A 502 Bad Gateway error occurs when you are using Anti-DDoS Advanced, as shown below:
The following figure shows how the application traffic flows.
After you connect to Anti-DDoS Advanced, the instance IP forwards the access requests it receives to the real server using a forwarding IP instead of the client IP, so the real server IP becomes invisible to the client. However, the number of forwarding IPs is insufficient to handle large volumes of access requests.
If the real server is configured with protection policies, these policies may be triggered and rate-limit or even block the forwarding IP.
Possible reasons:
Poor public network quality affects the stability of application access, and a 502 error is returned.
Check whether access to the real server and to the Anti-DDoS Advanced instance is normal.
If only the real server works normally, access from the Anti-DDoS Advanced instance is blocked or rate-limited by the real server. We recommend adding the instance to your allowlist.
For more details, see Instructions for cause 1.
Modify the local hosts file so that the domain name resolves to the real server, and check whether the real server works normally. First, edit the hosts file and ensure that the hosts binding has taken effect. Then connect to your domain name to check whether the real server can be accessed normally. If the access fails, perform the following steps:
For more details, see Instructions for cause 2.
Check whether there is a link failure and contact the network service provider for repair.
For more details, see Instructions for cause 3.
Allow the Anti-DDoS Advanced forwarding IP range in the firewall and host security software of the real server. The following takes the firewall of CentOS 6.5 as an example.

`service iptables status`

If there are no rules displayed for Chain INPUT, Chain FORWARD and Chain OUTPUT in the console, the firewall is not yet enabled.

`cat /etc/sysconfig/iptables`

Make sure that you have completed the blocklist and allowlist configuration before you enable the firewall.

`service iptables start`

`service iptables status`

If there are rules displayed for Chain INPUT, Chain FORWARD and Chain OUTPUT in the console, the firewall is enabled successfully.

`iptables -A INPUT -s <forwarding IP> -j ACCEPT`

`iptables -nL --line-number`

The allowlist is added if there are firewall rules in the output.

`service iptables save`

`service iptables restart`
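
The `-A` form used in this procedure appends the ACCEPT rule to the end of the INPUT chain, so it never matches if a REJECT or DROP rule without a source restriction sits earlier in the chain. The check below is an added example, not part of the original page; `audit_allowlist` is a hypothetical helper name, and the rule listing and CIDR ranges are constructed placeholders standing in for the forwarding IP range.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Reads an INPUT chain in
# `iptables -S INPUT` format on stdin and reports, for each forwarding CIDR
# given as an argument, whether its ACCEPT rule is present and is evaluated
# before any DROP/REJECT rule that has no -s restriction.
# Conservative: a port-specific DROP without -s is also counted as blocking.

# audit_allowlist CIDR...   ->  prints "<cidr> ok|shadowed|missing" per CIDR
audit_allowlist() {
  awk -v wants="$*" '
    BEGIN { n = split(wants, want, " ") }
    $1 == "-A" && $2 == "INPUT" {
      src = ""; target = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-s") src = $(i + 1)
        if ($i == "-j") target = $(i + 1)
      }
      # A DROP/REJECT with no -s also applies to the forwarding IPs.
      if (src == "" && (target == "DROP" || target == "REJECT")) blocked = 1
      # Record the first ACCEPT seen for each source, with its position status.
      if (target == "ACCEPT" && src != "" && !(src in state))
        state[src] = blocked ? "shadowed" : "ok"
    }
    END {
      for (k = 1; k <= n; k++)
        print want[k], ((want[k] in state) ? state[want[k]] : "missing")
    }
  '
}

# Constructed sample: a CentOS 6 style chain where one range was inserted at
# the top and another was appended with -A below the final REJECT.
sample_rules() {
  cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -s 198.51.100.0/24 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 203.0.113.0/24 -j ACCEPT
EOF
}

run_sample() {
  sample_rules | audit_allowlist 198.51.100.0/24 203.0.113.0/24 192.0.2.0/24
}

run_sample
```

On a live host, pipe `iptables -S INPUT` into `audit_allowlist` with the real forwarding ranges. A range reported as `shadowed` can be moved above the blocking rule by inserting it with `iptables -I INPUT` instead of `-A`.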
Modify the local hosts file so that the domain name resolves to the real server, and check whether the real server is normal. First, modify the local hosts file. The specific operations are as follows:
The `hosts` file is in `C:\Windows\System32\drivers\etc`.
For example, if the real server IP is `10.1.1.1` and the domain name is `www.qqq.com`, add:
Save the hosts file. Run the ping command on the protected domain name in the local computer.
When the resolved IP address is the real server IP address bound in the hosts file, the local hosts file is valid. If the real server IP is not resolved, run `ipconfig /flushdns` in the Windows Command Prompt to refresh the local DNS cache.
2. After the binding has taken effect, check whether the access of the real server is normal using the domain name. If it cannot be accessed normally, the following measures can be taken.
Check whether the real server has a significant increase in traffic and request volume, and check the monitoring data in the Anti-DDoS Advanced console. The following describes how to check the real server traffic volume when the OS is CentOS.
Run the command `iftop [-i interface]`. The parameter "interface" indicates the network interface name, such as eth0 and eth1.
The output is as follows:
- `=>` means sending data and `<=` means receiving data.
- `TX` stands for sending traffic, `RX` for receiving traffic, and `TOTAL` for total traffic.
- `cumm` stands for the total traffic in the first column.
- `peak` stands for peak traffic in the first column.
- `rates` stands for the average traffic for each period of 2 seconds, 10 seconds, and 40 seconds.

You can check whether the data center has physical hardware failures, such as failures with power, network card, drive, memory, and wiring.
Check the related monitoring of the origin server: CPU usage, memory usage, and bandwidth usage.
Note:
- Normally, if the usage of CPU or memory exceeds 90% for a long time, the web service is in abnormal status.
- Compare the bandwidth usage with the bandwidth occupied by business processes during normal business periods and check whether there is a significant increase. For more details, see CVM Bandwidth Utilization Is Too High.
If there is an exception, please contact technical support for further troubleshooting.
Self-check the web program status. Run the `ps -C nginx -o pid` command to check whether the server's nginx process is running normally.
If there is an exception, please contact technical support for further troubleshooting.
Run a self-check on the link quality, link connectivity, and forwarding status of intermediate network equipment between the public network and the real server.
Check and monitor the public network quality of real server and the Anti-DDoS Advanced instance using the Tencent Cloud website monitoring platform.
If the public network is not working well, contact the service provider for assistance.