Suppose FortiADC responds with 400 Bad Request responses for HTTP requests (even when they appear to be correctly formatted) in Layer 7 HTTP/HTTPS virtual servers. In that case, it may be due to the overall size of the headers exceeding the buffer limits set in the HTTP/HTTPS application profile. This article will explore the default HTTP application profile 'LB_PROF_HTTP' as an example.

config load-balance profile

    edit "LB_PROF_HTTP"

        set type http

        set tune-bufsize 8030   <--

        set tune-maxrewrite 1024  <--

        set client-timeout 50

        set server-timeout 50

        set connect-timeout 5

        set queue-timeout 5

        set http-send-timeout 0

        set http-request-timeout 50

        set http-keepalive-timeout 50

        set buffer-pool enable

        set client-address disable

        set http-x-forwarded-for disable

        unset http-x-forwarded-for-header

        set http-mode KeepAlive

        set modify-host-on-nonstandard-rs-port disable

        unset compression

        unset decompression

        unset caching

        set ip-reputation disable

        unset geoip-list

        unset allowlist

        unset http2-profile

        set geoip-redirect http://

        set max-http-headers 100

        set response-half-closed-request disable

        next

end

In this profile, the 'tune-bufsize' is set to 8030 bytes, and 'tune-maxrewrite' is configured as 1024 bytes. These values are used for handling HTTP request headers.

• 'tune-bufsize' specifies the buffer size for handling HTTP requests.
• 'tune-maxrewrite' reserves a portion of the buffer for modifying or inserting HTTP headers.
  
  

In this particular configuration, 1024 bytes out of the 8030 bytes set as 'tune-bufsize' are reserved for header manipulation(adding or modifying headers). This leaves approximately 7006 bytes for buffering HTTP headers within the HTTP request. If an incoming HTTP request contains headers that collectively exceed the available buffer space (7006 bytes), the request will be dropped and the FortiADC will respond with an error 400 'Bad Request' status code.

It is important to examine the total size of headers in situations where HTTP requests are dropped and FortiADC responds with the 400 'Bad Request' response code, even if they do not exceed the 'tune-bufsize' value but do fall within the range of 'tune-bufsize' - 'tune-maxrewrite'.

If the collective size of the headers in the HTTP request exceeds the available buffer space reserved for the headers, this is considered expected behavior. To address this, increase the 'tune-bufsize' value in the application profile to accommodate larger header sizes.

Curl commands can also be used to send traffic directly to the backend server using FortiADC as the client, using the same format as the client,t and checking whether the same issue will occur or not using the command below:

execute curl <test URL to the backend server>

Example: 

execute curl -vk https://10.10.10.10/login

For the steps to obtain the curl command format with all the required headers from the browser, refer to this article: Technical Tip: How to use browsers to obtain curl commands for testing.