Hi good morning everyone, I hope everyone can help with this.
So apparently I have a WAF (Cloudflare) and a load balancer using HAProxy in front of my backends, with a request flow like client -> Cloudflare -> HAProxy -> backend server.
Currently I'm facing a condition where I experience intermittent 403 NOSRV errors.
The HAProxy configuration is as follows:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    tune.bufsize 262144
    tune.maxrewrite 32768
    tune.maxaccept -1
    user haproxy
    group haproxy
    daemon
defaults
    log global
    option httplog
    no option checkcache
    mode http
    retries 2
    option redispatch
    option forwardfor except 127.0.0.1
    maxconn 40000
    timeout client 620s
    timeout server 5m
    timeout queue 60s
    timeout connect 30s
    timeout check 60s
    timeout tunnel 1h
    timeout tarpit 60s
    timeout http-request 5m
    option abortonclose
    default-server inter 30s
    default-server fastinter 5s
    default-server downinter 5s
    default-server maxconn 1500
    default-server maxqueue 1500
    default-server on-error fail-check
    default-server slowstart 120s
    default-server weight 1
    fullconn 200000
frontend ssl
    bind 0.0.0.0:443 ssl crt /etc/haproxy/ssl/nyem_digicert.pem ciphers ECDHE-RSA-AES256-GCM-SHA384:XXXXXXXXX
    bind 0.0.0.0:80
    mode http
    tcp-request inspect-delay 5s
    option httplog
    option dontlognull
    option accept-invalid-http-request
    option forwardfor except 127.0.0.1
    monitor-uri /healthcheck-uri
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    acl host_dev hdr_beg(host) -i dev.nyem.com
    acl network_private src 10.104.0.0/24
    acl path_order_trx path -i -m beg /api-nyem/order/transactions
    acl path_order_nyem_trx path -i -m beg /api-nyem/order/nyem/transactions
    acl path_order_callback path -i -m beg /api-nyem/order/callback/nyem
    acl path_order path -i -m beg /api-ms/order/
    http-request allow if path_order_trx
    http-request allow if path_order_nyem_trx
    http-request allow if path_order_callback
    http-request deny if path_order !network_private
    http-response set-header Cache-control no-cache,\ no-store,\ must-revalidate if { capture.req.uri -m beg /sw.js /sw.js.map }
    # backends
    use_backend order if path_order
    use_backend dev_ws if host_dev
    default_backend dev_ws
    acl is_http hdr(X-Forwarded-Proto) eq http
    redirect scheme https code 301 if is_http
backend dev_ws
    mode http
    server dev_ws 10.104.0.6:443 ssl verify none maxconn 100
backend order
    option httpchk
    http-check send meth GET uri /application/health
    http-check expect status 200
    http-request replace-path /api-nyem(.*) \1
    mode http
    server dev_order 10.104.0.24:8300 maxconn 100
So let's say I have 2 APIs on the backend server:
- POST ‘https://dev.nyem.com/api-nyem/order/nyem/transactions’
- POST ‘https://dev.nyem.com/api-nyem/order/callback/nyem’
So I tried to simulate this with curl:
curl --location --request POST 'https://dev.nyem.com/api-nyem/order/nyem/transactions' \
--data '{
"nyem": "123131"
}'
And it always returns 200, perfectly fine. However, when I tried to add a new endpoint, POST 'https://dev.nyem.com/api-nyem/order/callback/nyem', and hit it with:
curl --location --request POST 'https://dev.nyem.com/api-nyem/order/callback/nyem' \
--data '{
"id": "12563858",
}'
It intermittently returns an error like this:
200:
{"success":false,"code":"FAILED","message":"error","data":"error","serverTime":1694831245}
403:
<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>
I suspect this request comes from HAProxy itself because the request was logged in the HAProxy log with the following details:
200:
Sep 16 02:00:56 dev-haproxy haproxy[1388152]: 162.158.162.93:52930 [16/Sep/2023:02:00:56.437] ssl~ order/dev_order 0/0/0/2/2 200 155 - - ---- 62/62/0/0/0 0/0 "POST /api-nyem/order/callback/nyem HTTP/1.1"
403:
Sep 16 02:00:57 dev-haproxy haproxy[1366652]: 162.158.162.53:60206 [16/Sep/2023:02:00:57.252] ssl~ ssl/<NOSRV> 0/-1/-1/-1/0 403 192 - - PR-- 115/115/0/0/0 0/0 {dev.nyem.com|PostmanRuntime/7.32.3|SG|178.128.58.144|80731d91cb4f4912-SIN|178.128.58.144} "POST /api-ms/order/callback/nyem HTTP/1.1"
Do you guys know what the root cause of the intermittent error is, while the first API works just fine? I'm already at a dead end on this one. Thanks
Oh yeah, this is my HAProxy version:
HAProxy version 2.5.5-1ppa1~focal 2022/03/14 - https://haproxy.org/
Status: stable branch - will stop receiving fixes around Q1 2023.
Known bugs: http://www.haproxy.org/bugs/bugs-2.5.5.html
Running on: Linux 5.4.0-113-generic #127-Ubuntu SMP Wed May 18 14:30:56 UTC 2022 x86_64
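As an added example (my own code, not the poster's and not part of HAProxy), here is a small Python triage script for exactly this kind of NOSRV investigation. It parses the httplog fields of the two log lines quoted in the question (constructed sample input, nothing else), flags responses that HAProxy generated itself (server <NOSRV> with a termination state starting with P, which is how HAProxy logs a request refused by its own rules, PR-- for an http-request deny), groups lines by worker PID, and replays the frontend's http-request allow/deny rules so you can check which rule a given path and source address would hit. The PID grouping is there because after a reload the old worker keeps serving already-accepted connections with the old configuration until they drain, so lines from two PIDs can reflect two different configs. The rule table and network below are copied from the posted frontend; the field names and function names are my own.

```python
import ipaddress
import re

# Constructed sample input: the two HAProxy httplog lines quoted in the question.
SAMPLE_LOG = """\
Sep 16 02:00:56 dev-haproxy haproxy[1388152]: 162.158.162.93:52930 [16/Sep/2023:02:00:56.437] ssl~ order/dev_order 0/0/0/2/2 200 155 - - ---- 62/62/0/0/0 0/0 "POST /api-nyem/order/callback/nyem HTTP/1.1"
Sep 16 02:00:57 dev-haproxy haproxy[1366652]: 162.158.162.53:60206 [16/Sep/2023:02:00:57.252] ssl~ ssl/<NOSRV> 0/-1/-1/-1/0 403 192 - - PR-- 115/115/0/0/0 0/0 {dev.nyem.com|PostmanRuntime/7.32.3|SG|178.128.58.144|80731d91cb4f4912-SIN|178.128.58.144} "POST /api-ms/order/callback/nyem HTTP/1.1"
"""

# Field layout of "option httplog" lines: pid, client, accept date, frontend,
# backend/server, timers, status, bytes, cookies, termination state, counters,
# optional {captured headers}, then the quoted request line.
HTTPLOG_RE = re.compile(
    r'haproxy\[(?P<pid>\d+)\]: '
    r'(?P<client>[\d.]+):(?P<cport>\d+) '
    r'\[(?P<ts>[^\]]+)\] '
    r'(?P<frontend>\S+) '
    r'(?P<backend>[^/ ]+)/(?P<server>\S+) '
    r'(?P<timers>[-\d/]+) '
    r'(?P<status>\d{3}) '
    r'(?P<bytes>\d+) '
    r'\S+ \S+ '                       # captured request / response cookie
    r'(?P<term>\S{4}) '               # termination state, e.g. ---- or PR--
    r'[\d/]+ [\d/]+ '                 # connection counters and queue positions
    r'(?:\{(?P<captures>[^}]*)\} )?'  # only present if the config captures headers
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)"'
)


def parse_httplog(text):
    """Return one dict per line that matches the httplog layout; other lines are skipped."""
    return [m.groupdict() for m in (HTTPLOG_RE.search(ln) for ln in text.splitlines()) if m]


def triage(rows):
    """Summarise what a NOSRV investigation needs first: which worker PIDs answered, and
    which responses HAProxy produced itself (no server chosen, termination cause P)."""
    pids = sorted({r["pid"] for r in rows})
    blocked = [
        {"pid": r["pid"], "status": r["status"], "term": r["term"],
         "path": r["path"], "has_captures": r["captures"] is not None}
        for r in rows
        if r["server"] == "<NOSRV>" and r["term"].startswith("P")
    ]
    return {"pids": pids, "multiple_processes": len(pids) > 1, "blocked_by_haproxy": blocked}


# The frontend's http-request rules from the question, in evaluation order:
# (acl name, path prefix, action, rule only fires for sources outside network_private)
PRIVATE_NET = ipaddress.ip_network("10.104.0.0/24")
FRONTEND_RULES = [
    ("path_order_trx", "/api-nyem/order/transactions", "allow", False),
    ("path_order_nyem_trx", "/api-nyem/order/nyem/transactions", "allow", False),
    ("path_order_callback", "/api-nyem/order/callback/nyem", "allow", False),
    ("path_order", "/api-ms/order/", "deny", True),
]


def frontend_decision(path, src_ip):
    """Replay the allow/deny rules: returns (action, acl) for the first rule that fires,
    or ("pass", None) when none does and HAProxy continues to backend selection."""
    src_private = ipaddress.ip_address(src_ip) in PRIVATE_NET
    for acl, prefix, action, only_non_private in FRONTEND_RULES:
        if not path.lower().startswith(prefix):   # "path -i -m beg" is a case-insensitive prefix match
            continue
        if only_non_private and src_private:      # "deny if path_order !network_private"
            continue
        return action, acl
    return "pass", None


if __name__ == "__main__":
    rows = parse_httplog(SAMPLE_LOG)
    summary = triage(rows)
    print("worker PIDs seen:", summary["pids"], "(multiple:", summary["multiple_processes"], ")")
    for b in summary["blocked_by_haproxy"]:
        print("HAProxy-generated response:", b)
        print("  rule replay for that path from a public source:",
              frontend_decision(b["path"], "162.158.162.53"))
```

Run it against a longer slice of /var/log/haproxy.log by replacing SAMPLE_LOG with the file contents; what you want to compare is the set of PIDs, whether the NOSRV lines all carry the {captured headers} block that the posted frontend never configures, and which logged path (/api-nyem/... versus /api-ms/...) the denied requests actually had.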