Retries for POST requests with body

violuke · April 13, 2024, 5:31pm

1. The problem I’m having:

Automatically retry POST requests (and all other HTTP verbs). In my testing GET requests are being correctly retried with no failures, but POST requests are not. POST requests are being properly retried if they don’t have a POST body, but with a body they are not. I believe the problem is related to buffering the post request bodies, but I’m not sure how to make that happen. Any help would be greatly appreciated. Thank you!

2. Error messages and/or full log output:

When the backend is down:

{"level":"error","ts":1713028574.890797,"logger":"http.log.error","msg":"readfrom tcp 172.18.0.13:48864->172.18.0.12:8000: http: invalid Read on closed Body","request":{"remote_ip":"10.0.10.1","remote_port":"51773","client_ip":"10.0.10.1","proto":"HTTP/1.1","method":"POST","host":"localhost","uri":"/dev/readiness-probe/","headers":{"User-Agent":["my-k6-user-agent"],"Content-Length":["31"]}},"duration":8.032010087,"status":502,"err_id":"m4he864dc","err_trace":"reverseproxy.statusError (reverseproxy.go:1267)"}

3. Caddy version:

2.7.6-alpine (docker)

4. How I installed and ran Caddy:

Docker compose

a. System environment:

Docker compose (Docker for Mac)

b. Command:

Docker compose

c. Service/unit/compose file:

  web:
    image: caddy:2.7.6-alpine
    container_name: breww-web
    volumes:
      - app:/app
      - ./_build/dev/caddy/Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config
    ports:
      - "80:80"
    depends_on:
      - app
    networks:
      - app-tier

d. My complete Caddy config:

{
	auto_https off
}

:80 {
	root * /app
	encode gzip
	header -Server

	reverse_proxy {
		to app:8000

		lb_retries 8
		lb_policy least_conn
		lb_try_interval 1s  # Enough for KeyDB to have replicated a POST requests response cache
		lb_try_duration 8s  # Keep less than the cache time in IdempotencyMiddleware
		lb_retry_match {
			method "GET" "HEAD" "OPTIONS" "TRACE" "POST" "PUT" "DELETE"
		}

		header_up Host {http.request.host}
		header_up X-Real-IP {http.request.remote.host}
		header_up X-Forwarded-For {http.request.header.x-forwarded-for}
		header_up X-Caddy-Request-ID {http.request.uuid}  # Used by IdempotencyMiddleware to return the original response again without processing it multiple times

		# I've tried adding buffer_requests here, which doesn't break config, but doesn't solve the problem
		# buffer_requests
	}
}

