FortiWeb
shafiq23
Staff & Editor
Article Id 336640
Description This article describes how to resolve the '502 Bad Gateway' error returned when a website is accessed through a FortiWeb-OCI server policy deployment with an OCI Load Balancer (OCI-LB) in front of it.
Scope FortiWeb-OCI.
Solution

Topology:
Client -> OCI-LB -> FortiWeb -> Web Server.

 

Depending on the load balancer type used in OCI, the LB is usually assigned a public IP and performs DNAT, forwarding the client traffic it receives to the FortiWeb VIP.

 

Typically, the FortiWeb VIP is configured as a backend in the OCI-LB backend set with service port 443 (HTTPS), matching the FortiWeb server policy that listens on service port 443 (HTTPS). Both sides must agree not only on the port but also on whether TLS is spoken on it.

 

Sample error when accessing the website through OCI-LB -> FortiWeb with a misconfigured backend set:

 

2.png

 

Example of a FortiWeb server policy listening only on the HTTPS service port 443:

 

3.PNG

 

Tips to verify:

 

  1. Packet capture in FortiWeb.

Sample traffic with 'Use SSL' disabled in the OCI backend set configuration:

 

1.PNG

  • Unencrypted HTTP (a plaintext request) detected on the port the server policy reserves for HTTPS.
  • TCP RST packet sent by the FortiWeb VIP, so the OCI-LB gets no usable backend response and returns '502 Bad Gateway' to the client.
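An added example, not part of the Fortinet article: a small Python check that applies the same test the packet capture above relies on. It classifies the first client bytes of a TCP stream as either a TLS ClientHello or a plaintext HTTP request and flags a plaintext request on a port that is expected to carry TLS, which is exactly the pattern produced when 'Use SSL' is disabled on the backend set. The payloads and port assignments are constructed for the example; on a real capture you would feed it the first payload bytes of each client stream towards the FortiWeb VIP.

```python
# Added example (not from the Fortinet article): classify the first bytes of
# a captured TCP payload so that plaintext HTTP arriving on a TLS-only
# service port is flagged. All payloads below are constructed by hand.

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")

# TLS record header: content type 0x16 (handshake), legacy version 0x03 0x0X,
# two-byte length; the handshake header then starts with type 0x01 (ClientHello).
TLS_HANDSHAKE = 0x16
TLS_CLIENT_HELLO = 0x01


def classify_payload(payload: bytes) -> str:
    """Return 'tls-client-hello', 'plaintext-http' or 'unknown'."""
    if (len(payload) >= 6 and payload[0] == TLS_HANDSHAKE
            and payload[1] == 0x03 and payload[2] <= 0x04
            and payload[5] == TLS_CLIENT_HELLO):
        return "tls-client-hello"
    if payload.startswith(HTTP_METHODS) and b" HTTP/" in payload[:64]:
        return "plaintext-http"
    return "unknown"


def audit_flow(dst_port: int, payload: bytes, tls_ports=(443,)) -> str:
    """Compare what the first client bytes look like with what the port expects."""
    kind = classify_payload(payload)
    if dst_port in tls_ports and kind == "plaintext-http":
        # Pattern seen when the OCI backend set has 'Use SSL' disabled: the LB
        # speaks plaintext to a port expecting TLS, FortiWeb resets the
        # connection, and the LB surfaces that as a 502 to the client.
        return "plaintext-http-on-tls-port"
    if dst_port not in tls_ports and kind == "tls-client-hello":
        return "tls-on-plaintext-port"
    if kind == "unknown":
        return "unknown"
    return "ok"


# Constructed sample payloads (first segment of each client-side TCP stream).
PLAINTEXT_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# Record header (16 03 01, length 0x00c5) + handshake header (01, length 0x0000c1)
# + ClientHello version 03 03, followed by zero-filled random bytes.
CLIENT_HELLO_PREFIX = bytes.fromhex("16030100c5010000c10303") + b"\x00" * 32

CONSTRUCTED_CAPTURE = [
    # (description, destination port on FortiWeb, first payload bytes)
    ("OCI-LB -> FortiWeb VIP, 'Use SSL' disabled", 443, PLAINTEXT_GET),
    ("OCI-LB -> FortiWeb VIP, 'Use SSL' enabled", 443, CLIENT_HELLO_PREFIX),
    ("Client -> plain HTTP service", 80, PLAINTEXT_GET),
]


def audit_capture(capture=CONSTRUCTED_CAPTURE):
    """Return (description, verdict) for every flow in the capture."""
    return [(desc, audit_flow(port, payload)) for desc, port, payload in capture]


if __name__ == "__main__":
    for desc, verdict in audit_capture():
        print(f"{desc}: {verdict}")
```

The check keys on the TLS record header rather than on the port alone, because the whole problem here is that the port number says HTTPS while the bytes say HTTP. A TLS 1.3 ClientHello still carries a 0x0303 record-layer version, so the version byte test accepts all TLS versions FortiWeb can terminate.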

 

Resolve the '502 Bad Gateway' error by enabling 'Use SSL' in the OCI-LB backend set configuration, so that the LB speaks TLS to the FortiWeb VIP on port 443 as the server policy expects.


GoToMeeting 019.png

 

Note: An unhealthy backend status in the OCI-LB backend set can also cause a '502 Bad Gateway' error, so check the backend health in OCI if the TLS setting is already correct.

 

Related documentation on decrypting captured TLS traffic in the FortiWeb administration guide:
Decrypting TLS 1.2/1.1/1.0 Traffic 
Decrypting TLS 1.3 Traffic