Linux Access Gateway returns 502 'mal-formed request from origin server' error talking to Oracle Application Server

  • 7001819
  • 07-Nov-2008
  • 26-Apr-2012

Environment

Novell Access Manager 3 Linux Access Gateway
Novell Access Manager 3 Support Pack 4 applied
Problem occurs when proxying Oracle Application Server 10.1.3.3 and 10.1.3.4
Problem does not appear when proxying Oracle Application Server 10.1.2.x and older
Oracle Application Server has SSL enabled

Situation

Linux Access Gateway (LAG) is configured to proxy multiple back-end Web servers. Authentication is required when communicating with the proxy resources, and all works well for most resources. When communicating with a back-end Oracle Application Server on Linux running version 10.1.3.x, users report '502 Bad Gateway' errors in the browser with the message:

'Mal-formed request from origin server'

After setting the DEBUG flag in /etc/laglogs.conf to 7 and restarting the LAG services, the /var/log/ics_dyn.log file shows that the proxy does send the GET request to the back-end Web server, but the Web server fails to respond. When the back-end server has failed to respond after 4 retries, the Mal-formed error message is sent back to the browser. The ics_dyn.log entries look similar to:

Sep 12 10:32:41 lag31dub : AM#504503000: AMDEVICEID#ag-: AMAUTHID#0: AMEVENTID#1: connecting to webserver 204.90.20.163:443 74db37de gotcookie use browser's binding
Sep 12 10:32:41 lag31dub : AM#504515000: AMDEVICEID#ag-: AMAUTHID#0: AMEVENTID#0: Connection Established with peer (205.90.20.163), port(443)
Sep 12 10:32:41 lag31dub : AM#504503000: AMDEVICEID#ag-: AMAUTHID#0: AMEVENTID#2: Establish SSL connection to webserver
Sep 12 10:32:41 lag31dub : AM#504518000: AMDEVICEID#ag-: AMAUTHID#0: AMEVENTID#2804267440: Accept any trusted root from webserver
Sep 12 10:32:41 lag31dub : AM#504503000: AMDEVICEID#ag-: AMAUTHID#0: AMEVENTID#1: Sending request to origin server 205.90.20.163:443 (74db37de.74db37de)
Sep 12 10:32:42 lag31dub : AM#504518000: AMDEVICEID#ag-: AMAUTHID#0: AMEVENTID#2804267440: Connection close received
Sep 12 10:32:42 lag31dub : AM#504503000: AMDEVICEID#ag-: AMAUTHID#0: AMEVENTID#1: totalMsgs:84 msg:66:[Mal-formed reply from origin server. Please try your request again.]
Sep 12 10:32:42 lag31dub : AM#504520000: AMDEVICEID#ag-: AMAUTHID#0: AMEVENTID#1: Browser req/resp[55, 0, 0] [timeToResp:-1 respDuration:-1]    curTime:59 ~ServerRequest [auth:0 acl:0 II:0] [rewrite 0 :0 0 0] [origin: 55, 59, 59,0 retry:4 0]
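
A triage helper for the log pattern above, added here as an example (it is not Novell's code): it scans ics_dyn.log lines for a request sent to an origin server that is followed by 'Connection close received' and the Mal-formed reply message, and reports per-origin counts with the logged retry value. The sample lines are constructed on the format shown above, the 192.0.2.x addresses are placeholders, and the function assumes the entries for one request are not interleaved with another's.

```python
import re
from collections import defaultdict

# Constructed sample in the ics_dyn.log format shown above; 192.0.2.x are placeholders.
PFX = "Sep 12 10:32:41 lag31dub : AM#504503000: AMDEVICEID#ag-: AMAUTHID#0: AMEVENTID#1: "
SAMPLE_LOG = [
    PFX + "Sending request to origin server 192.0.2.10:443 (00000001.00000001)",
    PFX + "Connection close received",
    PFX + "totalMsgs:84 msg:66:[Mal-formed reply from origin server. Please try your request again.]",
    PFX + "Browser req/resp[55, 0, 0] [timeToResp:-1 respDuration:-1] curTime:59 [origin: 55, 59, 59,0 retry:4 0]",
    PFX + "Sending request to origin server 192.0.2.20:443 (00000002.00000002)",
    PFX + "Browser req/resp[12, 13, 14] [timeToResp:1 respDuration:1] curTime:14 [origin: 12, 13, 14,0 retry:0 0]",
]

SEND = re.compile(r"Sending request to origin server (\d+\.\d+\.\d+\.\d+):(\d+)")
CLOSE = "Connection close received"
MALFORMED = "Mal-formed reply from origin server"
RETRY = re.compile(r"retry:(\d+)")


def summarize(lines):
    """Return {origin: {"failures", "closed_first", "max_retry"}} for failing origins."""
    stats = defaultdict(lambda: {"failures": 0, "closed_first": 0, "max_retry": 0})
    origin, closed, failed = None, False, None
    for line in lines:
        sent = SEND.search(line)
        if sent:
            # A new request to an origin starts a fresh correlation window.
            origin, closed, failed = f"{sent.group(1)}:{sent.group(2)}", False, None
        elif origin and CLOSE in line:
            closed = True  # origin dropped the connection after the request was sent
        elif origin and MALFORMED in line:
            stats[origin]["failures"] += 1
            stats[origin]["closed_first"] += int(closed)
            failed = origin
        elif failed and (retry := RETRY.search(line)):
            # The request summary line carries the retry counter for the failed request.
            entry = stats[failed]
            entry["max_retry"] = max(entry["max_retry"], int(retry.group(1)))
            origin = failed = None
    return dict(stats)


if __name__ == "__main__":
    for server, entry in summarize(SAMPLE_LOG).items():
        print(server, entry)
```

Origins that only ever appear with a high closed_first count are the ones dropping the connection after the SSL handshake, which is the behaviour seen here with Oracle Application Server 10.1.3.x.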


By enabling the DEBUG_HTTP_HEADERS flag in the laglogs.conf file, we could see the requests being sent by the proxy to the origin server in /var/log/laghttpheaders, and all appeared fine:

----------------------------------------------------------------------------------------
Sending request to webserver 205.90.20.163 for browser request '1'
----------------------------------------------------------------------------------------
GET /oracle/ HTTP/1.1
Connection: close
Host: www.neil.com:443
Accept: */*
Accept-Language: en-US,en-IE;q=0.5
Ua-Cpu: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Cookie: novell_language=en-us
Pragma: no-cache
Via: 1.1 lag129.lab.novell.com (Access Gateway 3.1.0-157)


Forcing HTTP 1.0 to the origin server made no difference. Changing the SSL handshake from TLS to SSL made no difference. Using curl to simulate the exact same request from the LAG console actually worked fine:

mydelllag:~ # curl --silent --request GET --header "Connection: close" --header "Host: www.neil.com:443" --header "Accept: */*" --header "Accept-Language: en-US,en-IE;q=0.5" --header "Ua-Cpu: x86" --header "Accept-Encoding: gzip, deflate" --header "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)" --header "Cookie: novell_language=en-us" --header "Via: 1.1 lag129.lab.novell.com (Access Gateway 3.1.0-157)" https://www.neil.com/redirect.html

and I see the response come back ...

<html>
<body>
<p><a href="https://www.neil.com">www.neil.com</a>
</body>
</html>

Resolution

Applied the update to Oracle Application Server on Linux for platforms 10.1.3.3 and 10.1.3.4.