Hello, I'm trying to diagnose an error I have when issuing a POST on a specific website I have. HAProxy is in front and handles HTTPS, with one backend.
The website is called through https, and I got an error with Firefox only (Chrome is fine) when doing a POST request including a specific text file. At this point, I thought the app software was guilty. I tried to get more information on the HAProxy side, and I get these flags:

    ft-xxx~ bk-xxx/<NOSRV> -1/-1/-1/-1/8 400 187 - - PR-- 97/1/0/0/2 0/0 "POST /index.php?/Tickets/Ticket/Reply/11969/1 HTTP/1.1"

Extract of the doc:

    P : the session was prematurely aborted by the proxy, because of a connection limit enforcement, because a DENY filter was matched, because of a security check which detected and blocked a dangerous error in server response which might have caused information leak (eg: cacheable cookie).

    R : a resource on the proxy has been exhausted (memory, sockets, source ports, ...). Usually, this appears during the connection phase, and system logs should contain a copy of the precise error. If this happens, it must be considered as a very serious anomaly which should be fixed as soon as possible by any means.

I do not have any extravagant rule in the HAProxy file... And I do not understand how I can have this error on Firefox and not Chrome. I guess something went wrong on the TLS layer... But the whole website is working on Firefox, only this kind of POST request. Firefox is using TLS v1.2 (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) at that time. show errors on the haproxy socket does not show any error. Any advice on where to look after that?
HAProxy config file:

    global
        tune.ssl.default-dh-param 1024
        tune.maxrewrite 1k
        tune.ssl.lifetime 3600
        tune.ssl.cachesize 1000000
        ssl-default-bind-options no-tls-tickets
        ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

    defaults
        mode http
        option abortonclose
        backlog 65536
        retries 2
        option clitcpka
        option tcp-smart-accept
        option tcp-smart-connect
        balance roundrobin
        option accept-invalid-http-request
        maxconn 100000
        timeout http-request 10s
        timeout queue 30s
        timeout client 25s
        timeout server 1h
        timeout tarpit 1m
        timeout check 2000ms
        default-server maxconn 10000 fall 3 rise 1 inter 2500ms fastinter 1000ms downinter 5000ms slowstart 30s
        errorfile 408 /dev/null

    frontend ft-xxx
        bind xxx:80
        bind xxx:443 ssl crt /etc/ssl/xxx.pem no-sslv3
        mode http
        log xxx.com local3
        option httplog
        option log-separate-errors
        option dontlognull
        default_backend bk-xxx
        redirect scheme https if !{ ssl_fc }
        bind-process 10

    backend bk-xxx
        mode http
        bind-process 10
        option forwardfor
        http-request set-header X-SSL %[ssl_fc]
        http-request set-header X-Forwarded-Proto https
        source xxx
        server xxx xxx:80 check weight 1

Thank you all!
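
Added example, not part of the original post: a small Python decoder for the "option httplog" line quoted above. It reads the four-character termination state by position, as the HAProxy documentation defines it (first character is the cause, second is the phase the session was in). The names decode_httplog, CAUSE and PHASE are hypothetical, and the tables list only the most common codes.

```python
import re

# Sample line copied from the post (starts at the frontend name; the syslog
# prefix and client address were not included there).
SAMPLE = ('ft-xxx~ bk-xxx/<NOSRV> -1/-1/-1/-1/8 400 187 - - PR-- 97/1/0/0/2 0/0 '
          '"POST /index.php?/Tickets/Ticket/Reply/11969/1 HTTP/1.1"')

LINE = re.compile(
    r'(?P<frontend>[^\s~]+)(?P<tls>~?) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<timers>\S+) (?P<status>-?\d+) (?P<bytes>\+?\d+) \S+ \S+ '
    r'(?P<state>\S{4}) \S+ \S+ "(?P<request>[^"]*)"')

# First character of the termination state: what ended the session.
CAUSE = {
    'C': 'aborted by the client', 'S': 'aborted or refused by the server',
    'P': 'aborted by the proxy', 'R': 'proxy resource exhausted',
    'I': 'proxy internal error', 'c': 'client-side timeout',
    's': 'server-side timeout', '-': 'normal completion',
}
# Second character: what the session was doing when it ended.
PHASE = {
    'R': 'waiting for a complete, valid request from the client',
    'Q': 'waiting in the queue for a connection slot',
    'C': 'waiting for the connection to the server',
    'H': 'waiting for response headers from the server',
    'D': 'data phase', 'L': 'sending last data to the client',
    'T': 'request tarpitted', '-': 'normal completion',
}

def decode_httplog(line):
    """Hypothetical helper: summarise one 'option httplog' line."""
    m = LINE.search(line)
    if m is None:
        raise ValueError('not an httplog line')
    state = m['state']
    return {
        'frontend': m['frontend'],
        'tls': m['tls'] == '~',  # '~' marks a connection accepted over SSL/TLS
        'server_contacted': m['server'] != '<NOSRV>',
        'timers_ms': [int(t) for t in m['timers'].split('/')],
        'status': int(m['status']),
        'cause': CAUSE.get(state[0], 'unknown (%s)' % state[0]),
        'phase': PHASE.get(state[1], 'unknown (%s)' % state[1]),
        'request': m['request'],
    }

if __name__ == '__main__':
    for key, value in decode_httplog(SAMPLE).items():
        print('%-17s %s' % (key, value))
```

For the quoted line it reports a TLS connection, no server contacted, status 400, cause "aborted by the proxy" and phase "waiting for a complete, valid request from the client".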