Caddy is rejecting cookies above 3 KB

1. The problem I’m having:

Caddy is rejecting cookies of more than 3 KB in size.

What our application does:
Our application uses on_demand tls to generate certificates using a custom endpoint.

2. Error messages and/or full log output:

{
  "level": "error",
  "ts": 1727093588.6403708,
  "logger": "http.log.access.log1",
  "msg": "handled request",
  "request": {
    "remote_ip": "REDACTED",
    "remote_port": "REDACTED",
    "client_ip": "REDACTED",
    "proto": "HTTP/2.0",
    "method": "GET",
    "host": "qr.yggh.com",
    "uri": "/mIm5",
    "headers": {
      "Sec-Fetch-Dest": ["document"],
      "Priority": ["u=0, i"],
      "Sec-Ch-Ua": ["\"Google Chrome\";v=\"129\", \"Not=A?Brand\";v=\"8\", \"Chromium\";v=\"129\""],
      "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"],
      "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],
      "Sec-Fetch-Mode": ["navigate"],
      "Upgrade-Insecure-Requests": ["1"],
      "Accept-Language": ["en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7"],
      "Cookie": ["cookieName=cookieValue; largeCookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA""],
      "Sec-Fetch-Site": ["none"],
      "Accept-Encoding": ["gzip, deflate, br, zstd"],
      "Sec-Ch-Ua-Mobile": ["?0"],
      "Sec-Ch-Ua-Platform": ["\"macOS\""],
      "Dnt": ["1"],
      "Sec-Fetch-User": ["?1"]
    },
    "tls": {
      "resumed": true,
      "version": 772,
      "cipher_suite": 4865,
      "proto": "h2",
      "server_name": "qr.dss.com"
    }
  },
  "bytes_read": 0,
  "user_id": "",
  "duration": 0.002290029,
  "size": 150,
  "status": 502,
  "resp_headers": {
    "Server": ["Caddy", "awselb/2.0"],
    "Alt-Svc": ["h3=\":443\"; ma=2592000"],
    "Report-To": ["{\"group\":\"default\",\"max_age\":86400,\"endpoints\":[{\"url\":\"https://fdfd.report-uri.com/a/d/g\"}],\"include_subdomains\":true}"],
    "Referrer-Policy": ["strict-origin"],
    "Content-Type": ["text/html"],
    "Content-Encoding": ["zstd"],
    "Date": ["Mon, 23 Sep 2024 12:13:08 GMT"],
    "Vary": ["Accept-Encoding"],
    "Strict-Transport-Security": ["max-age=31536000;includeSubdomains"],
    "X-Frame-Options": ["DENY"],
    "X-Xss-Protection": ["1; mode=block"]
  }
}

3. Caddy version:

v2.8.4

4. How I installed and ran Caddy:

Installed using systemd service in ubuntu 22.04

a. System environment:

PRETTY_NAME="Ubuntu 22.04.5 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.5 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian

UBUNTU_CODENAME=jammy

architecture: aarch64

b. Command:

caddy validate
caddy reload

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:


{
       

        on_demand_tls {
                ask https://xxxxx/custom-domain/ssl-allowed/
        }

        servers {
                metrics
                log_credentials
        }
}

:2018 {
        log {
                output file /var/log/caddy/access_metrics.log {
                        roll_size 100mb
                        roll_keep 10
                        roll_keep_for 720h
                }

                format json
        }

        encode zstd gzip #compression

        metrics
}

:443 {
        log {
                output file /var/log/caddy/access.log {
                        roll_size 100mb
                        roll_keep 10
                        roll_keep_for 720h
                }

                format json
                level debug
        }

        encode zstd gzip #compression

        reverse_proxy http://dsdsd.us-west-2.elb.amazonaws.com {
               
        }
        tls {
                on_demand
        }

        header {
                # Response Headers
                #X-Content-Type-Options nosniff
                X-Frame-Options DENY
                X-XSS-Protection "1; mode=block"
                Referrer-Policy strict-origin

                #csp

                #Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' dss.s3.amazonaws.com *.diageohorizon.com *.dsfs.com *.googletagmanager.com *.youtube.com"

                # enable HSTS
                Strict-Transport-Security max-age=31536000;includeSubdomains

                # Reporting

                #max age  one day
                Report-To: {"group":"default","max_age":86400,"endpoints":[{"url":"https://dda.report-uri.com/a/d/g"}],"include_subdomains":true}
        }
}

5. Links to relevant resources:

I tried these solutions but the issue is the same

header_down -Set-Cookie
max_header_size 10 MB

If I manually increase the cookie size from the browser, the website gives a 502 Bad Gateway.

I tried increasing the max header size with this command

max_header_size 10MB

but the issue is still the same.

Please help us to resolve this issue. Any help will be deeply appreciated.

Thanks
Deepak Tiwari

Enable the debug global option to get more detail about what’s going on in the proxy.

I don’t think this is an issue with Caddy, I don’t see evidence of that. Are you sure it’s not just your upstream app not handling it? You’re sending the request through Amazon, are you sure they don’t have some header size limitation on their end?

1 Like

Here are the debug logs

{
    "level": "debug",
    "ts": 1727114848.097292,
    "logger": "http.handlers.reverse_proxy",
    "msg": "upstream roundtrip",
    "upstream": "random-load-balancer-12345678.us-west-2.amazonaws.com:80",
    "duration": 0.001992674,
    "request": {
        "remote_ip": "REDACTED",
        "remote_port": "51950",
        "client_ip": "REDACTED",
        "proto": "HTTP/2.0",
        "method": "GET",
        "host": "qr.abc.com",
        "uri": "/mIm5",
        "headers": {
            "Accept-Encoding": ["gzip, deflate, br, zstd"],
            "Upgrade-Insecure-Requests": ["1"],
            "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/REDACTED Safari/537.36"],
            "Cookie": ["REDACTED"],
            "X-Forwarded-For": ["REDACTED"],
            "X-Forwarded-Proto": ["https"],
            "X-Forwarded-Host": ["qr.abc.com"]
        },
        "tls": {
            "resumed": true,
            "version": 772,
            "cipher_suite": 4865,
            "proto": "h2",
            "server_name": "qr.abc.com"
        }
    },
    "headers": {
        "Content-Type": ["text/html"],
        "Content-Length": ["524"],
        "Connection": ["keep-alive"],
        "Server": ["awselb/2.0"],
        "Date": ["Mon, 23 Sep 2024 18:07:28 GMT"]
    },
    "status": 502
}

As we are using an AWS Application Load Balancer as a reverse proxy, I raised a support ticket with AWS Support and found out that they have a limit of 16 KB on cookie size.

reply from AWS

Based on our current quotas of the ALB, the single HTTP header size couldn’t exceed 16 K and it’s not adjustable[1]. So the cookie limit size of the ALB is not configurable.

link: Quotas for your Application Load Balancers - Elastic Load Balancing

But when I am injecting cookies of more than 3 KB in size, the server gives a 502 error.

Are you able to craft a curl -v with your 3KB cookie to match the request Caddy sent, and send that off to the upstream and see what you get?

It really looks like Caddy’s doing its job just fine, and something upstream can’t handle it, and trying to curl that cookie in will tell us whether it’s actually a problem with Caddy or if you need to troubleshoot elsewhere.

I tried with the curl -v command.

Here I have injected random cookies of more than 3 KB in size.

curl -v \
  -H "Host: qr.abcjc.com" \
  -H "Accept: */*" \
  -H "Accept-Encoding: gzip, deflate, br, zstd" \
  -H "Upgrade-Insecure-Requests: 1" \
  -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36" \
  -H "Sec-Fetch-Site: none" \
  -H "Sec-Ch-Ua: 'Google Chrome';v='129', 'Not=A?Brand';v='8', 'Chromium';v='129'" \
  -H "Sec-Fetch-Mode: navigate" \
  -H "Cookie: $(head -c 4000 /dev/urandom | base64)" \
  -H "Sec-Ch-Ua-Platform: 'macOS'" \
  -H "Dnt: 1" \
  -H "Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7" \
  "http://my-alb.us-west-2.elb.amazonaws.com"

This was my response

* Host my-alb.us-west-2.elb.amazonaws.com:80 was resolved.
* IPv6: (none)
* IPv4: alb-tg-ip,alb-tg-ip1
*   Trying caddy-instance-ip:80...
* Connected to my-alb.us-west-2.elb.amazonaws.com (caddy-instance-ip) port 80
> GET / HTTP/1.1
> Host: qr.abcjc.com
> Accept: */*
> Accept-Encoding: gzip, deflate, br, zstd
> Upgrade-Insecure-Requests: 1
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
> Sec-Fetch-Site: none
> Sec-Ch-Ua: 'Google Chrome';v='129', 'Not=A?Brand';v='8', 'Chromium';v='129'
> Sec-Fetch-Mode: navigate
> Cookie: [value omitted]
> Sec-Ch-Ua-Platform: 'macOS'
> Dnt: 1
> Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7
> 
* Request completely sent off
< HTTP/1.1 502 Bad Gateway
< Server: awselb/2.0
< Date: Tue, 24 Sep 2024 04:12:07 GMT
< Content-Type: text/html
< Content-Length: 524
< Connection: keep-alive
< 
<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
* Connection #0 to host myalb.us-west-2.elb.amazonaws.com left intact

I have replaced critical information with dummy info.

I dug into the logs of the AWS ALB and found this:

http 2024-09-24T02:17:29.912537Z app/my-alb/6bfee6ebb7915eb7 caddy-instance-ip:43438 private_ip:32769 0.000 0.001 -1 502 - 3713 277 "GET http://qr.abcjc.com:80/static/plugins/pdfjs-3.11.174/pdf.min.js HTTP/1.1" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1" - - arn:aws:alb "Root=1-66f22139-286e5ef221d928c65833b25c" "-" "-" 0 2024-09-24T02:17:29.911000Z "forward" "-" "-" "172.31.63.116:32769" "-" "-" "-" TID_fb2632be8a5e7149a99cd19c0742b548

Caddy is reaching the upstream (as evidenced by a Server header in the response), but it responds with a 502. I don’t think it’s a problem with Caddy.

Why do your cookies need to be so big? Why can’t you keep this information differently, e.g. server-side session state, with an identifier in the cookie to do a lookup? That’s the traditional way to do it.

2 Likes
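
The attribution argument in this thread (a `Server` response header naming something other than Caddy means the 502 was produced behind Caddy) can be applied across a whole log file. The following is an added example, not code from any poster or from the Caddy project; the function names and the sample log lines are constructed, and the `Server` check is a heuristic taken from the discussion above.

```python
import json

def header_bytes(headers):
    """Approximate wire size of a header map logged as name -> [values]."""
    return sum(len(n) + len(v) + 4 for n, vals in headers.items() for v in vals)

def classify(entry):
    """Attribute one 5xx entry from a Caddy JSON log to Caddy or to the upstream."""
    status = entry.get("status", 0)
    if status < 500:
        return None
    req = entry.get("request", {}).get("headers", {})
    # Access log uses "resp_headers"; the reverse_proxy debug log uses "headers".
    resp = entry.get("resp_headers") or entry.get("headers") or {}
    # Heuristic taken from the thread: a Server value other than "Caddy"
    # means the error response was generated behind Caddy.
    foreign = [s for s in resp.get("Server", []) if s.lower() != "caddy"]
    return {
        "status": status,
        "origin": "upstream" if foreign else "caddy",
        "server": foreign[0] if foreign else None,
        # Only meaningful with log_credentials on; otherwise Caddy logs "REDACTED".
        "cookie_bytes": sum(len(v) for v in req.get("Cookie", [])),
        "request_header_bytes": header_bytes(req),
    }

def scan(lines):
    """Classify every parseable JSON line; skip blanks and non-JSON."""
    results = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        verdict = classify(entry) if isinstance(entry, dict) else None
        if verdict:
            results.append(verdict)
    return results

# Constructed sample log lines (not taken from the thread's real logs).
SAMPLE = [
    json.dumps({"msg": "handled request", "status": 502,
                "request": {"headers": {"Cookie": ["a=" + "A" * 3500]}},
                "resp_headers": {"Server": ["Caddy", "awselb/2.0"]}}),
    json.dumps({"msg": "upstream roundtrip", "status": 502,
                "request": {"headers": {"Cookie": ["REDACTED"]}},
                "headers": {"Server": ["awselb/2.0"]}}),
    json.dumps({"msg": "handled request", "status": 502,
                "request": {"headers": {}}, "resp_headers": {"Server": ["Caddy"]}}),
    json.dumps({"msg": "handled request", "status": 200,
                "request": {"headers": {}}, "resp_headers": {"Server": ["Caddy"]}}),
]

if __name__ == "__main__":
    for verdict in scan(SAMPLE):
        print(verdict)
```

Sorting the results by `request_header_bytes` shows whether the upstream-attributed 502s cluster above a particular size.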

Definitely not a problem with Caddy, then.

I’d hesitate to say Caddy can’t be used to help you fix the problem - depending on the yet-unknown nature of the actual core issue - but broadly speaking, there’s nothing to “fix” in Caddy itself. Nothing that Caddy is doing is specifically provoking this 502, as evidenced by the fact it was returned for your curl.

AWS ELB is returning the 502, indicating that it’s actually the upstream server behind it that’s malfunctioning for this kind of request. That’s the best place for you to start investigating.

Going with Francis’ suggestion would definitely be better practice regardless of whether it fixes your issue, too.

1 Like

Thanks for the suggestion. After checking the logs and doing additional troubleshooting, I found the issue was in our Django application header length. Once we increased the size of the header, the issue was resolved. Thanks a lot for your help :blush:

1 Like
