Hi.
I have added fcgi trace
```
global
    log stdout format raw daemon debug
    pidfile /data/haproxy/run/haproxy.pid
    # maxconn auto config from hap
    # nbthread auto config from hap
    master-worker
    #tune.comp.maxlevel 5
    expose-experimental-directives
    trace fcgi sink stdout
    trace fcgi verbosity advanced
    trace fcgi event any
    trace fcgi start now
    # turn on stats unix socket
    stats socket /data/haproxy/run/stats mode 660 level admin expose-fd listeners
```
and created an issue with that output.
https://github.com/haproxy/haproxy/issues/2568
Regards
Alex
On 2024-05-16 (Thu.) 17:05, Aleksandar Lazic wrote:
Hi.
I have a strange behavior with HAProxy and FCGI PHP App.
When I call an admin URL, HAProxy returns a 500; after a refresh of the same
page, HAProxy returns 200.
```
10.128.2.35:39684 [16/May/2024:14:54:26.229] craft-cms fcgi-servers/craftcms1 0/0/0/-1/1138 500 15416 - - IH-- 2/2/0/0/0 0/0 "GET /craftcms/admin/settings HTTP/1.1"
10.131.0.26:46546 [16/May/2024:14:56:01.870] craft-cms fcgi-servers/craftcms1 0/0/0/1511/1514 200 113460 - - ---- 2/2/0/0/0 0/0 "GET /craftcms/admin/settings HTTP/1.1"
```
How can I debug this 'I' flag, which should never happen as the doc says?
https://docs.haproxy.org/2.9/configuration.html#8.5
```
I : an internal error was identified by the proxy during a self-check.
This should NEVER happen, and you are encouraged to report any log
containing this, because this would almost certainly be a bug. It
would be wise to preventively restart the process after such an
event too, in case it would be caused by memory corruption.
```
I use the latest haproxy image haproxytech/haproxy-ubuntu:2.9 in OpenShift
with that config.
```
global
    log stdout format raw daemon debug
    pidfile /data/haproxy/run/haproxy.pid
    # maxconn auto config from hap
    # nbthread auto config from hap
    master-worker
    tune.comp.maxlevel 5
    # turn on stats unix socket
    stats socket /data/haproxy/run/stats mode 660 level admin expose-fd listeners

resolvers kube-dns
    nameserver dns1 dns-default.openshift-dns.svc.cluster.local:53
    accepted_payload_size 4096
    resolve_retries 3
    timeout resolve 1s
    timeout retry 1s
    hold other 30s
    hold refused 30s
    hold nx 30s
    hold timeout 30s
    hold valid 10s
    hold obsolete 30s

defaults
    mode http
    balance leastconn
    log global
    option httplog
    option dontlognull
    option log-health-checks
    option forwardfor except 10.196.106.108/32
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 30s
    timeout connect 10s
    timeout client 30s
    timeout server 30s
    timeout http-keep-alive 10s
    timeout check 10s
    #maxconn 3000

frontend craft-cms
    bind *:8080
    tcp-request inspect-delay 5s
    tcp-request content accept if HTTP
    # default check url from appgateway
    monitor-uri /health
    # https://www.haproxy.com/blog/load-balancing-php-fpm-with-haproxy-and-fastcgi
    # fix CVE-2019-11043
    http-request deny if { path_sub -i %0a %0d }
    # Mitigate CVE-2023-40225 (Proxy forwards malformed empty Content-Length headers)
    http-request deny if { hdr_len(content-length) 0 }
    # Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/)
    http-request del-header Proxy
    # DNS labels are case insensitive (RFC 4343), we need to convert the hostname into lowercase
    # before matching, or any requests containing uppercase characters will never match.
    http-request set-header Host %[req.hdr(Host),lower]
    acl exist-php-ext path_sub -i .php
    acl fpm-status path /fpm-status
    http-request set-path /index.php%[path] if !exist-php-ext !fpm-status !{ path_end .php }
    # https://www.haproxy.com/blog/haproxy-and-http-strict-transport-security-hsts
    # max-age is mandatory
    # 16000000 seconds is a bit more than 6 months
    http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
    default_backend fcgi-servers

listen stats
    bind *:1936
    # Health check monitoring uri.
    monitor-uri /healthz
    # provide prometheus endpoint
    http-request use-service prometheus-exporter if { path /metrics }
    # Add your custom health check monitoring failure condition here.
    # monitor fail if <condition>
    stats enable
    stats uri /

backend fcgi-servers
    option httpchk
    http-check connect proto fcgi
    http-check send meth GET uri /fpm-ping
    use-fcgi-app php-fpm
    # https://www.haproxy.com/blog/circuit-breaking-haproxy
    server-template craftcms 10 "${CRAFT_SERVICE}.${NAMESPACE}.svc.cluster.local":9000 proto fcgi check resolvers kube-dns init-addr none observe layer7 error-limit 5 on-error mark-down inter 10s rise 30 slowstart 40s

fcgi-app php-fpm
    log-stderr global
    option keep-conn
    option mpxs-conns
    option max-reqs 10
    docroot /app/web
    index index.php
    path-info ^(/.+\.php)(/.*)?$
```
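A small log filter for the situation described in this thread, as an added example that is not part of the original e-mails: it parses default `option httplog` lines in raw format and reports every entry whose termination state begins with `I`, together with the phase given by the second character. The function name, field names and phase descriptions (paraphrased from section 8.5 of the HAProxy documentation) are this example's own; the two sample lines are the ones quoted in the thread.

```python
import re

# Default "option httplog" layout with "log ... format raw" (no syslog prefix).
HTTPLOG = re.compile(
    r'^(?P<client>\S+) \[(?P<accept>[^\]]+)\] (?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'-?\d+/-?\d+/-?\d+/(?P<Tr>-?\d+)/\+?(?P<Ta>-?\d+) '
    r'(?P<status>-?\d+) \+?\d+ \S+ \S+ (?P<term>\S{4}) '
    r'\S+ \S+ (?:\{[^}]*\} )*"(?P<request>[^"]*)"'
)

# Second termination-state character (paraphrased from HAProxy docs, section 8.5).
PHASE = {
    "R": "waiting for a complete request from the client",
    "Q": "waiting in the queue for a connection slot",
    "C": "waiting for the connection to the server to establish",
    "H": "waiting for complete response headers from the server",
    "D": "data phase",
    "L": "sending the last data to the client",
    "T": "request was tarpitted",
    "-": "normal session completion",
}

def find_internal_errors(lines):
    """Return one dict per log line whose termination state starts with 'I'."""
    hits = []
    for line in lines:
        m = HTTPLOG.match(line.strip())
        if m is None or not m["term"].startswith("I"):
            continue
        hits.append({
            "accept": m["accept"],
            "server": f'{m["backend"]}/{m["server"]}',
            "status": int(m["status"]),
            "term": m["term"],
            "phase": PHASE.get(m["term"][1], "unknown"),
            "Tr": int(m["Tr"]),  # -1: no complete response headers were received
            "request": m["request"],
        })
    return hits

# The two log lines quoted in the thread, with the mail line wraps removed.
SAMPLE = [
    '10.128.2.35:39684 [16/May/2024:14:54:26.229] craft-cms fcgi-servers/craftcms1 0/0/0/-1/1138 500 15416 - - IH-- 2/2/0/0/0 0/0 "GET /craftcms/admin/settings HTTP/1.1"',
    '10.131.0.26:46546 [16/May/2024:14:56:01.870] craft-cms fcgi-servers/craftcms1 0/0/0/1511/1514 200 113460 - - ---- 2/2/0/0/0 0/0 "GET /craftcms/admin/settings HTTP/1.1"',
]

if __name__ == "__main__":
    for hit in find_internal_errors(SAMPLE):
        print(hit)
```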