Name of HTTP response header is too large. HTTP "502" response from proxy.

Article ID: 166733

Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

The full exception response is:

 

Response Error
[invalid_response]

Server's response could not be processed. Name of HTTP response header is too large
This could be caused by a malformed response, or possibly a misconfiguration.

connection: service.name=HTTPS client.address=192.168.XX.X proxy.port=443 client.interface=1:0.1 routing-domain=default
  location-id=0 access_type=unknown
time: 2019-08-23 17:34:25 UTC
GET https://mywebsite.maindomain.com/Account/LogOn?ticket=SAMPLE-KJjhx3xJ82kx8cXSKlcs9xs
  DNS lookup was unrestricted
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299
user: name="DOMAIN\user_account" realm=AUTH_REALM_NAME_IWA
authentication status='none' authorization status='none'
EXCEPTION(invalid_response): Total length of HTTP response headers exceeded configured limit
  Last Error: Unexpected transaction termination on URL(https://mywebsite.maindomain.com/Account/LogOn?ticket=SAMPLE-KJjhx3xJ82kx8cXSKlcs9xs), client IP(192.168.XX.X), server IP(27.4.X.X): Total length of HTTP response headers exceeded configured limit (100000)
  url.category: [email protected];[email protected];[email protected];[email protected] Coat
    total categorization time: 7
    static categorization time: 7
  server.certficate.hostname.category: [email protected];[email protected];[email protected];[email protected] Coat
    total categorization time: 1
    static categorization time: 1
server.response.code: 301
client.response.code: 502

application.name: none
application.operation: none
application.group: none
DSCP client outbound: 65
DSCP server outbound: 65

Resolution

The problem here is that the server sent a response containing an individual header name larger than 8kb, which means it does not fit in one block. This limit is hard coded and cannot be changed.

To verify this, capture a developer tools trace in the browser, save it as a .har file, and open it in an application of your choice. Review the request that caused the issue and received the 502.
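The .har review can also be scripted. The following is an added example, not part of the original article or of any product tooling: it walks the standard HAR `log.entries` layout, lists every request that received a 502, and flags any response whose header names or total header size exceed the limits mentioned above. Assumptions: 8kb is read as 8192 bytes, the sample trace and its URLs are constructed, and the server's own headers only appear in a trace where its response actually reached the browser.

```python
import json

# Assumed thresholds: 8kb read as 8192 bytes; 100000 is the total-header
# limit quoted in the exception text above.
MAX_HEADER_NAME = 8192
MAX_HEADERS_TOTAL = 100000


def audit_har(har):
    """Return one finding per HAR entry that got a 502 or has oversized headers."""
    findings = []
    for entry in har["log"]["entries"]:
        resp = entry["response"]
        headers = resp.get("headers", [])
        # Size each header as it appears on the wire: "name: value\r\n"
        longest = max((len(h["name"].encode()) for h in headers), default=0)
        total = sum(len(h["name"].encode()) + len(h["value"].encode()) + 4
                    for h in headers)
        reasons = []
        if resp.get("status") == 502:
            reasons.append("502 response")
        if longest > MAX_HEADER_NAME:
            reasons.append("header name over 8 KB")
        if total > MAX_HEADERS_TOTAL:
            reasons.append("total headers over limit")
        if reasons:
            findings.append({"url": entry["request"]["url"],
                             "status": resp.get("status"), "longest_name": longest,
                             "headers_total": total, "reasons": reasons})
    return findings


def load_har(path):
    # Some tools write a UTF-8 BOM at the start of .har files
    with open(path, encoding="utf-8-sig") as fh:
        return json.load(fh)


# Constructed sample standing in for an exported trace (hypothetical URLs)
_CT = {"name": "Content-Type", "value": "text/html"}
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://app.example.test/"},
     "response": {"status": 200, "headers": [_CT]}},
    {"request": {"url": "https://app.example.test/Account/LogOn"},
     "response": {"status": 502, "headers": [_CT]}},
    {"request": {"url": "https://app.example.test/direct"},
     "response": {"status": 301, "headers": [{"name": "X" * 9000, "value": "1"}]}},
]}}

if __name__ == "__main__":
    for finding in audit_har(SAMPLE_HAR):
        print(finding)
```

For a real trace, pass the result of `load_har("trace.har")` to `audit_har` instead of the sample.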