HAProxy community

Unusual 403 Forbidden Seen

Hi,

We are seeing some unstable issue few of the request are getting passed and few are getting 403 error

[14471] [13/Mar/2020:22:09:38.076] [1584137377.999] 6/6/4/0/0/0/3 77/-1/-1/-1/77 PR-- 2xx.9xx.6xx.2xx:6338 10.110.1.227:443 -:- https_frontend~ request_header={#7B#22xxxxxxx#22:#22xxxxxxxxxxxx#22,#22oemId#22:#22xxxxxxxxx1#22,#22products#22:[#7B#22spProductReference#22:#22xxxxxxxxxxxxxxxxxxxxxx#22,#22productId#22:#22xxxxxxxxxxxb7f90#22#7D],#22requestContext#22:#7B#22requestId#22:#22xxxxxxxxxxxxx-8fbe3fe6429b#22,#22correlationId#22:#22xxxxxxxxxxxxx-fb8703a925bc#22,#22requesterId#22:#22xxxxxx#22#7D#7D|xxxxxx.com|||} ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 {0,xxxxxxxx,“200114165847Z”,“230113165847Z”,"/CN=xxxxxxxx"} “POST /foo/bar/foo/bar/1/0/fooo HTTP/1.1” 403 service_backend: - - req_size=772 resp_size=212

[14471] [13/Mar/2020:22:09:38.076] [1584137377.999] 6/6/4/0/0/0/3 77/-1/-1/-1/77 PR-- 2xx.9xx.6xx.2xx:6338 10.110.1.227:443 -:- https_frontend~ request_header={#7B#22xxxxxxx#22:#22xxxxxxxxxxxx#22,#22oemId#22:#22xxxxxxxxx1#22,#22products#22:[#7B#22spProductReference#22:#22xxxxxxxxxxxxxxxxxxxxxx#22,#22productId#22:#22xxxxxxxxxxxb7f90#22#7D],#22requestContext#22:#7B#22requestId#22:#22xxxxxxxxxxxxxxx-8fbe3fe6429b#22,#22correlationId#22:#22xxxxxxxxxxx-fb8703a925bc#22,#22requesterId#22:#22xxxxx#22#7D#7D|xxxxxx.com|||} ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 {0,xxxxxxxx,“200114165847Z”,“230113165847Z”,"/CN=xxxxxxxx"} “POST /foo/bar/foo/bar/1/0/fooo HTTP/1.1” 200 service_backend:service_backend - - req_size=772 resp_size=428

We have deny rules only for http methd and if there is no client certificate is added while request has made

    acl                     valid_method method GET HEAD POST
    http-request            deny if !valid_method
    http-request            deny if { path_beg /foo } !{ ssl_fc_has_crt }

Can someone please help in this

Probabily it’s a resumed session, the documentation explicitly warns against this:

https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#7.3.4-ssl_fc_has_crt

Note: on SSL session resumption with Session ID or TLS ticket, client certificate is not present in the current connection but may be retrieved from the cache or the ticket. So prefer “ssl_c_used” if you want to check if current SSL session uses a client certificate.

@lukastribus Thank you so much for the help, it worked!!!

1 Like