Many thanks for your insight and response - I'll check that out.

On Tue, Oct 19, 2021 at 3:24 AM Christopher Faulet <[email protected]> wrote:
> On 10/13/21 at 8:30 PM, Jim Freeman wrote:
> > In adding a couple of new security response headers via haproxy.cfg (one is
> > 112 bytes, the other 32), a few requests are now getting 500 status (PH
> > session state) responses, but "show errors" has 0 entries? Most responses
> > succeed (all have the additional headers), so it's not a problem with the
> > new headers themselves.
> >
> > If haproxy generates a PH/500, shouldn't "show errors" show details of the
> > offending response?
> >
> > Thanks,
> > ...jfree
> > ======================
> > # echo "show info" | socat stdio /run/haproxy/stats.sock | grep ^Version:
> > Version: 2.2.8-1~bpo10+1
> >
> > # echo "show errors -1" | socat - /run/haproxy/stats.sock
> > Total events captured on [13/Oct/2021:18:24:15.819] : 0
> >
> > # cat /etc/debian_version
> > 10.11
>
> Hi,
>
> Only parsing errors are reported by the "show errors" command. Here the PH/500
> error is most probably due to a header rewrite error. I have not deeply
> checked however. You can verify my assumption by checking the "wrew" counter
> in the "show stats" command output on the stats socket.
>
> Header rewrite errors are triggered when there is not enough space in the
> buffer to perform the rewrites. By default, 1024 bytes are reserved in the
> buffer, to be sure to have enough space to perform some rewrites. If you add
> many headers in the response, it may be the problem. You can increase the
> reserve by setting the "tune.maxrewrite" global parameter.
>
> When such an error is encountered, HAProxy returns a 500-Internal-Error
> response. You can change that to make it fail silently. To do so, take a look
> at the "strict-mode" http-response action.
>
> --
> Christopher Faulet
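
One way to run the check suggested in the reply above, as an added example that is not part of the original thread: it parses the CSV that the stats socket returns for `show stat` and lists every proxy or server whose `wrew` counter is non-zero. The function names are hypothetical, and the sample CSV is constructed and trimmed to a few columns.

```python
import csv
import io
import socket

def query_stats(path="/run/haproxy/stats.sock"):
    """Send 'show stat' to the HAProxy stats socket and return the CSV text."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(b"show stat\n")
        chunks = []
        while True:
            data = s.recv(65536)
            if not data:          # HAProxy closes the socket after one command
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

def rewrite_failures(stat_csv):
    """Return [(pxname, svname, wrew)] for every row whose wrew counter is > 0."""
    text = stat_csv.lstrip()
    if text.startswith("# "):
        text = text[2:]           # header line is "# pxname,svname,..."
    rows = csv.DictReader(io.StringIO(text))
    if "wrew" not in (rows.fieldnames or []):
        raise ValueError("no 'wrew' column in this 'show stat' output")
    hits = []
    for row in rows:
        value = (row.get("wrew") or "").strip()
        if value.isdigit() and int(value) > 0:   # empty means "not applicable"
            hits.append((row["pxname"], row["svname"], int(value)))
    return hits

# Constructed sample: a real 'show stat' header has many more columns.
SAMPLE = """# pxname,svname,scur,hrsp_5xx,wrew,
web_fe,FRONTEND,3,7,7,
web_be,app1,1,0,0,
web_be,BACKEND,1,0,,
"""

if __name__ == "__main__":
    # Replace SAMPLE with query_stats() to check a live instance.
    for px, sv, n in rewrite_failures(SAMPLE):
        print(f"{px}/{sv}: {n} failed header rewrites")
```

Looking the column up by name rather than by position keeps the check working across HAProxy versions that add fields to the CSV.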

