On 10/19/21 at 16:49, Jim Freeman wrote:
OK - this is weird (so don't shoot the messenger?).
With more tcpdump-ing and examination, the back-end service logs that it sent a
response, but
1) tcpdump running on the haproxy instance never sees the response!
   a) 2 proxies - an AWS ELB and on-instance nginx - lie between HAProxy
      instance and the service
2) sans any response (and within 0.2 to 13 seconds of the request send),
   HAProxy initiates the PH/500 to the client!
It would make sense to me if any timeouts or disconnects were involved - HAProxy
would report an [sS][DH] or somesuch.
And reverting the sending of the "content-security-policy: frame-ancestors ..."
and "x-frame-options: ..." response(!) headers makes the problem disappear
again. You'll rightly point out that HTTP/1.1 is stateless, and that the prior
history of the request/response stream (and response headers sent to the client)
shouldn't affect the (non-)response to a given request.
Any clues as to how/why the PH/500 might be generated without a response to
trigger it would be most eagerly received. While it is entirely likely this
will wind up being a "nut loose on the keyboard" issue, I just thought I'd share
my observations and befuddlement ...
First of all, I missed a point. The 2.2.8 is quite old. You must upgrade first.
Then, have you checked the rewrite error counters on your backend? Because,
AFAIK, it is the only place where a 500 is possible with the PH termination
state. If you are using http-after-response rules, it may explain this error.
However, share your redacted configuration too. It can help me to explain what
you observe.
--
Christopher Faulet
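
One way to check the rewrite error counters mentioned in the reply above, as an added example that is not part of the original thread: it reads the CSV printed by HAProxy's `show stat` command and lists the proxies and servers whose failed-rewrite counter (`wrew`) is non-zero. Also reporting the internal-error counter (`eint`) is an assumption about what is worth looking at, and the sample CSV and its proxy names are constructed.

```python
import csv

# Constructed sample of "show stat" CSV output, trimmed to a few columns.
# Real output has many more columns; the parser looks fields up by name.
SAMPLE = """\
# pxname,svname,scur,hrsp_5xx,wrew,eint,
fe_main,FRONTEND,3,12,0,0,
be_app,app1,1,12,12,0,
be_app,BACKEND,1,12,12,0,
be_static,BACKEND,0,0,0,0,
"""


def rewrite_failures(stat_csv):
    """Return rows whose wrew (failed header rewrites) or eint
    (internal errors) counter is non-zero."""
    lines = stat_csv.lstrip().splitlines()
    if not lines or not lines[0].startswith("# "):
        raise ValueError("expected a '# pxname,...' header line")
    lines[0] = lines[0][2:]  # drop the leading "# " so names match
    hits = []
    for row in csv.DictReader(lines):
        counters = {}
        for name in ("wrew", "eint"):
            # A column missing from this version, or left empty, counts as 0.
            counters[name] = int(row.get(name) or "0")
        if any(counters.values()):
            hits.append({"proxy": row["pxname"],
                         "server": row["svname"],
                         **counters})
    return hits


if __name__ == "__main__":
    for hit in rewrite_failures(SAMPLE):
        print(hit)
```

Comparing two snapshots taken before and after reproducing the PH/500 shows whether the counter moves with the error.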