Problem
When I access my website protected by an Anti-DDoS Proxy instance, 502 errors are returned.
Causes and solutions
After adding your website to an Anti-DDoS Proxy instance, the instance serves as a proxy to process requests. If the instance receives invalid responses from the origin server, 502 errors occur. These errors indicate a connection issue between the instance and the origin server.
Possible cause 1: Back-to-origin IP addresses of the instance are blocked or subject to throttling
After you route service traffic through the instance, it scrubs the traffic and uses back-to-origin IP addresses to forward clean traffic to the origin server. If these back-to-origin IP addresses are not added to your firewall's whitelist, traffic from the instance may be blocked, resulting in website access failure.
Obtain the back-to-origin CIDR blocks of Anti-DDoS Proxy and add them to the whitelist of your firewall or security software on the origin server. For more information, see Allow back-to-origin IP addresses to access the origin server.
Possible cause 2: Origin server exceptions occur
When an origin server exception occurs, requests from the instance to the origin server time out. Origin server exceptions include the following:
The origin server IP address is exposed and attacked, causing the server to stop responding.
Failures in the data center where the origin server resides.
Website services on the origin server, such as Apache and NGINX, not running properly.
High memory usage or CPU utilization on the origin server causing performance degradation.
Congested uplinks on the origin server.
You can troubleshoot using these methods:
Modify your local hosts file to resolve your website's domain name directly to the origin server IP address, bypassing the Anti-DDoS instance to verify if the origin server is available.
Test result: Failed to access the origin server IP address
Description: The issue is with the origin server itself. Check the following:
Check network connectivity: Refer to Analyze network links using the MTR tool to verify if the network link from your local device to the origin server IP address is functioning properly.
Check port connectivity: Use the telnet command to test port connectivity and verify if the service port is enabled on the origin server.
Test result: Successfully accessed the origin server IP address
Description: Verify if there is an abnormal configuration in the Anti-DDoS Proxy instance.
Check whether there is a sudden increase in requests and traffic on the origin server to determine if the origin server IP address is exposed to DDoS attacks.
Compare with the monitoring data in the Anti-DDoS Proxy console. If the origin server is experiencing volumetric DDoS attacks but the console shows no exceptions, attackers might be bypassing the instance and attacking the origin server directly. The origin server IP address may be exposed. We recommend that you change the static public IP address.
Note: In normal cases, clients send requests to the Anti-DDoS Proxy instance. The instance receives these requests and forwards them to the origin server. This way, the origin server processes all requests from the back-to-origin IP addresses of the instance. The client IP address is passed in the X-Forwarded-For field of the HTTP header.
If the origin server IP address is exposed, clients can bypass the instance and access the origin server directly.
Check the CPU and memory usage, bandwidth monitoring, and service process status on the origin server. If exceptions are found, we recommend troubleshooting based on your needs.
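The bypass described in the note above can be checked from the origin server's access log. The following is an added example, not part of the original documentation: it flags requests whose TCP peer address falls outside the back-to-origin CIDR blocks. The CIDR blocks, the log format, and the sample lines are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Placeholder CIDR blocks (RFC 5737 documentation ranges); replace with the
# back-to-origin CIDR blocks published for your Anti-DDoS Proxy instance.
BACK_TO_ORIGIN_CIDRS = ["198.51.100.0/24", "203.0.113.0/25"]

# Constructed sample in an assumed log format: TCP peer IP first,
# X-Forwarded-For as the last quoted field.
SAMPLE_LOG = '''\
198.51.100.17 - - [10/May/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "192.0.2.44"
203.0.113.9 - - [10/May/2024:10:00:02 +0000] "GET /login HTTP/1.1" 200 734 "192.0.2.81"
192.0.2.200 - - [10/May/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-"
192.0.2.200 - - [10/May/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-"
203.0.113.130 - - [10/May/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "10.0.0.1"
not a log line
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*"$')


def find_direct_hits(log_text, proxy_cidrs):
    """Return (requests via proxy, Counter of bypassing peer IPs, unparsed lines)."""
    networks = [ipaddress.ip_network(c) for c in proxy_cidrs]
    via_proxy, direct, skipped = 0, Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        try:
            peer = ipaddress.ip_address(m.group(1))
        except ValueError:
            skipped += 1
            continue
        # Trust only the TCP peer address. X-Forwarded-For is client-controlled
        # on a direct connection, so it cannot prove the request was proxied.
        if any(peer in net for net in networks):
            via_proxy += 1
        else:
            direct[str(peer)] += 1
    return via_proxy, direct, skipped


if __name__ == "__main__":
    proxied, direct, skipped = find_direct_hits(SAMPLE_LOG, BACK_TO_ORIGIN_CIDRS)
    print(f"via proxy: {proxied}, unparsed: {skipped}")
    print("direct hits:", dict(direct))
```

Any peer address reported as a direct hit reached the origin server without passing through the instance, which indicates that the origin server IP address is exposed.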
Possible cause 3: Connection timeout configuration issues
The idle connection timeout settings between the Anti-DDoS Proxy and the origin server do not match. If the timeout on the origin server is shorter than that on the Anti-DDoS instance, the origin server will close the connection first while the Anti-DDoS instance still considers it valid, leading to 502 errors for subsequent requests.
To resolve this, adjust the idle connection timeout on the origin server so that it is greater than or equal to the setting on the Anti-DDoS Proxy instance.
Possible cause 4: Network congestion or jitter
Beyond the causes mentioned above, occasional local network jitter and carrier line failures may also result in 502 errors.
Reference
How do I resolve 504 errors on websites that are protected by Anti-DDoS Pro or Anti-DDoS Premium?