuck with ideas to continue testing. No chance to get this running and to add, I’m running some more backend on different OS, e.g. Raspberry PI and Synology NAS using Docker containers and even native apps on Synology.

No matter which one I’m trying to access in Edge, any backend reacts similar to the experiences I made above, Chrome follows exactly (because of the same enging underneath?) while Firefox works flawlessly.

So do you still have the time and patience to read and answer? I’m certainly not that network expert nor HAproxy at all, however, this now basic setup should be simple enough to reach any of those backend servers via HAProxy, shouldn’t it.

My subdomains like drive.mydomain.de are configured to use CNAMEs, btw, if this matters.

Thank you very much for reading again and again,
Michael

6

Pretty sure there is no configuration mistake here then.

I assume this is gonna require some lower level troubleshooting. Can you open port 443 on the Internet and send me the link via private message?

7

Thanks Lukas for this offer, highly appreciated!

Which Haproxy config should I use while you are gonna accessing the server?

With opening port 443, do I have to take some more action besides telling you the genuine URL with correct domain name that I’m trying to access myself?

Michael

8

Yes, open Port 443 with SSL, so it works in Firefox but not in Chrome/Edge and I will see what I can find out.

Also could you share the output of haproxy -vv?

9

OK, so current config is, which works perfectly well for Firefox and https but not for Edge.

global
	log         127.0.0.1 local1

defaults
    log     global
    option  httplog
		
frontend http_https
    bind 172.17.0.2:443 ssl crt /etc/haproxy/certs/
    default_backend server

backend server	
    server synodrive01 192.168.6.97:10002

Output of haproxy -vv is

HA-Proxy version 2.2.4-de45672 2020/09/30 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2025.
Known bugs: http://www.haproxy.org/bugs/bugs-2.2.4.html
Running on: Linux 4.14.212-ipfire #1 SMP Fri Dec 18 09:53:24 GMT 2020 x86_64
Build options :
  TARGET  = linux-glibc
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -Wall -Wextra -Wdeclaration-after-statement -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-stringop-overflow -Wno-cast-function-type -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
  OPTIONS = USE_PCRE=1 USE_PCRE_JIT=1 USE_LINUX_TPROXY=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1

Feature list : +EPOLL -KQUEUE +NETFILTER +PCRE +PCRE_JIT -PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +BACKTRACE -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=4).
Built with OpenSSL version : OpenSSL 1.1.1h  22 Sep 2020
Running on OpenSSL version : OpenSSL 1.1.1i  8 Dec 2020
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.5
Built with network namespace support.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE version : 8.44 2020-02-12
Running on PCRE version : 8.44 2020-02-12
PCRE library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 10.2.0

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
            fcgi : mode=HTTP       side=BE        mux=FCGI
       <default> : mode=HTTP       side=FE|BE     mux=H1
              h2 : mode=HTTP       side=FE|BE     mux=H2
       <default> : mode=TCP        side=FE|BE     mux=PASS

Available services : none

Available filters :
        [SPOE] spoe
        [COMP] compression
        [TRACE] trace
        [CACHE] cache
        [FCGI] fcgi-app

I just sent you a PM with the URL I’m trying to access.

Btw, I tried to access the URL using my Android cell phone and tested with Firefox Android, latest version as well as Chrome - the result was identical, like any access before, from within my LAN.

Thank you again, for looking into this issue!
Michael

10

I can see that Chrome and Edge fails. The TLS connection is established correctly, but then after transmitting a HTTP request, the connection just closes.

I looked into the decrypted TLS session, but there is nothing specific there (connection just get’s closed).

At this point, I think it’s likely that something is wrong with the build/packages. I strongly suggest you install all ipfire updates, OS, libraries and packages, so that you see this:

[root@ipfire ~]# pakfire update
[root@ipfire ~]# pakfire upgrade
CORE ERROR: No new upgrades available. You are on release 156.
[root@ipfire ~]# haproxy -vv | grep "OpenSSL version"
Built with OpenSSL version : OpenSSL 1.1.1k  25 Mar 2021
Running on OpenSSL version : OpenSSL 1.1.1k  25 Mar 2021
[root@ipfire ~]# openssl version
OpenSSL 1.1.1k  25 Mar 2021
[root@ipfire ~]# ls -l /usr/sbin/haproxy
-rwxr-xr-x 1 root root 2468056 May  4 13:09 /usr/sbin/haproxy
[root@ipfire ~]# sha256sum /usr/sbin/haproxy
3eae1f6958e851ca0ce4d1546f39c1e8a66e5657314493d69cff7c0d855cdfd5  /usr/sbin/haproxy
[root@ipfire ~]#

If this doesn’t change anything, try downgrading to TLSv1.2 by specifying ssl-max-ver TLSv1.2 on the bind line, just to narrow it down.

