HAProxy 2.4.19 sends 400 Bad Request responses to clients that go away before sending anything

[jvgutierrez]

Detailed Description of the Problem

HAProxy sends a 400 Bad request response after a connection is closed before the client sends a single byte after the TLS handshake

Expected Behavior

HAProxy silently closes the connection without emitting a 400 Bad Request response, as no request has been sent by the client

Steps to Reproduce the Behavior

1. timeout 2 openssl s_client -connect 127.0.0.1:443
2. traffic capture shows the 400 Bad Request response sent by HAProxy

    1 0.000000000    127.0.0.1 → 127.0.0.1    TCP 74 38772 → 443 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2222161254 TSecr=0 WS=512
    2 0.000024130    127.0.0.1 → 127.0.0.1    TCP 74 443 → 38772 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2222161254 TSecr=2222161254 WS=512
    3 0.000044540    127.0.0.1 → 127.0.0.1    TCP 66 38772 → 443 [ACK] Seq=1 Ack=1 Win=44032 Len=0 TSval=2222161254 TSecr=2222161254
    4 0.001186772    127.0.0.1 → 127.0.0.1    TLSv1 349 Client Hello
    5 0.002338477    127.0.0.1 → 127.0.0.1    TLSv1.3 4162 Server Hello, Change Cipher Spec, Encrypted Extensions
    6 0.002370057    127.0.0.1 → 127.0.0.1    TCP 66 38772 → 443 [ACK] Seq=284 Ack=4097 Win=41472 Len=0 TSval=2222161256 TSecr=2222161256
    7 0.006104753    127.0.0.1 → 127.0.0.1    TLSv1.3 1279 Certificate, Certificate Verify, Finished
    8 0.006118780    127.0.0.1 → 127.0.0.1    TCP 66 38772 → 443 [ACK] Seq=284 Ack=5310 Win=42496 Len=0 TSval=2222161260 TSecr=2222161260
    9 0.014768812    127.0.0.1 → 127.0.0.1    TLSv1.3 146 Change Cipher Spec, Finished
   10 0.015232225    127.0.0.1 → 127.0.0.1    TLSv1.3 321 New Session Ticket
   11 0.015249354    127.0.0.1 → 127.0.0.1    TCP 66 38772 → 443 [ACK] Seq=364 Ack=5565 Win=44032 Len=0 TSval=2222161269 TSecr=2222161269
   12 0.015374085    127.0.0.1 → 127.0.0.1    TLSv1.3 321 New Session Ticket
   13 0.015384048    127.0.0.1 → 127.0.0.1    TCP 66 38772 → 443 [ACK] Seq=364 Ack=5820 Win=44032 Len=0 TSval=2222161269 TSecr=2222161269
   14 1.991451351    127.0.0.1 → 127.0.0.1    TCP 66 38772 → 443 [FIN, ACK] Seq=364 Ack=5820 Win=44032 Len=0 TSval=2222163245 TSecr=2222161269
   15 1.991675113    127.0.0.1 → 127.0.0.1    HTTP 295 HTTP/1.1 400 Bad request  (text/html)
   16 1.991707156    127.0.0.1 → 127.0.0.1    TCP 54 38772 → 443 [RST] Seq=365 Win=0 Len=0

Do you have any idea what may have caused this?

No response

Do you have an idea how to solve the issue?

