Problem description
When I access my website that is protected by an Anti-DDoS Pro or Anti-DDoS Premium instance, 502 errors are returned.
Causes
After you add your website to the Anti-DDoS Pro or Anti-DDoS Premium instance, the
instance is used as a proxy to process requests. If the instance receives invalid
responses from the origin server, 502 errors are returned. The 502 errors indicate
that a connection issue exists between the instance and the origin server. After you
switch service traffic to the instance, the instance scrubs the traffic and uses back-to-origin
IP addresses to forward the traffic to the origin server. If the back-to-origin IP
addresses are not added to the whitelist of your firewall, the traffic from the instance
may be blocked. This results in a failure to access your website. This issue occurs
because of one of the following reasons:
Solutions
Back-to-origin IP addresses of the instance are blocked or subject to throttling
You need only allow the back-to-origin IP addresses of the instance on the origin
server. You can use one of the following methods to allow the back-to-origin IP addresses
of the instance on the origin server:
- Obtain the back-to-origin CIDR blocks of Anti-DDoS Pro or Anti-DDoS Premium and add
the CIDR blocks to the whitelist of your firewall or security software, such as Safedog,
on the origin server. For more information, see Allow back-to-origin IP addresses to access the origin server.
Note
To use Anti-DDoS Pro or Anti-DDoS Premium to protect your website, we recommend that you add the back-to-origin IP addresses to the whitelist of the origin server. This ensures that the traffic from an Anti-DDoS Pro or Anti-DDoS Premium instance is not blocked by security software on your origin server.
- Disable the firewall and security software on the origin server.
Origin server exceptions occur
When an origin server exception occurs, the request from the instance to the origin
server times out. Origin server exceptions include the following types:
- The IP address of the origin server is exposed and attacked. This causes the origin server to stop responding.
- Failures occur in the data center where the origin server resides.
- Website services, such as Apache and NGINX, on the origin server do not run as expected.
- High memory usage or high CPU utilization on the origin server causes a sudden decrease in performance.
- The uplinks of the origin server are congested.
You can use the following methods to troubleshoot the issue:
- Modify the local hosts file to resolve the domain name of your website to the IP address of the origin server. Then perform the following checks:
  - Ping the IP address of the origin server and check whether packet loss occurs.
  - Run the telnet command to test port connectivity and check whether connection timeout occurs.
  - If you can access the domain name by using the IP address of the origin server, check whether the configurations of the instance are correct.
  - If you cannot access the domain name by using the IP address of the origin server
  and packet loss or connection timeout occurs, the issue is caused by origin server
  exceptions. You can troubleshoot the origin server exceptions and further troubleshoot
  the issue.
- Check whether a sudden increase in requests and traffic occurs on the origin server
and view the request and traffic statistics in the Anti-DDoS Pro console. If the origin server is under volumetric attacks but the Anti-DDoS Pro or Anti-DDoS
Premium console does not display exceptions, attackers may bypass the instance and
attack the origin server. In this case, the IP address of the origin server may be
exposed and attacked. This causes the origin server to stop responding. We recommend
that you change the IP address of the origin server at the earliest opportunity. For
more information, see Change the public IP address of an ECS origin server.
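The hosts-file, ping and telnet checks above can be scripted so that the same decision (origin exception versus instance configuration) is reproducible. The following is an added example written for this page, not Alibaba Cloud code: it connects straight to the origin IP while keeping the website's domain in the Host header, which is what editing the local hosts file achieves, and it treats a TCP timeout or refusal the way the text treats packet loss or connection timeout. The origin IP, port and domain name are constructed placeholders, plain HTTP is assumed, and `start_local_origin` is a stand-in origin server included only so the example runs offline.

```python
"""Origin-reachability probe: scripted form of the hosts-file / ping / telnet checks.
Added example; the addresses and names are constructed placeholders."""
import http.client
import http.server
import socket
import threading


def tcp_port_open(ip, port, timeout=3.0):
    """Equivalent of `telnet <ip> <port>`: True when the TCP handshake completes within
    the timeout, False on refusal or timeout (the doc's packet loss / timeout case)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_probe(ip, port, host_header, path="/", timeout=5.0):
    """Equivalent of the hosts-file trick: send the request directly to the origin IP but
    keep the website's domain in the Host header so the origin's virtual host matches.
    Returns the HTTP status code, or None when the connection fails or times out."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host_header})
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def diagnose(ip, port, host_header):
    """Map the probe results onto the two outcomes the troubleshooting steps describe."""
    if not tcp_port_open(ip, port):
        return "origin-exception"       # no TCP connectivity: look at the origin server
    status = http_probe(ip, port, host_header)
    if status is None or 500 <= status <= 599:
        return "origin-exception"       # web service on the origin is not responding
    return "check-instance-config"      # origin answers directly: review the instance


def start_local_origin():
    """Constructed stand-in for an origin server so the example runs offline.
    Returns (server, port); call server.shutdown() when done."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")

        def log_message(self, *args):   # keep the probe output quiet
            pass

    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def unused_local_port():
    """Constructed helper: a port on which nothing listens, to show the failure path."""
    with socket.socket() as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]


if __name__ == "__main__":
    server, port = start_local_origin()
    # Placeholder domain; in practice use the domain added to the instance.
    print("healthy origin:", diagnose("127.0.0.1", port, "www.example.com"))
    server.shutdown()
    print("dead origin:", diagnose("127.0.0.1", unused_local_port(), "www.example.com"))
```

Run it against the real origin IP from a host outside the data center, since the point of the check is to bypass the instance the way a client with a modified hosts file would; a `check-instance-config` result with the origin reachable means the 502 is not an origin exception.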
Note
- In normal cases, the client sends requests to the Anti-DDoS Pro or Anti-DDoS Premium instance. The instance receives the requests and then sends the requests to the origin server. This way, the origin server processes all requests from the back-to-origin IP address of the instance. The IP address of the client is passed in the X-Forwarded-For field of the HTTP header.
- If the IP address of the origin server is exposed, the client can bypass the instance and access the origin server.
- If the issue is not caused by attacks, check the process status, CPU utilization, and memory usage of the origin server, and check the bandwidth usage of the data center. If exceptions occur, we recommend that you troubleshoot the exceptions based on actual business conditions.
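The whitelist method in the Solutions section and the X-Forwarded-For note above depend on the same fact: the origin should accept connections only from the instance's back-to-origin CIDR blocks, and the X-Forwarded-For value is meaningful only when the connecting peer is one of those addresses. The following is an added example, not Alibaba Cloud code, that applies both rules on the origin side. The CIDR blocks are constructed placeholders standing in for the real back-to-origin CIDR blocks obtained from the console, and the header parsing assumes the instance appends the client address it observed to the end of X-Forwarded-For, as proxies conventionally do.

```python
"""Origin-side allowlist and client-IP recovery for traffic via the instance.
Added example; the CIDR blocks below are constructed placeholders."""
import ipaddress

# Placeholders for the instance's back-to-origin CIDR blocks (take the real list
# from the Anti-DDoS Pro / Anti-DDoS Premium console).
BACK_TO_ORIGIN_CIDRS = ["192.0.2.0/24", "198.51.100.0/24"]


def build_allowlist(cidrs):
    """Parse CIDR strings once so membership checks are cheap."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def from_instance(peer_ip, allowlist):
    """True when the TCP peer is one of the back-to-origin addresses."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in allowlist)


def client_ip(peer_ip, xff_header, allowlist):
    """Return (client_ip, via_instance).

    Only a request whose peer is a back-to-origin address has a trustworthy
    X-Forwarded-For; for any other peer the header is ignored and the peer itself is
    reported with via_instance=False, which is the bypass case the note describes
    (origin IP exposed). Entries are walked right to left, skipping the instance's own
    addresses, so the first address that is not the instance is the client.
    """
    if not from_instance(peer_ip, allowlist):
        return peer_ip, False
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                   # malformed entry: stop and fall back to the peer
        if not any(addr in net for net in allowlist):
            return str(addr), True
    return peer_ip, True


def iptables_rules(cidrs, ports=(80, 443)):
    """One way to express the whitelist for a Linux host firewall: accept the
    back-to-origin blocks on the web ports and drop everything else on those ports.
    Returned as strings so they can be reviewed before being applied."""
    rules = []
    for port in ports:
        for cidr in cidrs:
            rules.append(f"iptables -A INPUT -p tcp --dport {port} -s {cidr} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    allow = build_allowlist(BACK_TO_ORIGIN_CIDRS)
    # Constructed sample requests: one via the instance, one hitting the origin directly.
    print(client_ip("192.0.2.10", "203.0.113.5, 192.0.2.11", allow))
    print(client_ip("203.0.113.77", "203.0.113.5", allow))
    print("\n".join(iptables_rules(BACK_TO_ORIGIN_CIDRS)))
```

A direct hit on the origin (via_instance is False) is worth logging and counting: a sustained volume of such requests is the signal, described above, that the origin IP is exposed and should be changed.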
Network congestion or jitter occurs
Apart from the preceding causes, occasional local network jitter and line failures may also cause 502 errors.
References
Applicable scope
Anti-DDoS Pro and Anti-DDoS Premium
If the issue persists, you can log on to Alibaba Cloud Community for free consultation. For more information, see Free consultation.