Hello!
I recently upgraded from HAProxy 1.8 to HAProxy 2.4 on our Ubuntu servers. After spending some time working around headers which were case-sensitive in the .NET app (which I don’t have access to), everything seemed to work, except for file upload which results in a 500 Internal Error.
Interestingly enough, the file upload works with Chrome but doesn’t with Firefox. We’ve been investigating headers again because it is the only track we have, but we haven’t found anything.
I’m interested in any idea that could explain this behaviour and help us fix it so it works with Firefox again.
Thank you very much!
Update: apparently, it is the same with any ‘large enough’ POST request, not only file upload. Is there a specificity with POST on Firefox?
HAProxy config, redacted for privacy:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level user expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    tune.ssl.default-dh-param 2048
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    h1-case-adjust [...] # redacted for privacy

defaults
    log global
    mode http
    log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %sslv %sslc"
    option dontlognull
    option log-health-checks
    timeout connect 5000
    timeout client 120000
    timeout server 110000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
    option h1-case-adjust-bogus-server

frontend pplb
    bind 10.0.0.1:80
    bind 10.0.0.1:443 ssl crt [...] verify optional # redacted for privacy
    bind 10.0.0.1:4430 ssl crt [...] verify none # redacted for privacy
    mode http
    http-request add-header [...] # redacted for privacy
    # ACL redacted for privacy

backend preprod
    fullconn 1000
    mode http
    option httpclose
    http-check expect status 200
    option httpchk GET /isup
    cookie HASESSIONID prefix
    server ppweb 10.0.0.2:443 ssl ca-file /etc/ssl/haproxy/cert.pem cookie ppweb check inter 10000 fastinter 2000 maxconn 1000 verify required
    http-response del-header X-AspNet-Version
    http-response del-header X-Powered-By
    http-response del-header X-AspNetMvc-Version
    http-response add-header X-XSS-Protection 1;\ mode=block
    http-response add-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload
    http-response add-header X-Content-Type-Options nosniff
    http-response add-header X-Frame-Options SAMEORIGIN
    http-response add-header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"
    http-response set-header Referrer-Policy strict-origin-when-cross-origin
    http-response set-header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' fonts.googleapis.com 'unsafe-inline'; font-src 'self' fonts.gstatic.com data:; img-src * data:; frame-src mailto: tel: 'self';"
    http-response set-header Permissions-Policy "accelerometer=(), geolocation=(), ambient-light-sensor=(), autoplay=(), battery=(), display-capture=()"
Update 2 (resolved): alright, we hadn’t read the documentation well enough. We set tune.maxrewrite=8192 and it worked, so I guess it was a problem of header size.
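An added example, not part of the original post: tune.maxrewrite is the buffer space HAProxy keeps in reserve for rewriting or appending headers, so this sketch adds up the bytes that the static add-header/set-header rules of the backend above put on each response and compares them with a given reserve. The function names are hypothetical, 1024 is the value the HAProxy documentation suggests for tune.maxrewrite, and the redacted rules and the cookie prefix are not counted.

```python
import shlex

# Rules copied from the backend in the post above.
BACKEND_RULES = r'''
http-response del-header X-Powered-By
http-response add-header X-XSS-Protection 1;\ mode=block
http-response add-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload
http-response add-header X-Content-Type-Options nosniff
http-response add-header X-Frame-Options SAMEORIGIN
http-response add-header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"
http-response set-header Referrer-Policy strict-origin-when-cross-origin
http-response set-header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' fonts.googleapis.com 'unsafe-inline'; font-src 'self' fonts.gstatic.com data:; img-src * data:; frame-src mailto: tel: 'self';"
http-response set-header Permissions-Policy "accelerometer=(), geolocation=(), ambient-light-sensor=(), autoplay=(), battery=(), display-capture=()"
'''

def added_headers(config_text):
    """Return (name, value) for every add-header/set-header rule with a static value."""
    found = []
    for line in config_text.splitlines():
        # shlex resolves "quoted values" and backslash-escaped spaces like HAProxy does
        words = shlex.split(line)
        if (len(words) >= 4
                and words[0] in ("http-request", "http-response")
                and words[1] in ("add-header", "set-header")):
            found.append((words[2], words[3]))
    return found

def wire_size(name, value):
    """Bytes of one HTTP/1.x header line: 'Name: value' plus CRLF."""
    return len(name.encode()) + 2 + len(value.encode()) + 2

def reserve_report(config_text, maxrewrite):
    """Compare the bytes appended by static rules with the rewrite reserve."""
    headers = added_headers(config_text)
    total = sum(wire_size(n, v) for n, v in headers)
    return {"rules": len(headers), "bytes": total, "headroom": maxrewrite - total}

if __name__ == "__main__":
    for reserve in (1024, 8192):  # documented suggestion vs. the value set in the post
        print(reserve, reserve_report(BACKEND_RULES, reserve))
```

The figure is a lower bound on what the proxy appends, since rules whose values are built at run time and rewrites of existing headers also draw on the same reserve.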