No response

What is your configuration?

root@traffic-cache-bullseye:/var/log# cat /etc/haproxy/haproxy.cfg 
# Note: This file is managed by puppet.

global
    user haproxy
    group haproxy
    stats socket /run/haproxy/haproxy.sock mode 600 expose-fd listeners level admin
    log /var/lib/haproxy/dev/log local0 info
    # do not keep old processes longer than 5m after a reload
    hard-stop-after 5m


defaults
    mode       http
    log-format "%rt %Tr %Tw %Tc %ST %hr %hs %ts"
    option     dontlognull
    option     accept-invalid-http-response
    retries    1
    timeout    connect 50000
    timeout    client 500000
    timeout    server 500000
root@traffic-cache-bullseye:/var/log# cat /etc/haproxy/conf.d/tls.cfg                     
global                                                                                    
                                                                                          
    nbproc 1                                                                              
    nbthread 2                                                                            
    cpu-map 1/1- 0 1                                                                      
                                                                                          
                                                                                                                                                                                    
    ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3                                                                                                                
    ssl-default-bind-ciphers -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256
    ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256                                                                        
    ssl-dh-param-file /etc/ssl/dhparam.pem                                                
    tune.ssl.cachesize 512000                                                             
    tune.ssl.lifetime 86400                                                               
    maxconn 200000                                                                        
                                                                                          
                                                                                          
    tune.h2.header-table-size 4096                                                        
    tune.h2.initial-window-size 65535                                                     
    tune.h2.max-concurrent-streams 100                                                    
                                                                                          
                                                                                                                                                                                                                                                                                                                                                                         
listen tls                                                                                
    log global                                                                            
    maxconn 199000                                                                        
    bind :443 ssl crt-list /etc/haproxy/crt-list.cfg tls-ticket-keys /run/haproxy-secrets/stek.keys                                                                                 
                                                                                          
    bind :::443 v6only ssl crt-list /etc/haproxy/crt-list.cfg tls-ticket-keys /run/haproxy-secrets/stek.keys                                                                        
                                                                                          
    http-reuse always                                                                     
                                                                                                                                                                                                                                                                                                                                                                         
    # time to wait for a complete HTTP request, It only applies to the header part of the HTTP request (unless option http-buffer-request is used)                                  
    timeout http-request 3600s                                                            
    # set the maximum allowed time to wait for a new HTTP request to appear               
    timeout http-keep-alive 120s                                                          
    # set the maximum inactivity time on the client side                                  
    timeout client 120s                                                                   
    # inactivity timeout on the client side for half-closed connections                   
    timeout client-fin 120s                                                               
    # connect timeout against a backend server                                            
    timeout connect 3s                                                                    
    # set the maximum inactivity time on the server side                    
    timeout server 180s                                                                   
    # timeout used after upgrading a connection (websockets) or after the first response when no keepalive/close option is specified                                                
    timeout tunnel 3600s                                                                  

    # TODO: refactor to a more configurable approach                                      
    capture response header X-Cache-Status len 10                                         
    capture request header Host len 25                                                    

    http-request set-var(txn.xwd_count) req.hdr_cnt(X-Wikimedia-Debug)                    
    http-request set-var(req.ciph) ssl_fc_cipher,regsub('^ECDHE-ECDSA-',),regsub('^ECDHE-RSA-',),regsub('^TLS_',''),regsub('_','-','g'),regsub('^CHACHA20-POLY1305$','CHACHA20-POLY1305-SHA256')


    acl missing_xwd var(txn.xwd_count) eq 0                                               
    acl h2 fc_http_major eq 2                                                             
    acl ssl_session_reused ssl_fc_is_resumed eq 1                                         
    acl ssl_auth_rsa ssl_fc_cipher -m reg ^ECDHE-RSA                                      

    http-request set-var(req.h2) int(1) if h2                                             
    http-request set-var(req.h2) int(0) if !h2                                            
    http-request set-var(req.h2s) str(h2) if h2                                           
    http-request set-var(req.h2s) str(h1) if !h2                                          
    http-request set-var(req.sess) str(new) if !ssl_session_reused                        
    http-request set-var(req.sess) str(reused) if ssl_session_reused                      
    http-request set-var(req.auth) str(RSA) if ssl_auth_rsa                               
    http-request set-var(req.auth) str(ECDSA) if !ssl_auth_rsa                            

