github.com/projectcontour/contour@v1.28.2/site/content/docs/main/troubleshooting/common-proxy-errors.md (about) 1 # Troubleshooting Common Proxy Errors 2 3 ## Unexpected HTTP errors 4 5 Here are some steps to take in investigating common HTTP errors that users may encounter. 6 We'll include example error cases to debug with these steps. 7 8 1. Inspect the HTTP response in detail (possibly via `curl -v`). 9 10 Here we're looking to validate if the error response is coming from the backend app, Envoy, or possibly another proxy in front of Envoy. 11 If the response has the `server: envoy` header set, the request at least made it to the Envoy proxy so we can likely rule out anything before it. 12 The error may originate from Envoy itself or the backend app. 13 Look for headers or a response body that may originate from the backend app to verify if the error is in fact just the intended app behavior. 14 In the example below, we can see the response looks like it originates from Envoy, based on the `server: envoy` header and response body string. 15 16 ``` 17 curl -vvv example.projectcontour.io 18 ... 19 > GET / HTTP/1.1 20 > Host: example.projectcontour.io 21 ... 22 > 23 < HTTP/1.1 503 Service Unavailable 24 < content-length: 91 25 < content-type: text/plain 26 < vary: Accept-Encoding 27 < date: Tue, 06 Feb 2024 03:44:30 GMT 28 < server: envoy 29 < 30 * Connection #0 to host example.projectcontour.io left intact 31 upstream connect error or disconnect/reset before headers. reset reason: connection failure 32 ``` 33 34 1. Look at the Envoy pod logs for the access logs corresponding to the erroring request/response. 35 36 The exact fields/field ordering present in the access log may vary if you have [configured a custom access log string or JSON access logs][0]. 37 For example for a Contour installation using the [default Envoy access log format][1] we would want to inspect: 38 * `%REQ(:METHOD)%`, `%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%`, `%REQ(:AUTHORITY)%`, `%PROTOCOL%`: Ensure these are sensible values based on your configured route and HTTP request 39 * `%RESPONSE_FLAGS%`: See the [documentation on Envoy response flags][2] and below how to interpret a few of them in a Contour context: 40 * `UF`: Likely that Envoy could not connect to the upstream 41 * `UH`: Upstream Service has no health/ready pods 42 * `NR`: No configured route matching the request 43 * `%DURATION%`: Can correlate this with any configured timeouts 44 * `%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%`: Can correlate this with any configured timeouts. If `-` then this is a hint the request was never forwarded to the upstream. 45 * `%UPSTREAM_HOST%`: This is the IP of the upstream pod that was selected to proxy the request to and can be used to verify the exact upstream instance that might be erroring. 46 47 For example in this access log: 48 49 ``` 50 [2024-02-06T15:18:17.437Z] "GET / HTTP/1.1" 503 UF 0 91 1998 - "103.67.2.26" "curl/8.4.0" "d70640ec-2feb-46f8-9f63-24c44142c42e" "example.projectcontour.io" "10.244.8.27:8080" 51 ``` 52 53 We can see the `UF` response flag as the cause of the `503` response code. 54 We also see the `-` for upstream request time. 55 It is likely in this case that Envoy was not able to establish a connection to the upstream. 56 That is further supported by the request duration of `1998` which is approximately the default upstream connection timeout of `2s`. 57 58 1. Inspect Envoy metrics 59 60 This method of debugging can be useful especially for deployments that service a large volume of traffic. 61 In this case, access logs are possibly not suitable to use, as the volume of logs may be too large to pinpoint an exact erroring request. 62 63 Metrics from individual Envoy instances can be viewed manually or scraped using Envoy's prometheus endpoints and graphed using common visualization tools. 64 See the `/stats/prometheus` endpoint of the [Envoy admin interface][3]. 65 66 Metrics that may be useful to inspect: 67 * [Listener metrics][4] 68 * `downstream_cx_total` 69 * `ssl.connection_error` 70 * [HTTP metrics][5] 71 * `downstream_cx_total` 72 * `downstream_cx_protocol_error` 73 * `downstream_rq_total` 74 * `downstream_rq_rx_reset` 75 * `downstream_rq_tx_reset` 76 * `downstream_rq_timeout` 77 * `downstream_rq_5xx` (and other status code groups) 78 * [Upstream metrics][6] 79 * `upstream_cx_total` 80 * `upstream_cx_connect_fail` 81 * `upstream_cx_connect_timeout` 82 * `upstream_rq_total` 83 * `upstream_rq_timeout` 84 85 1. Send a direct request to the backend app to narrow down where the error may be originating. 86 87 This can be done via a port-forward to send a request to the app directly, skipping over the Envoy proxy. 88 If this sort of request succeeds, we know the issue likely originates from Contour configuration or the Envoy proxy rather than the app itself. 89 90 [0]: /docs/{{< param latest_version >}}/config/access-logging/ 91 [1]: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#default-format-string 92 [2]: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-response-flags 93 [3]: /docs/{{< param latest_version >}}/guides/prometheus/#envoy-metrics 94 [4]: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/stats 95 [5]: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/stats 96 [6]: https://www.envoyproxy.io/docs/envoy/latest/configuration/upstream/cluster_manager/cluster_stats