5. Links to relevant resources:

github.com/caddyserver/caddy

Proxy load balancing retry issues

opened 07:15AM - 19 Jul 21 UTC

francislavoie

discussion

There's a few different points to talk about here. --- Firstly -- I've bee…n playing around a bit with `lb_try_duration` and I think this doesn't necessarily always have the desired effect because of when the "duration" starts. The timer for `lb_try_duration` starts right when the [`reverse_proxy` module gets the request](https://github.com/caddyserver/caddy/blob/124ba1ba714220322c65625012c564f89b75bfc9/modules/caddyhttp/reverseproxy/reverseproxy.go#L399). This sounds fine in isolation, but if you consider that errors that might trigger retries might take a while to actually happen (e.g. dial timeout after Caddy's default of 10s -- more on that later) then it becomes hard to configure Caddy to only retry once or twice after a failure. It's probably undesirable to set an `lb_try_duration` of 15 seconds just to make sure the 10 second timeouts are caught and trigger retries. For example, try a config like this: ``` { debug } :7000 { reverse_proxy 10.0.0.255:80 :7001 { lb_policy first lb_try_duration 3s fail_duration 30s } } :7001 { respond "7001" } ``` Assuming `10.0.0.255:80` does not exist, this should trigger a dial timeout (default 10s). Trying it with `curl localhost:7000`, you see it hang for 10 seconds, then in the logs we get `ERROR dial tcp 10.0.0.255:80: i/o timeout`, and no fallback to `:7001` happens. If we increase `lb_try_duration` to `15s` instead, then we get a hang for 10 seconds then a successful fallback to `:7001` _does_ happen, and no error appear in the logs (but a DEBUG level log does appear for the initial error). There's a few different ways I can think of that this could be made better: - Make the try duration timer start from the time the first attempt fails, instead of the beginning of the request. This would mean that the amount of times a retry would happen would be easier to predict. This has some implications though, because not all errors take the same amount of time. If some errors happen fast, you don't want to cause a stampede of stacked retries when you have a busy server, so it would be better to be able to cap the amount of retries (because potentially, a 15s try duration with a 250ms interval has a potential of 15s/0.25s = 60 retries) - Implement a `lb_try_min_times <amount>` option which can complement or replace `lb_try_duration`; a minimum number of times to try to pick an upstream (default 1). If specified alongside `lb_try_duration`, then it should try again even if the duration has elapsed. This would make it possible to make slow errors at least attempt a retry, but still allow capping fast errors with the duration timer. This could still end up leading to long waits for the clients though if each retry take a long time (e.g. 10s for dial timeout, say with `lb_try_min_times 3` would mean a 30s wait if all upstreams are down, at worst). So obviously in these situations, the dial timeout is too long, so... - Reduce the default `http` transport's dial timeout from 10s to maybe 5s or even 2s. I'm sure this might have some implications for some potentially high latency scenarios, but you'd hope not. FWIW, [Envoy](https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/timeouts#tcp) uses a 5s default, [Traefik](https://doc.traefik.io/traefik/routing/services/#forwardingtimeoutsdialtimeout) uses a 30s default, [HAProxy](https://cbonte.github.io/haproxy-dconv/2.4/configuration.html#4-timeout%20connect) has no default but recommends >3s, with most examples in the docs at 5s. I wouldn't call this a complete solution, but it's "a start". --- As a note, Caddy currently retries all `DialError`, or _any_ error for GET requests by default (any error emitted by Caddy or the stdlib), and _does not_ retry any status code errors received from upstream (if the upstream returned a 502 response of its own or whatever). There is the `retry_match` mechanism (which is lacking Caddyfile support -- could probably be easily implemented) which allows for matching _requests_, but doesn't allow for retrying on specific kinds of responses unless `handle_response` is used which is kinda janky. It would be nice to have support for matching responses that should be retried. HAProxy has some interesting stuff on the topic of retries that we could take inspiration from: https://cbonte.github.io/haproxy-dconv/2.4/configuration.html#4-retries HAProxy also supports "connect-only" or "connect+tls" active checks -- this would be a nice-to-have for Caddy as well, since they're much lighter weight than actual HTTP health checks. HAProxy defaults to 2s interval for those. --- As an aside, issues https://github.com/caddyserver/caddy/issues/1545 and https://github.com/caddyserver/caddy/issues/4174 are related, e.g. Caddy doesn't use more than the first SRV backend when retrying because there's no state about selection kept for the lifetime of a request which would make it possible to try "lower priority" results of a DNS lookup. --- While investigating this, I noticed that keepalive defaults for the `http` transport only seem to apply [if no transport was configured](https://github.com/caddyserver/caddy/blob/master/modules/caddyhttp/reverseproxy/reverseproxy.go#L204). This seems like a bug; the keepalives should have defaults regardless. This means that if you configure `dial_timeout` to a shorter value like `2s` to work around the issues above, then you lose the keepalives altogether. This should be fixed, but didn't really warrant its own issue, so I'm mentioning it here for now.

Thank you for an amazing package and for your help!

francislavoie · April 13, 2024, 9:38pm

That’s not supported currently, because the entire request body would need to be buffered (buffering with the current implementation is chunked) and that is not done by default. The retry logic would need to be able to have access to the buffer and be able to rewind it before a retry.

