In my environment I have Nginx terminating connections, then sending
them
to an HAProxy upstream. We’ve noticed that whenever HAProxy emts a 403
error (Forbidden, in response to our ACL rules), NGINX reports a 503
result
(service unavailable) and I believe is logging an “upstream prematurely
closed connection while reading response header from upstream” error
message in the nginx error log.
What I’d really like to do is pass the 403 code back to the user - what
do
I need to do?
On Thu, Apr 14, 2016 at 10:45:36PM -0400, CJ Ess wrote:
Hi there,
In my environment I have Nginx terminating connections, then sending them
to an HAProxy upstream. We’ve noticed that whenever HAProxy emts a 403
error (Forbidden, in response to our ACL rules), NGINX reports a 503 result
(service unavailable) and I believe is logging an “upstream prematurely
closed connection while reading response header from upstream” error
message in the nginx error log.
What I’d really like to do is pass the 403 code back to the user - what do
I need to do?
Can you provide a small config that shows the problem?
===
http {
upstream haproxy {
server 127.0.0.1:8080;
}
server {
listen 127.0.0.1:8080;
server_name haproxy;
return 403;
}
In my environment I have Nginx terminating connections, then sending them
to an HAProxy upstream. We’ve noticed that whenever HAProxy emts a 403
error (Forbidden, in response to our ACL rules), NGINX reports a 503 result
(service unavailable) and I believe is logging an “upstream prematurely
closed connection while reading response header from upstream” error
message in the nginx error log.
What I’d really like to do is pass the 403 code back to the user - what do
I need to do?
That message suggests that haproxy closes connection before properly
returning
headers. So nginx can’t pass 403 since it can’t get it right from
haproxy.
It sounds like this is not as straight forward as I had hoped, I’ll do
like
Francis D. said and put together a test case - I’ll get some packet
captures to see what exactly is being sent between all the components.
Ok, I figured it out. Seems that several years ago someone at my day job
did a custom errorfile in haproxy which returns a 503 error whenever
haproxy intends to return a 403 error. It was forgotten and went
unnoticed
until now. Now we have to figure out if its a cut and paste error or if
there was a legit reason for doing this. Either way its not an nginx (or
haproxy) issue.
This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.