11

Hi!

Thank you very much for your answer, help and time to investigate!

I will give this a try tomorrow and report back. Do you run IPFire yourself, just curious?

Michael

12

Sadly, this did not work either.

Using the old Internet Explorer in Windows 10 20H2, that is still running here, I can access https://drive.mydomain.de! This applies to my old config file as well as to the basic config above.

So there is anything special in Chromium with Edge and Chrome itself that is preventing the URL from accessing.

May be I will do some more tests and/or find some hints in www later on.

A BIG thanks to Lukas!

13

Did you upgrade IPFire and see the same outputs like I posted above (Built and Running on OpenSSL version 1.1.1k)?

14

Oops, sorry forgot to mention. Yes, I’ve upgraded and I’m now on core 156, all packets up to date, including Haproxy and openssl.
All versions as you posted above.

I even used a VPN connection to login to our office and tried Edge and Chrome on Win10 there, mainly to avoid any LAN issue on my side, but saw the save behavior on remote, too…

15

I think this may not be related to SSL after all. Can you capture the HTTP traffic on the backend, if any? I’d like to know if we can see something interesting between haproxy and the backend server.

tcpdump -pnvvs0 -w dump.cap host 192.168.6.97 and tcp port 10002

Ideally containing a request from the working Firefox and failing Chrome request.

16

Hi Lukas! Thanks for your reply. You’ve got a PM!

Btw, I’m back to my original config and dropped the basic one from above, since no progress was made so far. Nevertheless, Firefox still works while Edge and Chrome fails.

Michael

17

In fact, it’s not about SSL at all. The backend simply closes the connection with a RST after it get’s the request from haproxyx, which looks valid to me. Not sure why the backend server does this, but I can reproduce it now with curl:

Failure reproducer (replace hostname):

curl https://drive.example.org/ \
-H 'cache-control: max-age=0' \
-H 'sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'upgrade-insecure-requests: 1' \
-H 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66' \
-H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
-H 'sec-fetch-site: none' \
-H 'sec-fetch-mode: navigate' \
-H 'sec-fetch-user: ?1' \
-H 'sec-fetch-dest: document' \
-H 'accept-language: de,de-DE;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6'

Works fine when removing the sec-ch-ua header:

curl https://drive.example.org/ \
-H 'cache-control: max-age=0' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'upgrade-insecure-requests: 1' \
-H 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66' \
-H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
-H 'sec-fetch-site: none' \
-H 'sec-fetch-mode: navigate' \
-H 'sec-fetch-user: ?1' \
-H 'sec-fetch-dest: document' \
-H 'accept-language: de,de-DE;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6'

I suggest you try clearing the header:

http-request del-header sec-ch-ua

It’s unclear to me why Edge/Chrome works versus the backend directly, maybe check out if you see this sec-ch-ua header looks exactly like this in the F12 developer console also? And if the it is exactly the same when going via HTTP to the backend directly, without haproxy involved. Also you could try this curl request against the backend directly.

18

It’s because Chrome only emits this header when using HTTPS. It doesn’t emit the header when using HTTP.

Still doesn’t explain the backends behavior.

19

:boom: WOW - YOU ARE GENIUS! :boom:
That’s the solution! Now, all subdomains, work perfectly in Edge/Chrome!

The domain http[s]://drive.mydomain.de is running the package Drive Server on a Synology NAS with nginx as web server.

Other domains, however, do run different web servers in a docker container, maybe nginx as well, but I don’t know exactly.

So, if you assume that at least nginx on Synology has got an issue, I cannot do anything against it, unless changing any config files via console which might get overwritten when updating the NAS software.

This may apply too for the docker containers. OTH, with the given HAProxy option above, this might work now and perhaps later on, too. So, who cares right now. :laughing:

Or do you believe when omitting the header data, will this be a security problem?

Thanks,
Michael

20

Maybe for Chrome/Chromium this applies: user agent - Why does Chrome use sec-ch-ua: "\"Not\\A;Brand";v="99"? - Stack Overflow