Problem description

After you configure Anti-DDoS Pro or Anti-DDoS Premium, a 502 error message appears when you access the website.

Cause

A 502 error is returned when the Anti-DDoS Pro or Anti-DDoS Premium instance, acting as a reverse proxy for the request, receives an invalid response from the upstream (origin) server. The error therefore indicates a problem on the connection between the instance and the origin. After the website is switched to Anti-DDoS Pro or Anti-DDoS Premium, normal access traffic is scrubbed by the instance and forwarded to the origin server from the back-to-origin IP addresses of the instance. If those back-to-origin IP addresses are not in the whitelist of your firewall, the traffic from Anti-DDoS Pro or Anti-DDoS Premium may be blocked, and the website becomes inaccessible. The possible causes of the error, and how to handle each, are as follows:

Solutions

Back-to-origin IP addresses of an Anti-DDoS Pro or Anti-DDoS Premium instance are blocked or subject to throttling

To resolve 502 errors of this kind, allow all back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium on the origin server. You can do so in the following two ways:
  • See the Anti-DDoS Pro documentation on back-to-origin IP addresses to obtain the back-to-origin CIDR blocks of Anti-DDoS Pro or Anti-DDoS Premium, then add them to the whitelist of the origin server's firewall, host security software (such as Safedog), and ECS security group. The change takes effect immediately.
    Note: When you enable Anti-DDoS Pro or Anti-DDoS Premium for your website, we recommend that you allow the back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium so that back-to-origin traffic is not blocked by security software on the origin server.
  • Disable the firewall and security software on the origin server.

An exception occurred on the origin site itself.

If an exception occurs on the origin server itself, the origin server's response to the request from Anti-DDoS Pro or Anti-DDoS Premium times out. Origin server exceptions include the following conditions:

  • The IP address of the origin server is exposed and attacked. This causes the origin server to stop responding.
  • Failures occur in the data center where the origin server resides.
  • Website services, such as Apache and NGINX, on the origin server are abnormal.
  • High memory usage or high CPU utilization on the origin server causes a sharp decrease in performance.
  • The uplinks of the origin server are congested.

You can use the following methods to troubleshoot and handle the problem:

  1. Modify the local hosts file so that the domain name resolves to the origin IP address, then access the website directly.
    • If the origin server cannot be accessed directly through the origin IP address, or packet loss or timeouts occur, the origin server has an exception. Fix the exception based on the actual situation of the origin server, then proceed to the next step for troubleshooting.
    • If access through the origin IP address is normal, check whether the Anti-DDoS Pro or Anti-DDoS Premium instance is abnormal.
  2. Check whether the traffic and requests from the origin server have increased significantly. Compare the monitoring data in the Anti-DDoS Pro console. Attackers may bypass the Anti-DDoS Pro or Anti-DDoS Premium instance and attack the origin server. This can occur if the origin server is under volumetric attacks but the Anti-DDoS Pro or Anti-DDoS Premium console shows no exceptions. In this case, the origin IP address may be exposed and paralyzed by malicious attacks. We recommend that you replace the origin IP address as soon as possible. For more information, see Change the public IP address of an ECS instance.
    Note:
    • The client sends requests to the Anti-DDoS Pro or Anti-DDoS Premium instance. The instance receives the requests and forwards them to the origin server. As a result, the origin server sees all requests as coming from the back-to-origin IP addresses of the instance; the IP address of the real client is carried in the X-Forwarded-For field of the HTTP header.
    • If the origin IP address is exposed, the client can directly request to access the origin server. This bypasses the protection provided by Anti-DDoS Pro or Anti-DDoS Premium.
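The two notes above describe what the origin server sees once it sits behind Anti-DDoS Pro or Anti-DDoS Premium: every request arrives from a back-to-origin address, and the real client address is in X-Forwarded-For. The following Python example is added here and is not part of the original article or of any Alibaba Cloud code; it shows an origin-side check that (a) recognizes requests from the back-to-origin CIDR blocks (the same list you whitelist on the firewall in the first solution), (b) recovers the client IP from X-Forwarded-For only when the TCP peer is a trusted back-to-origin address, so a client-supplied header cannot spoof the address, and (c) counts direct hits that bypass the instance, which is the symptom of an exposed origin IP address. The CIDR blocks and the access-log lines are constructed placeholders; substitute the real back-to-origin CIDR blocks published for your instance.

```python
import ipaddress

# Constructed placeholder CIDR blocks (TEST-NET ranges). Replace with the real
# back-to-origin CIDR blocks of your Anti-DDoS Pro / Premium instance.
BACK_TO_ORIGIN_CIDRS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def is_back_to_origin(addr: str) -> bool:
    """True if addr belongs to one of the back-to-origin CIDR blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BACK_TO_ORIGIN_CIDRS)


def client_ip_from_xff(remote_addr: str, xff: str = "") -> str:
    """Return the real client address for a request.

    X-Forwarded-For is only trusted when the TCP peer (remote_addr) is a
    back-to-origin address. The list is walked from the right, skipping trusted
    proxy hops, so that a prefix the client itself injected is never used.
    Any malformed entry makes us fall back to the peer address.
    """
    if not is_back_to_origin(remote_addr) or not xff:
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr
        if not is_back_to_origin(hop):
            return hop
    return remote_addr


def classify_request(remote_addr: str, xff: str = ""):
    """Label a request as forwarded by the instance or as a direct origin hit."""
    if is_back_to_origin(remote_addr):
        return ("via_antiddos", client_ip_from_xff(remote_addr, xff))
    return ("direct_origin_hit", remote_addr)


# Constructed access-log sample: "<peer> <xff or -> <method> <path> <status>".
SAMPLE_ACCESS_LOG = """\
203.0.113.10 192.0.2.7 GET / 200
203.0.113.11 10.9.9.9,192.0.2.8,203.0.113.30 GET /login 200
192.0.2.99 - GET / 502
192.0.2.99 - GET / 502
"""


def summarize(log_text: str) -> dict:
    """Count forwarded vs. direct requests and list the direct sources.

    Direct hits mean the origin IP address is reachable without the instance,
    i.e. the origin address is exposed (step 2 of the troubleshooting steps).
    """
    result = {"via_antiddos": 0, "direct_origin_hit": 0, "direct_sources": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        peer, xff, _method, _path, _status = line.split()
        kind, addr = classify_request(peer, "" if xff == "-" else xff)
        result[kind] += 1
        if kind == "direct_origin_hit" and addr not in result["direct_sources"]:
            result["direct_sources"].append(addr)
    return result


if __name__ == "__main__":
    print(summarize(SAMPLE_ACCESS_LOG))
```

In the sample, the second line shows why the header is walked from the right: the client-supplied `10.9.9.9` is ignored and `192.0.2.8`, the first address not belonging to a trusted hop, is taken as the client. The two `192.0.2.99` lines are direct hits that never passed through the instance, so their 502s are not an Anti-DDoS problem but a sign that the origin address is exposed.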

  3. After removing the cause of the attack, you can view the CPU and memory usage, bandwidth monitoring, and process status of services on the origin server. If there is an exception, repair it according to the actual exception on site.
  4. If a 502 error occurs only on an individual client, we recommend that you collect the IP address of the client and the time at which the exception occurred, and submit a ticket. Alibaba Cloud technical support will compare the relevant logs to assist you in troubleshooting.
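Step 1 of the procedure above tests the origin server directly, bypassing the Anti-DDoS Pro or Anti-DDoS Premium instance, to decide whether the 502 comes from the origin or from the instance. The following Python example is added here and is not part of the original article or of any Alibaba Cloud code. Instead of editing the hosts file, it connects to the origin IP address and sends the website's Host header explicitly, then classifies the outcome the way the step does: a timeout, refused connection or unreachable host means the origin has an exception; a 5xx from the origin points at the web service itself (the Apache or NGINX case listed above); a normal response means the origin is fine and the instance should be checked next. The origin address, port and host name are parameters you supply; `start_test_origin` is a constructed local stand-in for an origin server so the probe can be exercised offline.

```python
import http.client
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def probe_origin(origin_ip, port, host_header, path="/", timeout=5.0):
    """Request `path` straight from the origin IP, carrying the site's Host header.

    Returns (verdict, detail, elapsed_seconds). Verdicts map onto step 1:
      origin_ok            -> origin reachable, check the Anti-DDoS instance next
      origin_server_error  -> origin answered 5xx, web service on the origin is abnormal
      bad_response         -> origin closed the connection or sent a malformed reply
      timeout / refused / unreachable -> origin exception (packet loss, down, congested)
    """
    start = time.monotonic()
    try:
        conn = http.client.HTTPConnection(origin_ip, port, timeout=timeout)
        conn.request("GET", path, headers={"Host": host_header})
        resp = conn.getresponse()
        resp.read()
        status = resp.status
        conn.close()
        verdict = "origin_server_error" if status >= 500 else "origin_ok"
        return (verdict, status, time.monotonic() - start)
    except socket.timeout:
        return ("timeout", None, time.monotonic() - start)
    except http.client.HTTPException as exc:
        return ("bad_response", type(exc).__name__, time.monotonic() - start)
    except ConnectionRefusedError:
        return ("refused", None, time.monotonic() - start)
    except OSError as exc:
        return ("unreachable", str(exc), time.monotonic() - start)


# --- Constructed local stand-in for an origin server (test fixture only) ---
class _FakeOrigin(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/slow":       # simulates an overloaded origin
            time.sleep(1.0)
        if self.path == "/broken":     # simulates a failing web service
            self.send_response(502)
        else:
            self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):      # keep the example quiet
        pass


def start_test_origin():
    """Start the fake origin on a free localhost port; returns (server, port)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _FakeOrigin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def free_port():
    """Pick a port nothing is listening on, to demonstrate a refused connection."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, port = start_test_origin()
    for path in ("/", "/broken", "/slow"):
        print(path, probe_origin("127.0.0.1", port, "www.example.com", path, timeout=0.3))
    print("closed port", probe_origin("127.0.0.1", free_port(), "www.example.com"))
    srv.shutdown()
```

Against a real deployment, call `probe_origin` with the origin's public IP address, port 80 or 443 as appropriate, and the website's domain name as `host_header`; compare the elapsed time and verdict with what the Anti-DDoS Pro or Anti-DDoS Premium console reports for the same period.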

Network congestion or jitter occurs.

After the two causes above have been ruled out, occasional local network jitter, carrier line failures and similar factors may also cause 502 errors. You can submit a ticket and provide link quality monitoring information for analysis.

Applicable scope

  • Anti-DDoS Pro/Premium