Issue with connecting to backend API via HAProxy

Help!
1

Hello everyone!

Hope you’re all having an incredible day! (not me unfortunately)

I’m currently seeking for help on one issue that we’re facing with our setup on HAProxy. Here’s the situation:

  • We recently upgraded our HAProxy to version 2.0.31 as part of the security requirements, no other changes on our infrastructure.
  • Previously we were able to reach our backend API at https://example.com/api (via HAProxy of course) and now we’ve got error “400 Bad Request”.
curl --insecure https://example.com/api
<H1>400 Bad Request</H1>

However, the strange thing is when we pass in the header “User-Agent” to the request, no error 400 is returned

curl --insecure -H "User-Agent:*" https://example.com/api
<FORM METHOD=POST autocomplete=new-password style="max-width:300px;margin:auto"><HEAD><TITLE>Authorization Required</TITLE></HEAD><H2>Authorization Required!</H2><label for=user>Username</label><br><input id=user name=username type=text><br><label for=pass>Password</label><br><input id=pass name=password type=password><br><INPUT TYPE=HIDDEN NAME=csrf_token VALUE="79a404327c6afb987b894ff339faab0e277688be">
<INPUT TYPE=submit VALUE=submit>
</FORM>
  • With that being said, I’m attaching the config of our setup as below:

    frontend front_PROD
    log-format “%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r”
    mode http
    bind 10.10.0.219:443 ssl crt /etc/haproxy/certificates/
    maxconn 80000
    timeout connect 1800s

    acl acl_examplecom hdr(host) -i example.com

    backend back_examplecom
    mode http
    http-request set-header User-Agent %[hdr(User-Agent)]
    server srv_examplecom 10.10.0.1:443 check ssl verify none sni ssl_fc_sni

    use_backend back_examplecom if acl_examplecom

I’d appreciate so much if you have any ideas on this. Thank you in advance for checking this out.

Best regards,
Son.

2

What was the previous version that you used?

2.0 is in critical fixes only mode, nobody uses this release branch, it is basically unsupported. Please check haproxy.org for reference.

Why would you overwrite the User-Agent with the User-Agent? Please remove it from the configuration.

Haproxy always maintains the User-Agent of the client, there is nothing that needs to be configured to maintain the User-Agent of the client.

3

Hello,

Thanks for the response on this.

The previous version we were using is 1.8 and the decision to update was just made recently. After that we started encountering the issue as aforementioned, that’s why we are considering the new version might contribute to that also. The set-header in the configuration was added as a test only after multiple attempts from our side.

We will check further on this and will switch to higher version if possible.

Thank you and have a great day ahead!
NGUYEN Nhat Son