FortiADC
FortiADC enhances the scalability, performance, and security of your applications whether they are hosted on premises or in the cloud.
ddsouza_FTNT
Staff
Article Id 282136
Description

 

This article describes the factors that can trigger a 400 Bad Request response on Layer 7 HTTP/HTTPS virtual servers on FortiADC, and how to identify and resolve the issue by adjusting the application profile settings.

 

Scope

 

FortiADC.

 

Solution

 

If FortiADC answers HTTP requests on a Layer 7 HTTP/HTTPS virtual server with 400 Bad Request, even when the requests appear to be well formed, the cause may be that the combined size of the request headers exceeds the buffer limits set in the HTTP/HTTPS application profile. The default HTTP application profile 'LB_PROF_HTTP' is used as the example below.

 

config load-balance profile
    edit "LB_PROF_HTTP"
        set type http
        set tune-bufsize 8030   <--
        set tune-maxrewrite 1024  <--
        set client-timeout 50
        set server-timeout 50
        set connect-timeout 5
        set queue-timeout 5
        set http-send-timeout 0
        set http-request-timeout 50
        set http-keepalive-timeout 50
        set buffer-pool enable
        set client-address disable
        set http-x-forwarded-for disable
        unset http-x-forwarded-for-header
        set http-mode KeepAlive
        set modify-host-on-nonstandard-rs-port disable
        unset compression
        unset decompression
        unset caching
        set ip-reputation disable
        unset geoip-list
        unset allowlist
        unset http2-profile
        set geoip-redirect http://
        set max-http-headers 100
        set response-half-closed-request disable
    next
end

 

In this profile, 'tune-bufsize' is 8030 bytes and 'tune-maxrewrite' is 1024 bytes. Both values apply to the buffering of HTTP request headers.

  • 'tune-bufsize' sets the size of the buffer that holds an HTTP request.
  • 'tune-maxrewrite' reserves part of that buffer for modifying or inserting HTTP headers.

With this configuration, 1024 of the 8030 bytes are reserved for header manipulation (adding or modifying headers), which leaves 8030 - 1024 = 7006 bytes for the headers of the incoming request. If the headers of a request collectively exceed those 7006 bytes, FortiADC drops the request and answers with a 400 'Bad Request' status code.

 

When HTTP requests are dropped and FortiADC responds with 400 'Bad Request', examine the total size of their headers. A request can be rejected even though its headers do not exceed 'tune-bufsize': the limit that actually applies is 'tune-bufsize' minus 'tune-maxrewrite' (7006 bytes in the default profile), so headers that fall between those two values are still too large.

 

If the combined size of the headers in the HTTP request exceeds the buffer space available for them, the 400 response is expected behavior. To accommodate larger headers, increase the 'tune-bufsize' value in the application profile. Larger buffers cost memory on every connection, so measure the largest legitimate request first and raise the value only as far as it needs rather than to an arbitrarily high number.
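The check described above, written out as an added example (this is not FortiADC code or a Fortinet tool): it parses the two tuning values out of a profile dump in the form shown in this article, measures the header block of a raw HTTP request, reports whether it fits in 'tune-bufsize' minus 'tune-maxrewrite', and, when it does not, prints the CLI lines that raise 'tune-bufsize'. The sample profile excerpt and the request (with its hypothetical host name and padded Cookie header) are constructed for the example; the assumption that the request line and line terminators count toward the buffer, and the margin and alignment used for the suggested value, are this example's own choices, not FortiADC documentation.

```python
import re

# Constructed excerpt of a FortiADC profile dump, in the shape the article
# shows. Only the two tuning values matter for this check.
PROFILE_CLI = """
config load-balance profile
    edit "LB_PROF_HTTP"
        set type http
        set tune-bufsize 8030
        set tune-maxrewrite 1024
        set max-http-headers 100
    next
end
"""

CRLF = b"\r\n"


def parse_profile(cli_text):
    """Pull the integer 'set <key> <value>' tuning lines out of a profile dump."""
    settings = {}
    for key in ("tune-bufsize", "tune-maxrewrite"):
        match = re.search(r"set " + re.escape(key) + r" (\d+)", cli_text)
        if match is None:
            raise ValueError("profile dump has no '%s' line" % key)
        settings[key] = int(match.group(1))
    return settings


def header_budget(settings):
    """Bytes left for request headers once the rewrite reserve is subtracted."""
    return settings["tune-bufsize"] - settings["tune-maxrewrite"]


def header_block_size(raw_request):
    """Bytes from the start of the request line through the blank line that
    ends the headers. Assumption: the request line and the CRLF terminators
    occupy the buffer just like the header fields do."""
    end = raw_request.find(CRLF + CRLF)
    if end < 0:
        raise ValueError("request has no end-of-headers marker")
    return end + 2 * len(CRLF)


def evaluate(raw_request, settings):
    """Report whether the request's header block fits in the profile's budget."""
    size = header_block_size(raw_request)
    budget = header_budget(settings)
    return {"header_bytes": size, "budget_bytes": budget, "fits": size <= budget}


def suggested_bufsize(header_bytes, settings, margin=1024, align=1024):
    """Smallest tune-bufsize, rounded up to a multiple of 'align', that leaves
    'margin' bytes of headroom above the observed header block. Margin and
    alignment are this example's own choices, not FortiADC guidance."""
    needed = header_bytes + settings["tune-maxrewrite"] + margin
    return -(-needed // align) * align


def fix_commands(profile_name, new_bufsize):
    """CLI lines, in the syntax shown in the article, that raise tune-bufsize."""
    return "\n".join([
        "config load-balance profile",
        '    edit "%s"' % profile_name,
        "        set tune-bufsize %d" % new_bufsize,
        "    next",
        "end",
    ])


def build_request(cookie_bytes):
    """Constructed GET request whose Cookie header is padded to 'cookie_bytes'
    bytes, so the header size can be dialled past the budget. The host name
    is hypothetical."""
    lines = [
        b"GET /app/login HTTP/1.1",
        b"Host: app.example.com",
        b"User-Agent: check/1.0",
        b"Cookie: session=" + b"A" * cookie_bytes,
    ]
    return CRLF.join(lines) + CRLF + CRLF


if __name__ == "__main__":
    profile = parse_profile(PROFILE_CLI)
    for cookie_len in (100, 7000):
        result = evaluate(build_request(cookie_len), profile)
        print("cookie %5d bytes -> headers %5d bytes, budget %d, fits=%s"
              % (cookie_len, result["header_bytes"],
                 result["budget_bytes"], result["fits"]))
        if not result["fits"]:
            new_size = suggested_bufsize(result["header_bytes"], profile)
            print(fix_commands("LB_PROF_HTTP", new_size))
```

To check a real request rather than the constructed one, capture the raw request bytes (a packet capture of the client side of the virtual server, or the request as the client library serialises it) and pass them to evaluate() with the values from 'show load-balance profile' for the profile attached to the virtual server; a header block that lands between 7006 and 8030 bytes is exactly the case the article describes, where the request looks as though it should fit but is still rejected.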