Hi Bernhard,

On Tue, Mar 16, 2010 at 03:52:36PM +0100, Bernhard Krieger wrote:
> Hello,
> 
> 
> After upgrading to 1.4.1 we are getting failures on our XML-interface.
> 
> Below the haproxy log entry of the request.
> 
> P-FLAG:
> The P indicates that the session was prematurely aborted by the proxy,  
> because of a connection limit enforcement, because a DENY filter was  
> matched, because of a security check which detected and blocked a  
> dangerous error in server response which might have caused information  
> leak (eg: cacheable cookie), or because the response was processed by  
> the proxy (redirect, stats, etc...).
> 
> 
> Mar 16 15:17:26 hostname haproxy[17065]: 192.168.4.147:2559  
> [16/Mar/2010:15:17:26.483] http-in PP/BACKEND1 0/0/0/167/168 200 16528  
> - - PDVN 102/10/9/9/0 0/0 {www.xxxxx} "GET  
> /ModulServletEdata?param=searchedata&promotion_id=2473&crcsec=1268744841861&crcsum=11297&casesensitive=0&add_average=25&dec=2&status=1&show_eid_only=false&orderclause=ORDER%20BY%20voter_rating,%20creationdate%20DESC&data_is_like=&ts=31739
>   
> HTTP/1.1"
> 
> The request is interrupted and so we didn't get the whole XML-Output.
> 
> If I switch back to version 1.3.22, it works without any problems.
> 
> I have no idea which rule, security check, ... causes this issue!

Do you have any transfer-encoding header in the response? If haproxy manages
to get out of sync with one chunk, it could find something very different
from a hexadecimal size and return an error which could be the same.

And could you please send me (in private if info is sensitive) a tcpdump
capture of the exchange as seen from the haproxy machine? Please use:

   $  tcpdump -s0 -npi eth0 tcp

You can even do that with 1.3.22 running, I'll try to feed 1.4 with the
response to see if I can make it fail.

Thanks!
Willy
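
An added example, not part of the original message and not haproxy's code: a small Python checker that walks a chunked response body, for instance one extracted from the tcpdump capture requested above, and reports the offset where something other than a hexadecimal chunk size appears. The function name and the sample bodies are constructed for illustration.

```python
# Added illustration: validate HTTP/1.1 chunked framing in a captured body.
# walk_chunks and the sample bodies below are constructed, not from the thread.
HEX = b"0123456789abcdefABCDEF"

def walk_chunks(body: bytes):
    """Return (payload, error). error is None when the framing is valid,
    otherwise it names the offset where the parser lost sync."""
    pos, payload = 0, bytearray()
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return bytes(payload), f"offset {pos}: truncated, no chunk-size line"
        line = body[pos:eol]
        size_field = line.split(b";", 1)[0].strip()  # ignore chunk extensions
        if not size_field or any(c not in HEX for c in size_field):
            # This is the failure described above: data where a size should be.
            return bytes(payload), (
                f"offset {pos}: expected hex chunk size, got {line[:20]!r}")
        size = int(size_field, 16)
        start = eol + 2
        if size == 0:
            return bytes(payload), None  # last chunk; trailers are not examined
        end = start + size
        if len(body) < end + 2:
            return bytes(payload), f"offset {start}: truncated chunk, wanted {size} bytes"
        if body[end:end + 2] != b"\r\n":
            return bytes(payload), f"offset {end}: chunk data not followed by CRLF"
        payload += body[start:end]
        pos = end + 2

# Constructed sample: two correctly framed chunks, then the terminating chunk.
GOOD = b"5\r\n<xml>\r\n6\r\n</xml>\r\n0\r\n\r\n"
# Constructed sample: the second chunk's size line is missing, so the parser
# reads XML where it expects a hexadecimal size.
DESYNC = b"5\r\n<xml>\r\n</xml>\r\n0\r\n\r\n"

if __name__ == "__main__":
    for name, body in (("GOOD", GOOD), ("DESYNC", DESYNC)):
        data, err = walk_chunks(body)
        print(name, len(data), "payload bytes,", err or "framing OK")
```
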
