This topic describes the common causes of and solutions to 502 errors on websites protected by Anti-DDoS Pro or Anti-DDoS Premium.

Back-to-origin IP addresses of an Anti-DDoS Pro or Anti-DDoS Premium instance are blocked or subject to throttling

Cause:

If you configure an Anti-DDoS Pro or Anti-DDoS Premium instance, the instance serves as a proxy between the client and the origin server and masks the IP address of the origin server.

The client sends requests to the Anti-DDoS Pro or Anti-DDoS Premium instance. The instance receives the requests and then sends the requests to the origin server. This way, the origin server processes all requests from the back-to-origin IP address of the instance. The IP address of the client is passed in the X-Forwarded-For field of the HTTP header. If the IP address of the origin server is exposed, the client can bypass the Anti-DDoS Pro or Anti-DDoS Premium instance and access the origin server.

If you do not configure an Anti-DDoS Pro or Anti-DDoS Premium instance, the origin server receives requests from the IP addresses of many different clients. These IP addresses are distinct and dynamic, and if no attacks are launched against your services, each source IP address sends only a small number of requests. After you configure an Anti-DDoS Pro or Anti-DDoS Premium instance, the origin server receives all requests from a limited number of fixed back-to-origin CIDR blocks. Each back-to-origin IP address therefore forwards far more requests than any single client would send. As a result, the back-to-origin IP addresses may be regarded as malicious. If DDoS mitigation policies are configured on the origin server, the back-to-origin IP addresses may be blocked or subject to throttling.

Solution:

You only need to allow the back-to-origin IP addresses of the Anti-DDoS Pro or Anti-DDoS Premium instance on the origin server. You can use one of the following methods:
  • Obtain the back-to-origin CIDR blocks of the Anti-DDoS Pro or Anti-DDoS Premium instance and add them to a whitelist of the firewall or security software, such as Fortinet, on the origin server. For more information, see Allow back-to-origin IP addresses to access the origin server.
  • Disable the firewall and security software on the origin server.
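To make the cause above concrete, the following is an added Python example (not from the Anti-DDoS Pro or Anti-DDoS Premium documentation) that shows what a per-source-IP policy on the origin server sees once all traffic arrives from a few back-to-origin addresses, how to attribute the same requests to the real clients through X-Forwarded-For, and how to spot requests that bypassed the instance. The CIDR blocks and log records are constructed placeholders; the rightmost-entry rule for X-Forwarded-For assumes the instance is the only proxy in front of the origin server.

```python
import ipaddress
from collections import Counter
from typing import Optional

# Placeholder CIDR blocks standing in for the instance's real back-to-origin
# ranges; take the real list from the Anti-DDoS Pro or Anti-DDoS Premium console.
BACK_TO_ORIGIN_CIDRS = [ipaddress.ip_network("198.51.100.0/24"),
                        ipaddress.ip_network("203.0.113.0/24")]

def is_back_to_origin(src_ip: str) -> bool:
    """True if the request reached the origin server through the instance."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in BACK_TO_ORIGIN_CIDRS)

def client_ip(src_ip: str, xff: Optional[str]) -> str:
    """Address that a per-client policy on the origin server should count.

    Each proxy appends the address it received the request from, so with the
    instance as the only trusted proxy the client is the rightmost entry of
    X-Forwarded-For. The header is honoured only when the request arrived from
    a back-to-origin address: a client that reaches the exposed origin server
    directly can put anything in it.
    """
    if xff and is_back_to_origin(src_ip):
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        if hops:
            return hops[-1]
    return src_ip

def per_source_counts(records) -> Counter:
    """What a per-source-IP limit on the origin server sees: a few busy addresses."""
    return Counter(src for src, _ in records)

def per_client_counts(records) -> Counter:
    """The same traffic attributed to the real clients."""
    return Counter(client_ip(src, xff) for src, xff in records)

def direct_origin_hits(records) -> list:
    """Sources that bypassed the instance: a sign that the origin IP address is exposed."""
    return sorted({src for src, _ in records if not is_back_to_origin(src)})

# Constructed sample records: (source IP seen by the origin server, X-Forwarded-For).
SAMPLE_RECORDS = [
    ("198.51.100.7", "192.0.2.10"),
    ("198.51.100.7", "192.0.2.11"),
    ("198.51.100.8", "192.0.2.12"),
    ("198.51.100.7", "192.0.2.10"),
    ("203.0.113.5", "10.0.0.9, 192.0.2.13"),  # forged hop, then the real client
    ("192.0.2.50", "198.51.100.7"),           # direct hit with a forged header
]
```

Run `per_source_counts(SAMPLE_RECORDS)` to see one back-to-origin address carrying most of the requests, and `per_client_counts(SAMPLE_RECORDS)` to see the same traffic spread over the real clients.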

Origin server exceptions occur and the response from the origin server times out

Common origin server exceptions include:
  • The IP address of the origin server is exposed and attacked. This causes the origin server to stop responding.
  • Failures occur in the data center where the origin server resides.
  • Website services, such as Apache and NGINX, on the origin server are abnormal.
  • High memory usage or high CPU utilization on the origin server causes a sharp decrease in performance.
  • The uplinks of the origin server are congested.

Problem identification:

Modify the local hosts file so that the domain name resolves to the IP address of the origin server, and then access the domain name directly. If you cannot access the domain name through the IP address of the origin server, and a ping to that IP address shows packet loss or a Telnet connection to the service port times out, the 502 errors are caused by origin server exceptions.

Solution:

  1. Check whether a sharp increase in requests and traffic occurs on the origin server, and compare it with the request and traffic statistics in the Anti-DDoS Pro console. If the origin server is under volumetric attack but the Anti-DDoS Pro or Anti-DDoS Premium console shows no exceptions, attackers may have bypassed the instance and are attacking the origin server directly. In this case, we recommend that you change the IP address of the origin server at your earliest convenience. For more information, see Change ECS IP.
  2. If 502 errors are not caused by attacks, check the process status, CPU utilization, and memory usage of the origin server, and bandwidth usage of the data center. If exceptions occur, we recommend that you contact the server technical support or data center personnel to help you fix the exceptions.
  3. If 502 errors occur only on a small number of clients, we recommend that you submit a ticket that includes the IP addresses of the affected clients and the time when the errors occurred. The after-sales technical support is available to help you fix the issue.

Network congestion or jitter occurs

Apart from the preceding two causes, occasional local network jitter and line failures may also cause 502 errors. You can submit a ticket to report this issue. The after-sales technical support provides the link quality monitoring information.