Hi Lukas,

 I had decoded the error message and it didn't make sense.  There is no
connection limit reached, there are no filters.  If you look at the rest of
the log line, there were no cookies.  In fact, the last part "a security
check which detected and blocked a dangerous error in server response which
might have caused information leak" is very ambiguous.  Is there any
detailed explanation?
 Thanks for the links btw, I completely missed the socket info, and that it
was possible to get more detail on the errors via the sockets.  I'm going
to dig deeper with that and will post a followup.

-Alex

On Sat, Nov 22, 2014 at 9:37 PM, Lukas Tribus <luky...@hotmail.com> wrote:

> Hi Alexey,
>
>
>
> > All,
> >
> > I've tripled the default buffer size, doubled maxconn and added
> > accept invalid http request from client and server. This got rid of a
> > large number of the 400's but not all. Any ideas what it could be?
> > There's nothing else specific in the logs and haproxy-status is all
> > good.
>
>
> First of all, let's decode the original error message first.
>
> In the log we see "PRNN", which means (according to the docs [1]):
> P : the session was prematurely aborted by the proxy, because of a
>     connection limit enforcement, because a DENY filter was matched,
>     because of a security check which detected and blocked a dangerous
>     error in server response which might have caused information leak
>     (eg: cacheable cookie).
>
>
> Subsequent characters (RNN) don't really matter at that point.
>
> To find out why exactly the proxy decided to close the connection, I
> suggest you enable the unix admin socket and provide show errors [3]
> output from there. This will tell us more about the last error.
>
> Also, you need to provide your configuration, especially timeout, acls,
> maxconn values etc. Feel free to obfuscate hostnames and IP addresses,
> but make sure that everything else remains intact.
>
>
>
> Regards,
>
> Lukas
>
>
>
> [1] http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#8.5
> [2] http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#9.2
> [3] http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#9.2-show%20errors
>
>
>

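The termination-state decoding discussed in this thread, as an added example that is not part of either message: it pulls the status code and the four-character state (such as "PRNN") out of HAProxy HTTP-format log lines and counts error responses per state. The log lines, addresses and proxy names are constructed, and the meanings for codes other than "P" are paraphrased from section 8.5 of the HAProxy 1.5 documentation, not from the thread.

```python
import re
from collections import Counter

# Meanings paraphrased from HAProxy 1.5 docs, section 8.5 (assumed subset, not exhaustive).
FIRST = {   # what ended the session
    "-": "normal completion",
    "C": "aborted by the client",
    "S": "aborted or refused by the server",
    "P": "aborted by the proxy (limit, DENY filter, or security check)",
    "c": "client-side timeout",
    "s": "server-side timeout",
}
SECOND = {  # what the session was doing at that moment
    "-": "normal completion",
    "R": "waiting for a complete, valid request from the client",
    "Q": "waiting in the queue for a connection slot",
    "C": "waiting for the connection to the server",
    "H": "waiting for complete, valid response headers",
    "D": "in the data phase",
}

# Fields of the HTTP log format that follow the "[accept_date]" block.
LOG_RE = re.compile(
    r"\] (?P<frontend>\S+) (?P<backend>\S+) [-+\d/]+ "
    r"(?P<status>\d{3}) \+?\d+ \S+ \S+ (?P<term>[-A-Za-z]{4}) ")

def explain(term):
    """Decode the first two characters of a termination state such as 'PRNN'."""
    return (FIRST.get(term[0], "unknown"), SECOND.get(term[1], "unknown"))

def tally_errors(lines):
    """Count 4xx/5xx responses per (status, termination state)."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m and int(m["status"]) >= 400:
            counts[(int(m["status"]), m["term"])] += 1
    return counts

# Constructed sample lines (documentation addresses, hypothetical proxy names).
SAMPLE = [
    'Nov 22 21:30:01 lb1 haproxy[2101]: 192.0.2.10:51234 [22/Nov/2014:21:30:01.120] fe_http fe_http/<NOSRV> -1/-1/-1/-1/87 400 187 - - PRNN 12/12/0/0/0 0/0 "<BADREQ>"',
    'Nov 22 21:30:02 lb1 haproxy[2101]: 192.0.2.11:51300 [22/Nov/2014:21:30:02.004] fe_http be_app/app1 3/0/1/25/29 200 5120 - - --NN 12/12/1/1/0 0/0 "GET / HTTP/1.1"',
    'Nov 22 21:30:05 lb1 haproxy[2101]: 192.0.2.10:51240 [22/Nov/2014:21:30:05.500] fe_http fe_http/<NOSRV> -1/-1/-1/-1/3 400 187 - - PRNN 13/13/0/0/0 0/0 "<BADREQ>"',
    'Nov 22 21:30:09 lb1 haproxy[2101]: 192.0.2.12:40022 [22/Nov/2014:21:30:09.000] fe_http fe_http/<NOSRV> -1/-1/-1/-1/5000 408 212 - - cRNN 13/13/0/0/0 0/0 "<BADREQ>"',
]

if __name__ == "__main__":
    for (status, term), n in tally_errors(SAMPLE).most_common():
        print(n, status, term, *explain(term), sep=" | ")
```

A tally like this only narrows down which sessions to look at; the reason the proxy rejected a given request still has to come from `show errors` on the admin socket, as suggested in the quoted reply.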