Hi,
We have a haproxy instance handling multiple domains and getting the requests to the correct servers.
We have an nginx server, which runs fine without haproxy and mostly runs fine with haproxy. But one single page returns a 502 error:
Sep 18 15:00:28 dktig-proxy haproxy[2367]: <IP>:41656 [18/Sep/2018:15:00:28.473] ft_https~ bk_dkv/dkv 4/0/0/-1/6 502 16189 - - PH-- 1/1/0/0/0 0/0 "GET /de/suche/comparison/compare.html HTTP/1.1"
nginx does not have much to say about this:
172.16.3.252 - - [18/Sep/2018:15:00:33 +0200] "GET /de/suche/comparison/compare.html HTTP/1.1" 499 0 "https://<domain>/de/suche/search/memo/show/1/asc/name.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"
I already tried setting “accept-invalid-http-response”, but no change.
Here are (the relevant parts of) the config and the “show errors” output.
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # Decrease the size of the rewrite buffer so that
    # there is more room to handle large (>8K) headers. See the HAProxy
    # manual around tune.bufsize and tune.maxrewrite.
    tune.maxrewrite 4096
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/haproxy/cert
    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 60s
    timeout client 300s
    timeout server 300s
    timeout http-request 120s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend ft_http
    bind :80
    mode http
    option httplog
    redirect scheme https code 301 if !{ ssl_fc }

frontend ft_https
    bind :443 ssl crt <alot of certs here> strict-sni
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    mode http
    reqadd X-Forwarded-Proto:\ https
    option httplog
    acl is_gitlab hdr(host) -i <DOMAIN>
    acl is_europ hdr(host) -i <DOMAIN>
    acl is_ip hdr(host) -i <IP>
    use_backend bk_gitlab if is_gitlab
    use_backend bk_europ if is_europ
    tcp-request connection reject if is_ip
    default_backend bk_dkv

backend bk_europ
    mode http
    balance roundrobin
    server gitlab 172.16.3.50:80

backend bk_gitlab
    mode http
    balance roundrobin
    server gitlab 172.16.3.50:80

backend bk_dkv
    mode http
    balance roundrobin
    option accept-invalid-http-response
    server dkv 172.16.3.45:443 ssl verify none

Total events captured on [18/Sep/2018:14:58:38.821] : 2
[18/Sep/2018:14:58:36.027] backend bk_dkv (#7): invalid response
frontend ft_https (#3), server dkv (#1), event #1
src <IP>:41546, session #83, session flags 0x002004ce
HTTP msg state 26, msg flags 0x00000000, tx flags 0xa8000000
HTTP chunk len 0 bytes, HTTP body len 0 bytes
buffer flags 0x80048002, out 0 bytes, total 15984 bytes
pending 4088 bytes, wrapping at 16392, error at position 0:
00000 n_menu_toolbar.css":1,"modules\\/shortcut\\/shortcut.css":1,"sites\\/a
00067+ ll\\/modules\\/ctools\\/css\\/ctools.css":1,"sites\\/all\\/libraries\\
00130+ /fancybox\\/source\\/jquery.fancybox.css":1,"sites\\/all\\/modules\\/p
00195+ anels\\/css\\/panels.css":1,"sites\\/all\\/modules\\/devel\\/devel_kru
00259+ mo.css":1,"0":1,"public:\\/\\/pr_suche_sitesallmodulesproxyreset.css":
00327+ 1,"public:\\/\\/pr_suche_sitesallmodulesproxydefault.css":1,"sites\\/a
00394+ ll\\/themes\\/dkg\\/bootstrap\\/dist\\/css\\/bootstrap.min.css":1,"sit
00458+ es\\/all\\/themes\\/dkg\\/bootstrap\\/dist\\/css\\/bootstrap-theme.min
00521+ .css":1,"sites\\/all\\/themes\\/promato\\/smartmenus\\/addons\\/bootst
00585+ rap\\/jquery.smartmenus.bootstrap.css":1,"sites\\/all\\/themes\\/proma
00651+ to\\/css\\/nf-main.css":1,"sites\\/all\\/themes\\/promato\\/css\\/nf-w
00714+ ebform.css":1,"sites\\/all\\/themes\\/promato\\/css\\/nf-news.css":1,"
00779+ sites\\/all\\/themes\\/promato\\/css\\/nf-icons.css":1,"sites\\/all\\/
00842+ themes\\/promato\\/css\\/nf-gallery.css":1,"sites\\/all\\/themes\\/pro
00906+ mato\\/font-awesome\\/css\\/font-awesome.min.css":1,"sites\\/all\\/the
00971+ mes\\/dkv\\/css\\/disable-responsive.css":1,"sites\\/all\\/themes\\/dk
01035+ v\\/css\\/dkv.css":1,"sites\\/all\\/themes\\/dkg\\/css\\/override.css"
01098+ :1}},"fancybox":[],"overlay":{"paths":{"admin":"node\\/*\\/webform\\nn
01165+ ode\\/*\\/webform\\/*\\nnode\\/*\\/webform-results\\nnode\\/*\\/webfor
01226+ m-results\\/*\\nnode\\/*\\/submission\\/*\\nnode\\/*\\/edit\\nnode\\/*
01286+ \\/delete\\nnode\\/*\\/revisions\\nnode\\/*\\/revisions\\/*\\/revert\\
01346+ nnode\\/*\\/revisions\\/*\\/delete\\nnode\\/add\\nnode\\/add\\/*\\nove
01406+ rlay\\/dismiss-message\\nuser\\/*\\/shortcuts\\nadmin\\nadmin\\/*\\nba
01468+ tch\\ntaxonomy\\/term\\/*\\/edit\\nnode\\/*\\/translate\\nuser\\/*\\/c
01528+ ancel\\nuser\\/*\\/edit\\nuser\\/*\\/edit\\/*\\ntaxonomy\\/*\\/transla
01588+ te\\ntaxonomy\\/*\\/translate\\/*\\ndevel\\/*\\nnode\\/*\\/devel\\nnod
01648+ e\\/*\\/devel\\/*\\ncomment\\/*\\/devel\\ncomment\\/*\\/devel\\/*\\nus
01707+ er\\/*\\/devel\\nuser\\/*\\/devel\\/*\\ntaxonomy\\/term\\/*\\/devel\\n
01766+ taxonomy\\/term\\/*\\/devel\\/*\\nnode\\/*\\/revisions\\/view\\/*\\/*"
01826+ ,"non_admin":"admin\\/structure\\/block\\/demo\\/*\\nadmin\\/reports\\
01889+ /status\\/php"},"pathPrefixes":["de","en"],"ajaxCallback":"overlay-aja
01958+ x"},"tableHeaderOffset":"Drupal.admin.height","admin_menu":{"destinati
02028+ on":"destination=suche\\/search\\/memo.html","hash":"b2f84c002aa2c65b2
02096+ 56f81e58c48466e","basePath":"\\/de\\/admin_menu","margin_top":1,"posit
02164+ ion_fixed":1,"toolbar":[]},"bootstrap":{"anchorsFix":"1","anchorsSmoot
02234+ hScrolling":"1","formHasError":1,"popoverEnabled":"1","popoverOptions"
02304+ :{"animation":1,"html":0,"placement":"right","selector":"","trigger":"
02374+ click","triggerAutoclose":1,"title":"","content":"","delay":0,"contain
02444+ er":"body"},"tooltipEnabled":"1","tooltipOptions":{"animation":1,"html
02514+ ":0,"placement":"auto left","selector":"","trigger":"hover focus","del
02584+ ay":0,"container":"body"}}});</script>\n
02623 </head>\n
02631 <body class="html not-front logged-in no-sidebars page-suche page-such
02701+ e-search page-suche-search-memohtml i18n-de" >\n
02748 <div id="skip-link">\n
02771 <a href="#main-content" class="element-invisible element-focusable
02841+ ">Skip to main content</a>\n
02868 </div>\n
02877 <div class="region region-page-top">\n
02918 <div id="overlay-disable-message" class="clearfix"><h3 class="elem
02988+ ent-invisible">Options for the administrative overlay</h3><a href="/de
03058+ /user/1/edit?destination=suche/search/memo.html#edit-overlay-control"
03128+ id="overlay-profile-link" class="overlay-exclude element-invisible">If
03198+ you have problems accessing administrative pages on this site, disabl
03268+ e the overlay on your profile page.</a> <a href="/de/overlay/dismiss-m
03338+ essage?destination=suche/search/memo.html&token=jfmKm3UoGUx7x-ruMN
03408+ JGetOoc5_T3hq7BnZhCERKsPw" id="overlay-dismiss-message" class="overlay
03478+ -exclude element-invisible">Dismiss this message.</a></div> </div>\n
03546 <div class="container header-image">\n
03585 \t <!--<a class="logo navbar-btn pull-left" href="/de" title="Hom
03654+ e">\n
03658 <img src="https://<DOMAIN>/sites/all/themes/dkg/logo.png
03728+ " alt="Home" />\n
03744 </a>-->\n
03758 <div class="site_name"><h1 style="color:#11574c;">DEUTSCHE
03828+ S KRANKENHAUSVERZEICHNIS</h1></div>\n
03864 <!--<div class="site_slogan"><span style="font-size:85%;">Servic
03934+ e of the hospitals in berlin and the berlin hospital association in co
04004+ nnection with the german hospital directory</span></div>-->\n
04064 <div class="langua
HA-Proxy version 1.6.3 2015/12/25
Copyright 2000-2015 Willy Tarreau <willy@haproxy.org>
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
OPTIONS = USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.2g-fips 1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.38 2015-11-23
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with Lua version : Lua 5.3.1
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Does anyone see anything odd? What can I try to resolve this problem? Any help is much appreciated.
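
As an added example (not part of the original post), the following decodes the HAProxy log line quoted above: the `PH` termination state together with the `-1` response timer shows that HAProxy itself produced the 502 while waiting for valid response headers from `dkv`. The flag descriptions are a subset paraphrased from the HAProxy configuration manual; the function and variable names are illustrative.

```python
import re

# Log line quoted in the post; the client address is the post's <IP> placeholder.
SAMPLE = ('Sep 18 15:00:28 dktig-proxy haproxy[2367]: <IP>:41656 '
          '[18/Sep/2018:15:00:28.473] ft_https~ bk_dkv/dkv 4/0/0/-1/6 502 16189 '
          '- - PH-- 1/1/0/0/0 0/0 "GET /de/suche/comparison/compare.html HTTP/1.1"')

LINE = re.compile(
    r'haproxy\[\d+\]: (?P<client>\S+) \[(?P<accepted>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<timers>[-+\d/]+) (?P<status>\d{3}) (?P<bytes>\+?\d+) '
    r'\S+ \S+ (?P<term>\S{4}) \S+ \S+ "(?P<request>[^"]*)"')

# First two termination-state characters, paraphrased from the HAProxy
# configuration manual ("Session state at disconnection"); subset only.
CAUSE = {"C": "aborted by the client", "S": "aborted or refused by the server",
         "P": "aborted by the proxy itself", "c": "client-side timeout",
         "s": "server-side timeout", "-": "normal completion"}
PHASE = {"R": "waiting for a valid request", "Q": "waiting in queue",
         "C": "connecting to the server", "D": "data transfer",
         "H": "waiting for valid response headers from the server",
         "L": "sending last data to the client", "-": "normal completion"}
TIMERS = ("Tq", "Tw", "Tc", "Tr", "Tt")  # timer names in the 1.6 httplog format


def decode(line):
    """Parse one HAProxy httplog line and explain how the session ended."""
    m = LINE.search(line)
    if m is None:
        raise ValueError("not an HAProxy httplog line")
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    values = [int(v) for v in rec["timers"].split("/")]
    if len(values) != len(TIMERS):
        raise ValueError("unexpected number of timers")
    rec["timers"] = dict(zip(TIMERS, values))
    # A timer of -1 marks a phase that never completed.
    rec["unfinished"] = [name for name, v in rec["timers"].items() if v == -1]
    rec["cause"] = CAUSE.get(rec["term"][0], "see manual")
    rec["phase"] = PHASE.get(rec["term"][1], "see manual")
    # 502 + PH: HAProxy rejected the server's response and generated the 502 itself.
    rec["proxy_rejected_response"] = rec["status"] == 502 and rec["term"][:2] == "PH"
    return rec


if __name__ == "__main__":
    for key, value in decode(SAMPLE).items():
        print(f"{key:>24}: {value}")
```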