Typically, POST retries are unsafe because the point at which the upstream app may have triggered an error may be after having already performed some write operation.

The better thing to do would be to implement retries at the client-side, where fancier logic could be implemented based on the error response.

Remove this stuff, this clobbers Caddy’s default header handling. Let Caddy do the right thing. reverse_proxy (Caddyfile directive) — Caddy Documentation

violuke · April 13, 2024, 9:43pm

Ah ok, thanks.

I appreciate that retrying POSTs is usually unsafe, but we’ve (in theory) implemented protection for this by leveraging header_up X-Caddy-Request-ID {http.request.uuid} to ensure that a cached response will be returned when a duplicate X-Caddy-Request-ID turns up within a short time of the original.

Will do! Not quite sure where they came from, to be honest, probably a bad example file I found online when we first started using Caddy.

francislavoie · April 13, 2024, 9:49pm

It’s probably not impossible to implement, but it’s not been a commonly requested feature so it doesn’t exist yet. If you’re willing to dig into the code, you could take a shot at it.

matt · April 22, 2024, 7:23pm

After investigating to see what it would take to implement this, I found out that the proxy is already capable of this, but I had to patch a bug by changing half a line of code first. Should work now.

github.com/caddyserver/caddy

lb_retries apparently not working

opened 12:46PM - 21 Apr 24 UTC

closed 07:21PM - 22 Apr 24 UTC

gottlike

bug

I'd like to be able to recreate/restart Docker services that are hooked into Cad…dy via `reverse_proxy` without downtime. Usually a (POST) request takes about 10 seconds to complete. My config is super simple: ``` example.com { log { format console output stdout } root * /srv file_server { precompressed br gzip } reverse_proxy /-/proxy1 http://docker_container1:9292 { lb_retries 3 lb_try_interval 1s } reverse_proxy /-/proxy2 http://docker_container2:9292 { lb_retries 3 lb_try_interval 1s } } ``` When running a bunch of requests and restarting the container before the responses were returned, I always get `502` errors, despite the `lb_retries` directive. The error messages look like this: ``` 2024/04/21 12:35:27.404 ERROR http.log.access.log0 handled request {"request": {"remote_ip": "62.153.218.40", "remote_port": "44362", "client_ip": "62.153.218.40", "proto": "HTTP/1.1", "method": "POST", "host": "example.com", "uri": "/-/proxy1", "headers": {"Accept-Encoding": ["gzip, compress, deflate, br"], "Connection": ["keep-alive"], "Accept": ["application/json, text/plain, */*"], "Content-Type": ["application/json"], "User-Agent": ["axios/1.6.7"], "Content-Length": ["67993"]}, "tls": {"resumed": true, "version": 772, "cipher_suite": 4865, "proto": "", "server_name": "example.com"}}, "bytes_read": 0, "user_id": "", "duration": 1.014601761, "size": 0, "status": 502, "resp_headers": {"Server": ["Caddy"], "Alt-Svc": ["h3=\":443\"; ma=2592000"]}} {"level":"error","ts":1713702927.4045582,"logger":"http.log.error.log0","msg":"readfrom tcp 172.18.0.2:34872->172.18.0.3:9292: http: invalid Read on closed Body","request":{"remote_ip":"62.153.218.40","remote_port":"44362","client_ip":"62.153.218.40","proto":"HTTP/1.1","method":"POST","host":"example.com","uri":"/-/proxy1","headers":{"Accept-Encoding":["gzip, compress, deflate, br"],"Connection":["keep-alive"],"Accept":["application/json, text/plain, */*"],"Content-Type":["application/json"],"User-Agent":["axios/1.6.7"],"Content-Length":["67993"]},"tls":{"resumed":true,"version":772,"cipher_suite":4865,"proto":"","server_name":"example.com"}},"duration":1.014601761,"status":502,"err_id":"cr390dupf","err_trace":"reverseproxy.statusError (reverseproxy.go:1267)"} ```

Let me know if it’s still not working!