Nginx returns 503 when it gets 403 from haproxy

In my environment I have Nginx terminating connections, then sending
them
to an HAProxy upstream. We’ve noticed that whenever HAProxy emts a 403
error (Forbidden, in response to our ACL rules), NGINX reports a 503
result
(service unavailable) and I believe is logging an “upstream prematurely
closed connection while reading response header from upstream” error
message in the nginx error log.

What I’d really like to do is pass the 403 code back to the user - what
do
I need to do?

On Thu, Apr 14, 2016 at 10:45:36PM -0400, CJ Ess wrote:

Hi there,

In my environment I have Nginx terminating connections, then sending them
to an HAProxy upstream. We’ve noticed that whenever HAProxy emts a 403
error (Forbidden, in response to our ACL rules), NGINX reports a 503 result
(service unavailable) and I believe is logging an “upstream prematurely
closed connection while reading response header from upstream” error
message in the nginx error log.

What I’d really like to do is pass the 403 code back to the user - what do
I need to do?

Can you provide a small config that shows the problem?

===
http {
upstream haproxy {
server 127.0.0.1:8080;
}
server {
listen 127.0.0.1:8080;
server_name haproxy;
return 403;
}

server {
    listen 8080;
    location / {
        proxy_pass http://haproxy;
    }
}

}

seems to suggest that nginx does what you want.

So - have you a different config; or is your haproxy not issuing a
“clean” 403, or is something else happening on the wire?

f

Francis D. [email protected]

On Thursday 14 April 2016 22:45:36 CJ Ess wrote:

In my environment I have Nginx terminating connections, then sending them
to an HAProxy upstream. We’ve noticed that whenever HAProxy emts a 403
error (Forbidden, in response to our ACL rules), NGINX reports a 503 result
(service unavailable) and I believe is logging an “upstream prematurely
closed connection while reading response header from upstream” error
message in the nginx error log.

What I’d really like to do is pass the 403 code back to the user - what do
I need to do?

That message suggests that haproxy closes connection before properly
returning
headers. So nginx can’t pass 403 since it can’t get it right from
haproxy.

You should check what is wrong with haproxy.

wbr, Valentin V. Bartenev

It sounds like this is not as straight forward as I had hoped, I’ll do
like
Francis D. said and put together a test case - I’ll get some packet
captures to see what exactly is being sent between all the components.

Ok, I figured it out. Seems that several years ago someone at my day job
did a custom errorfile in haproxy which returns a 503 error whenever
haproxy intends to return a 403 error. It was forgotten and went
unnoticed
until now. Now we have to figure out if its a cut and paste error or if
there was a legit reason for doing this. Either way its not an nginx (or
haproxy) issue.

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs