Hello,

On Tue, 27 Aug 2024 at 18:09, BJ Taylor <b...@greenseedtech.com> wrote:
>
> Here are the 502 logs from the last run after the config changes.
>
> 2024-08-26T09:29:02.547581-06:00 testserver haproxy[284569]: <134>Aug 26 
> 09:29:02 haproxy[284569]: 192.168.69.101:45382 [26/Aug/2024:09:29:02.545] 
> www~ front3/pdafront32 0/0/0/-1/1 502 208 - - SH-- 5/5/3/3/0 0/0 
> {front3.domain.com|} "POST https://front3.domain.com/front1 HTTP/2.0"
> 2024-08-26T11:27:20.748921-06:00 testserver haproxy[284569]: <134>Aug 26 
> 11:27:20 haproxy[284569]: 192.168.69.101:50606 [26/Aug/2024:11:27:20.746] 
> www~ front3/pdafront32 0/0/0/-1/1 502 208 - - SH-- 5/5/3/3/0 0/0 
> {front3.domain.com|} "POST https://front3.domain.com/front1 HTTP/2.0"
> 2024-08-26T14:11:11.289987-06:00 testserver haproxy[284569]: <134>Aug 26 
> 14:11:11 haproxy[284569]: 192.168.69.101:40516 [26/Aug/2024:14:11:11.285] 
> www~ front3/pdafront32 0/0/0/-1/2 502 208 - - SH-- 15/15/7/7/0 0/0 
> {front3.domain.com|} "POST https://front3.domain.com/front1 HTTP/2.0"
> 2024-08-26T17:40:55.801154-06:00 testserver haproxy[284569]: <134>Aug 26 
> 17:40:55 haproxy[284569]: 192.168.69.101:53952 [26/Aug/2024:17:40:55.798] 
> www~ front3/pdafront32 0/0/0/-1/1 502 208 - - SH-- 10/10/1/1/0 0/0 
> {front3.domain.com|} "POST https://front3.domain.com/front1 HTTP/2.0"

This indicates that your backend application crashes or at least does
not complete the HTTP response header after 208 bytes.

It is possible that "show errors" on the haproxy admin socket gives you
more insight into what the HTTP response of your server looks like
(and where it suddenly aborts exactly after those 208 bytes).

Try switching off H2 in the backend, to see if this is H2 related.

If you can switch off SSL on the backend and you can still reproduce
the issue, you may have an easier time debugging this with network
traces.

Otherwise, if you have no possibilities to troubleshoot at the backend
application, show errors is not useful and you cannot disable SSL on
the backend, you need to be able to decrypt the backend traffic from a
network trace. Reproducing with a non-FS cipher will allow you to
decrypt the SSL traffic with the certificate's private key; otherwise
you have to use client random logging [1] and then decrypt the traffic
in Wireshark before analyzing what happens in those last bytes of the
208 byte incomplete HTTP response.



Regards,
Lukas


[1] http://docs.haproxy.org/3.0/configuration.html#3.2-tune.ssl.keylog
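
An added example, not part of the original message: a small Python triage script that parses HAProxy HTTP-format log lines like the ones quoted above and flags requests whose termination state is SH with Tr = -1, which is the pattern behind the reading given in the reply. The function names and the second sample line are constructed for illustration; the code tables are a subset of those in the HAProxy logging documentation.

```python
import re

# Fields of the HAProxy HTTP log format, searched for after any syslog prefix.
LOG_RE = re.compile(
    r'(?P<client>\S+:\d+) \[(?P<accept>[^\]]+)\] (?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<TR>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/\+?(?P<Ta>-?\d+) '
    r'(?P<status>-?\d+) \+?(?P<bytes>\d+) \S+ \S+ (?P<term>[\w-]{4}) ')

# Subset of the termination-state codes (first and second character).
CAUSE = {'C': 'aborted by client', 'S': 'aborted or refused by server',
         'P': 'aborted by proxy', 'c': 'client timeout',
         's': 'server timeout', '-': 'normal'}
PHASE = {'R': 'waiting for request', 'Q': 'in queue',
         'C': 'connecting to server', 'H': 'waiting for response headers',
         'D': 'data phase', 'L': 'sending last data', '-': 'normal'}

def classify(line):
    """Return a summary dict for one log line, or None if it does not parse."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    term, tr = m['term'], int(m['Tr'])
    return {
        'server': f"{m['backend']}/{m['server']}",
        'status': int(m['status']),
        'cause': CAUSE.get(term[0], 'other'),
        'phase': PHASE.get(term[1], 'other'),
        # Tr == -1: a complete response header block was never received.
        'server_abort_before_headers': term[:2] == 'SH' and tr == -1,
    }

def suspects(lines):
    """Servers that aborted before finishing their response headers."""
    hits = (classify(l) for l in lines)
    return [h['server'] for h in hits if h and h['server_abort_before_headers']]

REQ = '{front3.domain.com|} "POST https://front3.domain.com/front1 HTTP/2.0"'
SAMPLE = [
    # First quoted 502 entry, rejoined onto one line.
    '2024-08-26T09:29:02.547581-06:00 testserver haproxy[284569]: <134>Aug 26 '
    '09:29:02 haproxy[284569]: 192.168.69.101:45382 [26/Aug/2024:09:29:02.545] '
    'www~ front3/pdafront32 0/0/0/-1/1 502 208 - - SH-- 5/5/3/3/0 0/0 ' + REQ,
    # Constructed healthy entry for contrast.
    '192.168.69.101:45400 [26/Aug/2024:09:30:00.000] www~ front3/pdafront32 '
    '0/0/1/12/13 200 1024 - - ---- 5/5/3/3/0 0/0 ' + REQ,
]

if __name__ == '__main__':
    for entry in SAMPLE:
        print(classify(entry))
```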

