Hello,
I'm trying to diagnose an error I have when issuing a POST on a specific
website I have.
HAProxy is in front and handles HTTPS, with one backend.
The website is called through HTTPS, and I got an error with Firefox only
(Chrome is fine) when doing a POST request including a specific text file.
At this point, I thought the app software was guilty. I tried to get more
information on the HAProxy side, and I get these flags:
ft-xxx~ bk-xxx/<NOSRV> -1/-1/-1/-1/8 400 187 - - PR-- 97/1/0/0/2 0/0 "POST /index.php?/Tickets/Ticket/Reply/11969/1 HTTP/1.1"
Extract of the doc:
P : the session was prematurely aborted by the proxy, because of a
connection limit enforcement, because a DENY filter was matched,
because of a security check which detected and blocked a dangerous
error in server response which might have caused information leak
(eg: cacheable cookie).
R : a resource on the proxy has been exhausted (memory, sockets, source
ports, ...). Usually, this appears during the connection phase, and
system logs should contain a copy of the precise error. If this
happens, it must be considered as a very serious anomaly which
should be fixed as soon as possible by any means.
I do not have any extravagant rule in the HAProxy file ... And I do not
understand how I can have this error on Firefox and not Chrome. I
guess something went wrong on the TLS layer ... But the whole website is
working on Firefox, only this kind of POST request fails. Firefox is using
TLS v1.2 (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) at that time.
"show errors" on the haproxy socket does not show any error.
Any advice on where to look after that?
HAProxy config file:
global
    tune.ssl.default-dh-param 1024
    tune.maxrewrite 1k
    tune.ssl.lifetime 3600
    tune.ssl.cachesize 1000000
    ssl-default-bind-options no-tls-tickets
    ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

defaults
    mode http
    option abortonclose
    backlog 65536
    retries 2
    option clitcpka
    option tcp-smart-accept
    option tcp-smart-connect
    balance roundrobin
    option accept-invalid-http-request
    maxconn 100000
    timeout http-request 10s
    timeout queue 30s
    timeout client 25s
    timeout server 1h
    timeout tarpit 1m
    timeout check 2000ms
    default-server maxconn 10000 fall 3 rise 1 inter 2500ms fastinter 1000ms downinter 5000ms slowstart 30s
    errorfile 408 /dev/null

frontend ft-xxx
    bind xxx:80
    bind xxx:443 ssl crt /etc/ssl/xxx.pem no-sslv3
    mode http
    log xxx.com local3
    option httplog
    option log-separate-errors
    option dontlognull
    default_backend bk-xxx
    redirect scheme https if !{ ssl_fc }
    bind-process 10

backend bk-xxx
    mode http
    bind-process 10
    option forwardfor
    http-request set-header X-SSL %[ssl_fc]
    http-request set-header X-Forwarded-Proto https
    source xxx
    server xxx xxx:80 check weight 1
Thank you all !
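As an added example, not part of the original message and not HAProxy's own code: a Python script that parses an "option httplog" line field by field and spells out the termination state, using the field meanings from the HAProxy documentation (sections 8.2.3 "HTTP log format", 8.4 "Timing events" and 8.5 "Session state at disconnection"). The sample input is the log line quoted in the message, embedded as a constructed string with its syslog prefix already stripped; the function and field names are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the log line quoted in the post, with the syslog prefix
# (process name, client address, accept date) already stripped as in the message.
SAMPLE_LINE = ('ft-xxx~ bk-xxx/<NOSRV> -1/-1/-1/-1/8 400 187 - - PR-- 97/1/0/0/2 0/0 '
               '"POST /index.php?/Tickets/Ticket/Reply/11969/1 HTTP/1.1"')

# Field order after the accept date in httplog format (HAProxy docs, section 8.2.3);
# re.search() lets a complete syslog line with its prefix pass through as well.
HTTPLOG_RE = re.compile(
    r'(?P<frontend>\S+)\s+(?P<backend>[^\s/]+)/(?P<server>\S+)\s+'
    r'(?P<timers>-?\d+(?:/-?\d+){4})\s+(?P<status>-?\d+)\s+(?P<bytes>\d+)\s+'
    r'(?P<req_cookie>\S+)\s+(?P<res_cookie>\S+)\s+(?P<term>[A-Za-z-]{4})\s+'
    r'(?P<conns>\d+(?:/\d+){4})\s+(?P<queues>\d+/\d+)\s+"(?P<request>[^"]*)"')

# Timer names as logged by HAProxy 1.5-1.8 (1.9+ calls the first and last TR and Ta);
# a -1 in a position means the session ended before that phase (docs, section 8.4).
TIMER_NAMES = ('Tq', 'Tw', 'Tc', 'Tr', 'Tt')
TIMER_ABORT = {
    'Tq': 'no complete request was received before the session ended',
    'Tw': 'the session ended before the request reached the queue',
    'Tc': 'the session ended before a server connection was attempted',
    'Tr': 'the session ended before a complete response was received',
}
CONN_NAMES = ('actconn', 'feconn', 'beconn', 'srv_conn', 'retries')

# Session state at disconnection (docs, section 8.5): first char is the cause,
# second is where the session was when it ended, the last two are cookie flags.
TERM_CAUSE = {
    '-': 'normal session completion',
    'C': 'client aborted (unexpected TCP close or reset from the client)',
    'S': 'server aborted, refused the connection, or reset it',
    'P': 'proxy aborted: connection limit, deny/reject rule, or blocked dangerous response',
    'L': 'handled locally by HAProxy (redirect, stats, errorfile), never sent to a server',
    'R': 'a proxy resource was exhausted (memory, sockets, source ports)',
    'c': 'client-side timeout expired',
    's': 'server-side timeout expired',
}
TERM_STATE = {
    '-': 'normal completion, both ends closed',
    'R': 'waiting for a complete, valid REQUEST from the client',
    'Q': 'waiting in the QUEUE for a connection slot',
    'C': 'waiting for the CONNECTION to the server to establish',
    'H': 'waiting for or processing response HEADERS from the server',
    'D': 'DATA transfer phase',
}
TERM_COMBOS = {  # combinations the docs single out, with the status HAProxy returns
    'PR': 'proxy blocked the request while parsing it: HTTP 400 for invalid syntax, '
          'HTTP 403 when a deny rule matched',
    'cR': 'timeout http-request expired before a complete request arrived (HTTP 408)',
    'sH': 'timeout server expired before the response headers arrived (HTTP 504)',
}

@dataclass
class HttpLogEntry:
    frontend: str
    frontend_ssl: bool  # a trailing '~' on the frontend name marks a TLS connection
    backend: str
    server: str         # '<NOSRV>' when no server was ever selected
    timers: dict
    status: int
    term: str
    conns: dict
    request: str

def parse_httplog(line):
    """Return an HttpLogEntry, or None when the line is not in httplog format."""
    m = HTTPLOG_RE.search(line)
    if not m:
        return None
    fe = m['frontend']
    return HttpLogEntry(
        frontend=fe.rstrip('~'), frontend_ssl=fe.endswith('~'),
        backend=m['backend'], server=m['server'],
        timers=dict(zip(TIMER_NAMES, map(int, m['timers'].split('/')))),
        status=int(m['status']), term=m['term'],
        conns=dict(zip(CONN_NAMES, map(int, m['conns'].split('/')))),
        request=m['request'])

def explain(entry):
    """Spell out the termination flags, the -1 timers and <NOSRV>: how far the request got."""
    cause, state = entry.term[0], entry.term[1]
    notes = [f"{cause}: {TERM_CAUSE.get(cause, 'unknown cause code')}",
             f"{state}: {TERM_STATE.get(state, 'unknown state code')}"]
    if cause + state in TERM_COMBOS:
        notes.append(f"{cause}{state} together: {TERM_COMBOS[cause + state]}")
    if entry.term[2:] == '--':
        notes.append('--: no cookie-based persistence was involved')
    notes += [f"{n}=-1: {TIMER_ABORT[n]}" for n, v in entry.timers.items()
              if v == -1 and n in TIMER_ABORT]
    if entry.server == '<NOSRV>':
        notes.append('<NOSRV>: no backend server was selected; HAProxy answered by itself')
    return notes

if __name__ == '__main__':
    e = parse_httplog(SAMPLE_LINE)
    print(f"{e.frontend} -> {e.backend}/{e.server}  status={e.status}  term={e.term}")
    for note in explain(e):
        print('  ' + note)
```

Run on the line from the message it reports P (proxy abort) and R (still waiting for a complete valid request), and for the PR/400 pair the documentation's reading: HAProxy itself rejected the request at parse time, consistent with all four -1 timers and <NOSRV> (no server was ever contacted). Since the request line was decrypted and logged, the TLS handshake had already succeeded, so the difference between the two browsers lies in the HTTP request bytes of this particular POST rather than in the TLS layer or the backend.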