On 10/13/21 at 8:30 PM, Jim Freeman wrote:
In adding a couple of new security response headers via haproxy.cfg (one is 112
bytes, the other 32), a few requests are now getting 500 status (PH session
state) responses, but "show errors" has 0 entries? Most responses succeed (all
have the additional headers), so it's not a problem with the new headers themselves.
If haproxy generates a PH/500, shouldn't "show errors" show details of the
offending response?
Thanks,
...jfree
======================
# echo "show info" | socat stdio /run/haproxy/stats.sock | grep ^Version:
Version: 2.2.8-1~bpo10+1
# echo "show errors -1" | socat - /run/haproxy/stats.sock
Total events captured on [13/Oct/2021:18:24:15.819] : 0
# cat /etc/debian_version
10.11
Hi,
Only parsing errors are reported by the "show errors" command. Here the PH/500 error is
most probably due to a header rewrite error. I have not deeply checked however.
You can verify my assumption by checking the "wrew" counter in "show stats"
command output on the stats socket.
Header rewrite errors are triggered when there is not enough space in the buffer
to perform the rewrites. By default, 1024 Bytes are reserved in the buffer, to
be sure to have enough space to perform some rewrites. If you add many headers
in the response, it may be the problem. You can increase the reserve by setting
the "tune.maxrewrite" global parameter.
When such an error is encountered, HAProxy returns a 500-Internal-Error response.
You can change that to make it fail silently. To do so, take a look at the
"strict-mode" http-response action.
--
Christopher Faulet
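
One way to run the "wrew" check suggested above, as an added example that is not part of the original thread: the counter is cumulative, so this compares two snapshots of the CSV returned by `echo "show stat" | socat stdio /run/haproxy/stats.sock` and reports which proxies logged new header rewrite failures. The snapshot data, proxy names and function names are constructed for illustration.

```python
import csv
import io

# Constructed "show stat" CSV snapshots, trimmed to a few columns (real output
# has many more; columns are looked up by header name, not position).
BEFORE = """\
# pxname,svname,scur,hrsp_5xx,wrew,
www,FRONTEND,3,2,2,
app,srv1,1,0,0,
app,BACKEND,1,0,0,
stats,FRONTEND,0,,,
"""
AFTER = BEFORE.replace("www,FRONTEND,3,2,2,", "www,FRONTEND,4,7,7,")


def parse_show_stat(text):
    """Return the rows of a 'show stat' CSV dump as dicts keyed by column name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("# "):
        raise ValueError("expected a '# pxname,svname,...' header line")
    lines[0] = lines[0][2:]  # drop the leading "# " so csv sees plain column names
    return list(csv.DictReader(io.StringIO("\n".join(lines))))


def wrew_counters(text):
    """Map (proxy, server) -> cumulative failed-header-rewrite count."""
    rows = parse_show_stat(text)
    if rows and "wrew" not in rows[0]:
        raise ValueError("no 'wrew' column in this output")
    # Empty cells are treated as 0.
    return {(r["pxname"], r["svname"]): int(r["wrew"] or 0) for r in rows}


def wrew_increase(before, after):
    """Return the entries whose wrew counter grew between two snapshots."""
    old, new = wrew_counters(before), wrew_counters(after)
    return {k: v - old.get(k, 0) for k, v in new.items() if v > old.get(k, 0)}


if __name__ == "__main__":
    for (px, sv), n in wrew_increase(BEFORE, AFTER).items():
        print(f"{px}/{sv}: {n} new header rewrite failures")
```

If the increase in "wrew" tracks the number of new 500 responses, the rewrite reserve is the likely cause and "tune.maxrewrite" is the setting to revisit.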