Hello, everyone.
I have a question. My backend can return error codes (for example 444) because of security protection, and I want to keep this error code in responses to users. But haproxy is replacing them with a 502 code. So is there a way to keep the error code in the responses to users?
Best Regards.
Hi.
So, is it possible to do so at HAProxy?
Best Regards.
Haproxy does not rewrite error codes.
It does however emit a 502 error when:
the server returns an empty, invalid or incomplete response, or when an “rspdeny” filter blocks the response.
https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#1.3.1
Hi, lukastribus.
Thank you very much for the information. Why I asked this question: we have nginx servers as backends for haproxy, and we’re storing error logs from haproxy and success/error logs from the nginx servers. We saw that the rate of error messages with code 444 from nginx matched the rate of code 502 in the haproxy error logs.
As the manual mentions:
502 when the server returns an empty, invalid or incomplete response.
But the 444 code is not empty and not incomplete. So what is haproxy implementing as an invalid response? As we can see here: RFC 7231 - Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content, the 444 HTTP code is not part of it. So could haproxy read this code as invalid?
Best Regards.
I don’t think the 444 is the reason haproxy rejects the response.
Can you trigger a 444 response with curl directly from nginx and post its verbose output (-vvv)?
Hi, lukastribus.
Thanks for your interest in my case. Regarding your suggestion: we created a special URL criterion to return the 444 response code and tried to get it via curl. Here is the result of this request (I hid sensitive information, but it is not critical in our case. Also, the response code in the logs of the nginx server is 444 for this request):
curl -A curl -vvv https://XXXXXXXXXXXXX
* About to connect() to XXXXXXXXXXXXX port 443 (#0)
* Trying XXXXXXXXXXXXX… connected
* Connected to XXXXXXXXXXXXX (XXXXXXXXXXXXX) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: CN=*.XXXXXXXXXXXXX,O=XXXXXXXXXXXXX,L=XXXXXXXXXXXXX,ST=XXXXXXXXXXXXX,C=XX
* start date: Сен 16 00:00:00 2016 GMT
* expire date: Ноя 15 23:59:59 2018 GMT
* common name: XXXXXXXXXXXXX
* issuer: CN=thawte SSL CA - G2,O=“thawte, Inc.”,C=US
> GET / HTTP/1.1
> User-Agent: curl
> Host: XXXXXXXXXXXXX
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 502 Bad Gateway
< Cache-Control: no-cache
< Connection: close
< Content-Type: text/html
<
502 Bad Gateway
The server returned an invalid or incomplete response.
* Closing connection #0
Best Regards,
To be able to understand why haproxy rejects this response, I need to see the 444 response from nginx, not the 502 error from haproxy.
So instead of pointing to haproxy, please point to the backend directly, without passing through haproxy.
Hi, lukastribus.
Thanks a lot for pointing to this test. We found that nginx writes the response code 444 to the log, but in reality it isn’t returning anything to the client (* Empty reply from server). So it’s a problem of the nginx application.
Once again, thanks a lot. I’m marking your answer as a correct one.
Best Regards.
Now that you are saying it, 444 is a special code for nginx that does exactly what you are experiencing:
http://nginx.org/en/docs/http/ngx_http_rewrite_module.html#return
The non-standard code 444 closes a connection without sending a response header.
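The check suggested in this thread (query the backend directly and look at what it actually puts on the wire), as an added Python example that is not part of the original posts. The local listener is a constructed stand-in for nginx, and `start_backend` and `probe` are hypothetical helper names.

```python
import socket
import threading

def start_backend(reply):
    """Constructed stand-in for a backend: read the request, send `reply`, close.
    reply=b"" mimics nginx's `return 444` (close without a response header)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)             # consume the request so close() sends FIN
            if reply:
                conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def probe(host, port, timeout=3.0):
    """Send one GET straight to the backend and classify what comes back."""
    req = (f"GET / HTTP/1.1\r\nHost: {host}\r\n"
           "User-Agent: probe\r\nConnection: close\r\n\r\n").encode()
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        try:
            while b"\r\n" not in data:
                chunk = s.recv(4096)
                if not chunk:           # peer closed the connection
                    break
                data += chunk
        except ConnectionResetError:
            pass                        # reset before any byte: still no response
    if not data:
        return "empty-reply"            # what HAProxy turns into a 502
    parts = data.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        return "status " + parts[1]
    return "invalid-response"

if __name__ == "__main__":
    for reply in (b"", b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"):
        srv, port = start_backend(reply)
        print(repr(reply[:22]), "->", probe("127.0.0.1", port))
        srv.close()
```

An `empty-reply` result from the backend alongside a 444 entry in its access log is the combination seen in this thread: the code exists only in the nginx log, never on the wire.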
Funny. Thanks a lot for the information. I’ll show it to our engineer who is responsible for the nginx servers.
Best Regards.