Haproxy blocking http response with error "invalid response"

HAProxy is blocking an HTTP response with the error "invalid response". The HAProxy log gives PH 502 bad gateway.

Setting option accept-invalid-http-response does not work.

I am not seeing anything wrong with the header though. This was working fine when we were on version 2.4. The issue started after upgrading to version 3.0.3.

socat gives the below error output:

backend be_xxx.xxx.com (#199): invalid response
frontend FE01 (#2), server 1 (#1), event #66, src xx.xx.xx.228:40675
buffer starts at 0 (including 0 out), 30143 free,
len 2625, wraps at 32720, error at position 640
H1 connection flags 0x80000100, H1 stream flags 0x00014840
H1 msg state MSG_CHUNK_SIZE(26), H1 msg flags 0x00011736
H1 chunk len 0 bytes, H1 body len 0 bytes :

00000 HTTP/1.1 201 \r\n
00015 X-Application-Context: api-gateway-service:8081\r\n
00064 Access-Control-Allow-Origin: https://xxx.xxx.com\r\n
00126 Vary: Origin\r\n
00140 Access-Control-Allow-Credentials: true\r\n
00180 Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE\r\n
00238 Access-Control-Max-Age: 3600\r\n
00268 Access-Control-Allow-Headers: Content-Type, Accept, X-Requested-With,
00338+ Authorization\r\n
00353 Access-Control-Expose-Headers: Content-Range\r\n
00399 X-Content-Type-Options: nosniff\r\n
00432 X-XSS-Protection: 1; mode=block\r\n
00465 X-Frame-Options: DENY\r\n
00488 Transfer-Encoding: chunked\r\n
00516 Date: Mon, 10 Mar 2025 07:30:33 GMT\r\n
00553 Connection: close\r\n
00572 Content-Type: application/vnd.Analyttica.TreasureHunt.Token+json\r\n
00638 \r\n
00640 {“authorization”:“eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJlY3dfdXNlckBhbmFseXR
00710+ 0aWNhLmNvbSIsImF1ZGllbmNlIjoid2ViIiwiY3JlYXRlZCI6MTc0MTU5MTgzMzY2MiwiZ
00780+ XhwIjoxNzQyMTk2NjMzLCJ0ZW5hbnQiOiJhbmFseXR0aWNhIn0.ckKypc4CSCYOhb95qRW
00850+ wjKxUMxpAXUO_EHXDxk1ARSNb5VOmtqNhGsTQ5NY-FEACEWWy0Z5Hm9VT9Ok2cKbLtA”,"
00920+ user_id":3,“joyride_locked”:true,“welcome_message_locked”:false,“tenan
00990+ t_name”:“analyttica”,“tc_accepted”:true,“can_user_enroll_free”:true,“c
01060+ an_user_enroll_paid”:true,“can_console_open”:false,“restricted_for_mul
01130+ tiple_logins”:false,“signup”:false,“_links”:{“lock_joyride”:{“href”:“/
01200+ users/3/lock/joyride”,“method”:“POST”,“accept”:“application/json”,“typ
01270+ e”:“application/json”},“notification”:{“href”:“/users/3/notifications”
01340+ ,“method”:“GET”,“accept”:“application/json”,“type”:“application/json”}
01410+ ,“accept_tc”:{“href”:“/users/3/lock/acceptTC”,“method”:“POST”,“accept”
01480+ :“application/json”,“type”:“application/json”},“preloaded_datasets”:{"
01550+ href":“/projects/datasets/preloaded”,“method”:“GET”,“accept”:“applicat
01620+ ion/vnd.Analyttica.TreasureHunt.PreloadedDatasets+json”,“type”:null},"
01690+ all_notification":{“href”:“/users/3/allNotifications”,“method”:“GET”,"
01760+ accept":“application/json”,“type”:“application/json”},“notification_ma
01830+ rk_all_read”:{“href”:“/users/3/notifications/markAllRead”,“method”:“PO
01900+ ST”,“accept”:“application/json”,“type”:“application/json”},“user_profi
01970+ le”:{“href”:“/users/3/profile”,“method”:“GET”,“accept”:“application/vn
02040+ d.Analyttica.TreasureHunt.UserProfile+json”,“type”:null},“lock_welcome
02110+ _note”:{“href”:“/users/3/lock/welcomenote”,“method”:“POST”,“accept”:“a
02180+ pplication/json”,“type”:“application/json”},“notification_count”:{“hre
02250+ f”:“/users/3/notifications/count”,“method”:“GET”,“accept”:“application
02320+ /json”,“type”:“application/json”},“get_address”:{“href”:“/users/3/addr
02390+ ess”,“method”:“GET”,“accept”:“application/json”,“type”:null},“marketpl
02460+ ace_courses”:{“href”:“/users/3/marketplace-courses”,“method”:“GET”,“ac
02530+ cept”:“application/vnd.Analyttica.TreasureHunt.MarketplaceCourseCollec
02600+ tion+json”,“type”:null}}}

Output of haproxy -vv:

HAProxy version 3.0.3-95a607c 2024/07/11 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2029.
Known bugs: http://www.haproxy.org/bugs/bugs-3.0.3.html
Running on: Linux 4.18.0-553.32.1.el8_10.x86_64 #1 SMP Wed Dec 11 16:33:48 UTC 2024 x86_64
Build options :
TARGET = linux-glibc
CC = cc
CFLAGS = -O2 -g -fwrapv
OPTIONS = USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_PCRE=1
DEBUG =

Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY +CRYPT_H -DEVICEATLAS +DL -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE -LIBATOMIC +LIBCRYPT +LINUX_CAP +LINUX_SPLICE +LINUX_TPROXY +LUA +MATH -MEMORY_PROFILING +NETFILTER +NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_AWSLC -OPENSSL_WOLFSSL -OT +PCRE -PCRE2 -PCRE2_JIT -PCRE_JIT +POLL +PRCTL -PROCCTL -PROMEX -PTHREAD_EMULATION -QUIC -QUIC_OPENSSL_COMPAT +RT +SHM_OPEN +SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 +SYSTEMD +TFO +THREAD +THREAD_DUMP +TPROXY -WURFL -ZLIB

Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_TGROUPS=16, MAX_THREADS=256, default=2).
Built with OpenSSL version : OpenSSL 1.1.1k FIPS 25 Mar 2021
Running on OpenSSL version : OpenSSL 1.1.1k FIPS 25 Mar 2021
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.5
Built with network namespace support.
Built with libslz for stateless compression.
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE version : 8.42 2018-03-20
Running on PCRE version : 8.42 2018-03-20
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes
Built with gcc compiler version 8.5.0 20210514 (Red Hat 8.5.0-20)

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
h2 : mode=HTTP side=FE|BE mux=H2 flags=HTX|HOL_RISK|NO_UPG
<default> : mode=HTTP side=FE|BE mux=H1 flags=HTX
h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG
fcgi : mode=HTTP side=BE mux=FCGI flags=HTX|HOL_RISK|NO_UPG
<default> : mode=TCP side=FE|BE mux=PASS flags=
none : mode=TCP side=FE|BE mux=PASS flags=NO_UPG

Available services : none

Available filters :
[BWLIM] bwlim-in
[BWLIM] bwlim-out
[CACHE] cache
[COMP] compression
[FCGI] fcgi-app
[SPOE] spoe
[TRACE] trace

The response is invalid.

It is indicating chunked transfer encoding in the header, but the payload is not actually chunked.

The response is not parsable, the application needs to be fixed.
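
The mismatch described in the answer above can be reproduced offline with a strict chunked-framing check. This is an added example, not HAProxy's parser and not code from the thread; the function name and the sample responses are constructed for illustration.

```python
import re

HEX = re.compile(rb"[0-9A-Fa-f]+")

def check_chunked_framing(raw: bytes):
    """Return (ok, offset, reason); offset is the byte position of the
    first framing error, or -1 when the framing is consistent."""
    head_end = raw.find(b"\r\n\r\n")
    if head_end < 0:
        return (False, len(raw), "incomplete header block")
    headers = {}
    for line in raw[:head_end].split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if b"chunked" not in headers.get(b"transfer-encoding", b""):
        return (True, -1, "not chunked; nothing to check")
    pos = head_end + 4  # first body byte, where a chunk-size line must start
    while True:
        eol = raw.find(b"\r\n", pos)
        line = raw[pos:eol if eol >= 0 else len(raw)]
        size_field = line.split(b";", 1)[0]  # drop any chunk extension
        if not HEX.fullmatch(size_field):
            return (False, pos, "expected hex chunk size")
        if eol < 0:
            return (False, pos, "chunk size line not terminated")
        size = int(size_field, 16)
        if size == 0:
            # Last chunk reached; trailers are not validated in this sketch.
            return (True, -1, "valid chunked body")
        data_end = eol + 2 + size
        if raw[data_end:data_end + 2] != b"\r\n":
            return (False, data_end, "chunk data not followed by CRLF")
        pos = data_end + 2

# Constructed samples: same headers, body sent raw vs. correctly chunked.
HEAD = (b"HTTP/1.1 201 \r\n"
        b"Transfer-Encoding: chunked\r\n"
        b"Connection: close\r\n"
        b"\r\n")
BODY = b'{"user_id":3,"joyride_locked":true}'
BROKEN = HEAD + BODY
FIXED = HEAD + b"%x\r\n" % len(BODY) + BODY + b"\r\n0\r\n\r\n"

if __name__ == "__main__":
    print("broken:", check_chunked_framing(BROKEN))
    print("fixed: ", check_chunked_framing(FIXED))
```

For the broken sample the reported offset is the first byte after the blank line, the same place the dump above flags with "error at position 640" while in state MSG_CHUNK_SIZE.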

Oh, let me work with the developer of the application. Thanks!
Will keep this post updated.