[RESOLVED] Upgraded to HAProxy 2.4 and large POST requests stopped working with Firefox


I recently upgraded from HAProxy 1.8 to HAProxy 2.4 on our Ubuntu servers. After spending some time working around headers which were case-sensitive in the .NET app (which I don’t have access to), everything seemed to work, except for file upload which results in a 500 Internal Error.

Interestingly enough, the file upload works with Chrome but doesn’t with Firefox. We’ve been investigating headers again because it is the only track we have, but we haven’t found anything.

I’m interested in any idea that could explain this behaviour and help us fix it so it works with Firefox again.

Thank you very much!

Update: apparently, it is the same with any ‘large enough’ POST request, not only file upload. Is there a specificity with POST on Firefox?

HAProxy config, redacted for privacy:

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level user expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        tune.ssl.default-dh-param 2048
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private
        ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
        h1-case-adjust [...] # redacted for privacy

defaults
        log     global
        mode    http
        log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %sslv %sslc"
        option  dontlognull
        option  log-health-checks
        timeout connect 5000
        timeout client  120000
        timeout server  110000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http
        option h1-case-adjust-bogus-server

frontend pplb
    bind ssl crt [...] verify optional # redacted for privacy
    bind ssl crt [...] verify none # redacted for privacy
    mode http
    http-request add-header [...] # redacted for privacy

# ACL redacted for privacy

backend preprod
 fullconn 1000
 mode http
 option httpclose
 http-check expect status 200
 option httpchk GET /isup
 cookie HASESSIONID prefix
 server ppweb ssl ca-file /etc/ssl/haproxy/cert.pem cookie ppweb check inter 10000 fastinter 2000 maxconn 1000 verify required
 http-response del-header X-AspNet-Version
 http-response del-header X-Powered-By
 http-response del-header X-AspNetMvc-Version
 http-response add-header X-XSS-Protection 1;\ mode=block
 http-response add-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload
 http-response add-header X-Content-Type-Options nosniff
 http-response add-header X-Frame-Options SAMEORIGIN
 http-response add-header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"
 http-response set-header Referrer-Policy strict-origin-when-cross-origin
 http-response set-header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' fonts.googleapis.com 'unsafe-inline'; font-src 'self' fonts.gstatic.com data:; img-src * data:; frame-src mailto: tel: 'self';"
 http-response set-header Permissions-Policy "accelerometer=(), geolocation=(), ambient-light-sensor=(), autoplay=(), battery=(), display-capture=()"

Update 2 (resolved): alright, we hadn’t read the documentation well enough. We set tune.maxrewrite=8192 and it worked, so I guess it was a problem of header size.
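
An added example, not part of the original post: a Python check that reads tune.bufsize and tune.maxrewrite from a configuration and compares the resulting rewrite reserve with a lower-bound estimate of the bytes that static add-header/set-header rules append in each direction. The defaults of 16384 and 1024, the function name rewrite_budget, and the sample rules (including the hypothetical X-Client-Cert header) are assumptions.

```python
import shlex

# Assumed stock build defaults for tune.bufsize / tune.maxrewrite; check your build.
DEFAULTS = {"tune.bufsize": 16384, "tune.maxrewrite": 1024}

# Constructed sample modelled on the post; X-Client-Cert is a hypothetical rule.
SAMPLE_CFG = r"""
global
    tune.maxrewrite 8192

frontend pplb
    http-request add-header X-Client-Cert %[ssl_c_der,base64]

backend preprod
    http-response add-header X-XSS-Protection 1;\ mode=block
    http-response add-header X-Frame-Options SAMEORIGIN
    http-response set-header Referrer-Policy strict-origin-when-cross-origin
"""

def rewrite_budget(cfg):
    """Estimate header bytes added per direction versus the rewrite reserve."""
    tune = dict(DEFAULTS)
    added = {"http-request": 0, "http-response": 0}
    unsized = []  # headers whose value is computed at run time
    for raw in cfg.splitlines():
        tok = shlex.split(raw, comments=True)
        if len(tok) >= 2 and tok[0] in tune:
            tune[tok[0]] = int(tok[1])
        elif len(tok) >= 4 and tok[0] in added and tok[1] in ("add-header", "set-header"):
            name, value = tok[2], tok[3]
            if "%" in value:
                unsized.append(name)
            else:
                # HTTP/1 wire form: "Name: value\r\n"
                added[tok[0]] += len(name) + 2 + len(value) + 2
    # HAProxy caps tune.maxrewrite at half of tune.bufsize.
    reserve = min(tune["tune.maxrewrite"], tune["tune.bufsize"] // 2)
    return {
        "reserve": reserve,
        "first_read": tune["tune.bufsize"] - reserve,
        "added": added,
        "unsized": unsized,
        "over": sorted(d for d, n in added.items() if n > reserve),
    }

if __name__ == "__main__":
    for key, val in rewrite_budget(SAMPLE_CFG).items():
        print(f"{key}: {val}")
```

Rules listed under unsized carry run-time values, so their size has to be measured on live traffic before judging whether the reserve is large enough.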