Problem description

When I access my website that is protected by an Anti-DDoS Pro or Anti-DDoS Premium instance, 502 errors are returned.

Causes

After you add your website to an Anti-DDoS Pro or Anti-DDoS Premium instance, the instance acts as a reverse proxy for all requests to the website. If the instance receives no response or an invalid response from the origin server, it returns a 502 error to the client. A 502 error therefore indicates a connection issue between the instance and the origin server, not between the client and the instance. After you switch service traffic to the instance, the instance scrubs the traffic and forwards it to the origin server from its back-to-origin IP addresses. If these IP addresses are not added to the whitelist of the firewall on the origin server, the firewall may block the traffic from the instance, and your website becomes inaccessible. The issue is caused by one of the reasons described in the following section, together with the solution for each reason.

Solutions

The back-to-origin IP addresses of the instance are blocked or throttled

Allow the back-to-origin IP addresses of the instance on the origin server. You can use one of the following methods:
  • Obtain the back-to-origin CIDR blocks of Anti-DDoS Pro or Anti-DDoS Premium and add the CIDR blocks to the whitelist of your firewall or security software, such as Safedog, on the origin server. For more information, see Allow back-to-origin IP addresses to access the origin server.
    Note To use Anti-DDoS Pro or Anti-DDoS Premium to protect your website, we recommend that you add the back-to-origin IP addresses to the whitelist of the origin server. This ensures that the traffic from an Anti-DDoS Pro or Anti-DDoS Premium instance is not blocked by security software on your origin server.
  • Disable the firewall and security software on the origin server. This removes the protection that the firewall provides at the origin server, so use this method only to confirm that the firewall is the cause of the 502 errors, and then re-enable the firewall with the back-to-origin IP addresses in its whitelist.
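The following added example (not Alibaba Cloud code) shows what the whitelist looks like on the origin server side: it generates iptables rules that accept HTTP and HTTPS traffic only from the back-to-origin CIDR blocks, and it shows how an origin-side application should treat the X-Forwarded-For header, which is trustworthy only when the TCP peer is one of those addresses. The CIDR blocks, client addresses and the response text are placeholders from the documentation address ranges; replace BACK_TO_ORIGIN_CIDRS with the real back-to-origin CIDR blocks obtained from the Anti-DDoS Pro or Anti-DDoS Premium console.

```python
"""Origin-side allowlist and X-Forwarded-For handling for a website behind an
Anti-DDoS Pro or Anti-DDoS Premium instance (added example, not the product's code)."""
import ipaddress
from typing import List, Optional, Tuple

# Placeholder networks (RFC 5737 TEST-NET ranges). Replace them with the
# back-to-origin CIDR blocks shown in the Anti-DDoS console.
BACK_TO_ORIGIN_CIDRS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def iptables_allowlist(ports=(80, 443)) -> List[str]:
    """Build iptables commands that accept the given TCP ports only from the
    back-to-origin blocks and drop everything else on those ports.
    Assumes the INPUT chain has no earlier blanket ACCEPT for these ports and
    that management traffic (for example SSH) is handled by other rules."""
    rules = []
    for port in ports:
        for net in BACK_TO_ORIGIN_CIDRS:
            rules.append(f"iptables -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


def is_trusted_peer(peer_ip: str) -> bool:
    """True if the TCP peer is one of the instance's back-to-origin addresses."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in BACK_TO_ORIGIN_CIDRS)


def client_ip(peer_ip: str, xff_header: Optional[str]) -> str:
    """Recover the real client address from X-Forwarded-For.

    The instance appends the connecting client's address to the header, so the
    rightmost entry that is not a trusted proxy is the real client; anything to
    its left was supplied by the client itself and may be spoofed.  If the peer
    is not a back-to-origin address, the request did not come through the
    instance and the header must be ignored entirely."""
    if not is_trusted_peer(peer_ip) or not xff_header:
        return peer_ip
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted_peer(hop):
            return hop
    return peer_ip


def handle(peer_ip: str, xff_header: Optional[str]) -> Tuple[int, str]:
    """Application-level check: refuse connections that bypassed the instance."""
    if not is_trusted_peer(peer_ip):
        return 403, "direct access to the origin server is not allowed"
    return 200, client_ip(peer_ip, xff_header)


def app(environ, start_response):
    """Minimal WSGI wrapper around handle(), usable with any WSGI server."""
    status, body = handle(environ.get("REMOTE_ADDR", ""),
                          environ.get("HTTP_X_FORWARDED_FOR"))
    reason = "OK" if status == 200 else "Forbidden"
    start_response(f"{status} {reason}", [("Content-Type", "text/plain")])
    return [(body + "\n").encode()]


if __name__ == "__main__":
    for rule in iptables_allowlist():
        print(rule)
    # A spoofed X-Forwarded-For entry to the left of the real client is ignored.
    print(handle("203.0.113.10", "10.0.0.1, 192.0.2.55"))
    print(handle("192.0.2.55", "203.0.113.10"))
```

Run the printed iptables commands on the origin server as root (after replacing the placeholder blocks), and keep the whitelist in sync whenever the console lists new back-to-origin CIDR blocks. The same rule of trusting X-Forwarded-For only from the instance's addresses applies to access logs and rate limiting on the origin server.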

Origin server exceptions occur

When an origin server exception occurs, requests from the instance to the origin server time out. Origin server exceptions include the following types:
  • The IP address of the origin server is exposed and attacked. This causes the origin server to stop responding.
  • Failures occur in the data center where the origin server resides.
  • Website services, such as Apache and NGINX, on the origin server do not run as expected.
  • High memory usage or high CPU utilization on the origin server causes a sudden decrease in performance.
  • The uplinks of the origin server are congested.
You can use the following methods to troubleshoot the issue:
  1. Modify the local hosts file to resolve the domain name of your website directly to the IP address of the origin server, so that your requests bypass the instance, and then access the website.
    • If you cannot access the website this way and packet loss or connection timeouts occur, the issue is caused by an origin server exception. Troubleshoot the origin server first:
      • Ping the IP address of the origin server and check whether packet loss occurs.
      • Run the telnet command against the service port of the origin server to test port connectivity and check whether the connection times out.
    • If you can access the website this way, the origin server is reachable and the issue lies between the instance and the origin server. Check whether the configurations of the instance are correct, such as the origin server address and the ports configured for the website.
  2. Check whether a sudden increase in requests and traffic occurs on the origin server, and compare it with the request and traffic statistics in the Anti-DDoS Pro console. If the origin server is under volumetric attacks but the Anti-DDoS Pro or Anti-DDoS Premium console does not display exceptions, the attack traffic is not passing through the instance: attackers are bypassing it and sending traffic to the origin server directly. In this case, the IP address of the origin server has been exposed and attacked, which causes the origin server to stop responding. We recommend that you change the IP address of the origin server at the earliest opportunity. For more information, see Change the public IP address of an ECS origin server.
    Note
    • In normal cases, the client sends requests to the Anti-DDoS Pro or Anti-DDoS Premium instance, and the instance forwards the requests to the origin server. This way, all requests that the origin server processes come from the back-to-origin IP addresses of the instance, and the real IP address of the client is passed in the X-Forwarded-For HTTP header.
    • If the IP address of the origin server is exposed, clients, including attackers, can bypass the instance and access the origin server directly.
  3. If the issue is not caused by attacks, check the process status, CPU utilization, and memory usage of the origin server, and check the bandwidth usage of the data center. If exceptions occur, troubleshoot them based on your business requirements.
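The following added example (not Alibaba Cloud code) automates step 1 of the preceding procedure: it connects to the origin server's IP address directly, which has the same effect as editing the local hosts file, checks the service port the way telnet would, sends one HTTP request with the website's domain name in the Host header, and classifies the outcome into the branches described above. The origin IP address, domain name and ports are placeholders; pass your own values.

```python
"""Probe an origin server directly, bypassing the Anti-DDoS instance
(added example; the address and domain name below are placeholders)."""
import socket
import ssl
import time
from typing import Optional


def tcp_probe(ip: str, port: int, timeout: float = 3.0) -> dict:
    """Equivalent of `telnet <ip> <port>`: report open, refused, timeout or error."""
    start = time.monotonic()
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return {"status": "open",
                    "rtt_ms": round((time.monotonic() - start) * 1000, 1)}
    except socket.timeout:
        return {"status": "timeout"}
    except ConnectionRefusedError:
        return {"status": "refused"}
    except OSError as exc:  # unreachable network, bad address, and similar
        return {"status": "error", "detail": str(exc)}


def http_probe(origin_ip: str, host: str, port: int = 80, path: str = "/",
               tls: bool = False, timeout: float = 5.0) -> Optional[int]:
    """Send one HTTP/1.1 request to origin_ip with `Host: host` and return the
    status code, or None if the origin does not answer with a valid response.
    This is the hosts-file trick done in code: the TCP connection goes to the
    origin address while the request (and the TLS SNI) carries the domain name."""
    request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
               f"User-Agent: origin-probe\r\nConnection: close\r\n\r\n").encode()
    sock = None
    try:
        sock = socket.create_connection((origin_ip, port), timeout=timeout)
        if tls:
            ctx = ssl.create_default_context()
            # Only checking whether the origin answers; certificate validation
            # is not the question here, so it is deliberately disabled.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(request)
        head = b""
        while b"\r\n" not in head:
            chunk = sock.recv(1024)
            if not chunk:
                break
            head += chunk
        status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
        parts = status_line.split()
        if len(parts) >= 2 and parts[0].startswith("HTTP/"):
            return int(parts[1])
        return None  # not an HTTP response: the instance would also see this as invalid
    except (OSError, ValueError):
        return None
    finally:
        if sock is not None:
            sock.close()


def classify(tcp: dict, http_status: Optional[int]) -> str:
    """Map the probe results onto the troubleshooting branches of the article."""
    if tcp["status"] != "open":
        # Packet loss or timeout when bypassing the instance: origin server
        # exception (exposed and attacked, data center failure, congested uplink).
        return "origin_exception"
    if http_status is None or http_status >= 500:
        # The port answers but Apache/NGINX does not serve the site correctly.
        return "web_service_exception"
    # The origin serves the site directly: verify the website configuration
    # of the instance (origin address, ports, protocol) instead.
    return "check_instance_config"


def diagnose(origin_ip: str, host: str, port: int = 443, tls: bool = True) -> dict:
    tcp = tcp_probe(origin_ip, port)
    status = http_probe(origin_ip, host, port=port, tls=tls) if tcp["status"] == "open" else None
    return {"tcp": tcp, "http_status": status, "verdict": classify(tcp, status)}


if __name__ == "__main__":
    # Placeholders: use the real origin IP address and website domain name.
    print(diagnose("192.0.2.10", "www.example.com"))
```

Run the script from a host outside the origin server's data center so that the path it tests resembles the path from the instance. A verdict of check_instance_config means the origin is healthy and the 502 errors come from the forwarding configuration or from the whitelist issue described in the previous section.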

Network congestion or jitter occurs

In addition to the preceding causes, occasional network jitter or line failures on the link between the instance and the origin server may also cause 502 errors. These errors are transient and disappear when the network recovers; if they persist, troubleshoot the preceding causes.

References

Applicable scope

Anti-DDoS Pro and Anti-DDoS Premium

If the issue persists, you can log on to Alibaba Cloud Community for free consultation. For more information, see Free consultation.