@lukastribus thank you so much for your time and support, and I am sorry for any newbie misunderstanding.
I am sending you the data as requested, this is from my staging env which allows me to play around prior to applying to the production. They mirror each other.
Our CDN is Section.io, founded here in Australia and moved to US.
I will contact them to explain what the header actually looks like.
CentOS 7: haproxy -vv
HA-Proxy version 1.8.14-52e4d43 2018/09/20
Copyright 2000-2018 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET = linux2628
  CPU = generic
  CC = gcc
  CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -fno-strict-overflow -Wno-unused-label
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
  epoll : pref=300, test result OK
  poll : pref=200, test result OK
  select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
  [SPOE] spoe
  [COMP] compression
  [TRACE] trace

haproxy.cfg
global
    log 127.0.0.1 local2
    log-send-hostname
    pidfile /var/run/haproxy.pid
    chroot /var/lib/haproxy
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    stats socket /etc/haproxy/haproxy.sock mode 660 level admin
    stats socket 127.0.0.1:13888 level admin
    stats timeout 15s
    ssl-default-bind-ciphers HIGH:!RC4:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 4000

frontend HTTPS
    maxconn 1000
    bind 0.0.0.0:443 ssl crt SELF_SIGNED_CERITIFICATE.PEM no-sslv3
    option httplog
    mode http
    option http-server-close
    option forwardfor except 127.0.0.0/8
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 443
    capture request header X-Forwarded-For len 200
    capture request header Host len 100
    capture request header Referrer len 64
    capture request header Content-Length len 10
    capture request header User-Agent len 256
    capture cookie JSESSIONID len 43
    log-format %ci:%cp\ [%t]\ %f\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ "%r"\ %hr\ %sslv
    acl url_images path_beg -i XXXXXX
    acl url_content path_beg -i XXXXXX
    default_backend HTTPS
    use_backend images if url_images
    use_backend content if url_content

backend images
    mode http
    option httpchk
    server XXXXXX XXXXXX weight 10 check port 80

backend content
    mode http
    option httpchk
    server XXXXXX XXXXXX weight 10 check port 80

backend HTTPS
    mode http
    option httpchk
    balance roundrobin
    stick-table type string len 52 size 1m expire 30m # no peers
    stick on urlp(jsessionid)
    stick on urlp(jsessionid,;)
    stick on cookie(JSESSIONID)
    stick store-response cookie(JSESSIONID)
    server XXXXXX XXXXXX:443 weight 10 check port 80 inter 1s fall 1 rise 3 ssl verify none
    server XXXXXX XXXXXX:443 weight 10 check port 80 inter 1s fall 1 rise 3 ssl verify none
    server XXXXXX XXXXXX:443 weight 10 check port 80 inter 1s fall 1 rise 3 ssl verify none

userlist STATSUSERS
    group admin users XXXXXX
    user XXXXXX insecure-password XXXXXX
    user XXXXXX insecure-password XXXXXX

listen admin_page
    bind *:8161
    mode http
    stats enable
    stats refresh 10s
    stats uri /monitor
    acl AuthOkay_ReadOnly http_auth(STATSUSERS)
    acl AuthOkay_Admin http_auth_group(STATSUSERS) XXXXXX
    stats http-request auth realm admin_page unless AuthOkay_ReadOnly
    stats admin if AuthOkay_Admin

The error message is as shown below and it comes from the backend servers, and by reading your requests and expertise, I am starting to realise that the problem was never the HaProxy.
“Read feeling stupid right now”
I do not master HaProxy either.
HaProxy log does not show any error.
Without this deny, everything works like a charm without problems.
ERROR: Server Error
The server encountered a temporary error and could not complete your request.
Please try again in 30 seconds.
Thank you