    http-request set-header X-Client-IP "%[src]"                                          
    http-request set-header X-Client-Port "%[src_port]"                                   
    http-request set-header X-Forwarded-Proto "https"                                     
    http-request set-header X-Connection-Properties "H2=%[var(req.h2)]; SSR=%[ssl_fc_is_resumed]; SSL=%[ssl_fc_protocol]; C=%[ssl_fc_cipher]; EC=UNKNOWN;"                          
    http-request set-header X-Analytics-TLS "vers=%[ssl_fc_protocol];keyx=unknown;auth=%[var(req.auth)];ciph=%[var(req.ciph)];prot=%[var(req.h2s)];sess=%[var(req.sess)]"           
    http-response del-header X-Analytics                                                  
    http-response del-header Backend-Timing if missing_xwd                                
    http-response del-header X-ATS-Timestamp if missing_xwd                               
    http-response del-header X-Envoy-Upstream-Service-Time if missing_xwd                 
    http-response del-header X-OpenStack-Request-ID if missing_xwd                        
    http-response del-header X-Powered-By if missing_xwd                                  
    http-response del-header X-Request-Id if missing_xwd                                  
    http-response del-header X-Timestamp if missing_xwd                                   
    http-response del-header X-Trans-Id if missing_xwd                                    
    http-response del-header X-Varnish if missing_xwd                                     



    server backend_server_0 unix@/run/varnish-frontend-0.socket                           
    server backend_server_1 unix@/run/varnish-frontend-1.socket                           
    server backend_server_2 unix@/run/varnish-frontend-2.socket                           
    server backend_server_3 unix@/run/varnish-frontend-3.socket                           
    server backend_server_4 unix@/run/varnish-frontend-4.socket                           
    server backend_server_5 unix@/run/varnish-frontend-5.socket                           
    server backend_server_6 unix@/run/varnish-frontend-6.socket                           
    server backend_server_7 unix@/run/varnish-frontend-7.socket                           
    option forwardfor                                                                     

frontend stats                                                                            
    no log                                                                                
    maxconn 1000                                                                          
    bind :9422                                                                            
    bind :::9422 v6only                                                                   
    http-request use-service prometheus-exporter if { path /metrics }                     
    stats enable                                                                          
    stats uri /stats                                                                      
    stats refresh 10s

Output of haproxy -vv

haproxy -vv
HAProxy version 2.4.19-1~bpo10+1 2022/09/30 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2026.
Known bugs: http://www.haproxy.org/bugs/bugs-2.4.19.html
Running on: Linux 5.16.0-0.bpo.4-cloud-amd64 #1 SMP PREEMPT Debian 5.16.12-1~bpo11+1 (2022-03-08) x86_64
Build options :
  TARGET  = linux-glibc
  CPU     = generic
  CC      = cc
  CFLAGS  = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-2.4.19=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Wextra -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
  OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_OPENSSL=1 USE_LUA=1 USE_SLZ=1 USE_SYSTEMD=1 USE_PROMEX=1
  DEBUG   = 

Feature list : +EPOLL -KQUEUE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +BACKTRACE -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -CLOSEFROM -ZLIB +SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL -PROCCTL +THREAD_DUMP -EVPORTS -OT -QUIC +PROMEX -MEMORY_PROFILING

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=2).
Built with OpenSSL version : OpenSSL 1.1.1n  15 Mar 2022
Running on OpenSSL version : OpenSSL 1.1.1n  15 Mar 2022
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.3
Built with the Prometheus exporter as a service
Built with network namespace support.
Built with libslz for stateless compression.
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE2 version : 10.32 2018-09-10
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 8.3.0

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTTP       side=FE|BE     mux=H2       flags=HTX|CLEAN_ABRT|HOL_RISK|NO_UPG
            fcgi : mode=HTTP       side=BE        mux=FCGI     flags=HTX|HOL_RISK|NO_UPG
       <default> : mode=HTTP       side=FE|BE     mux=H1       flags=HTX
              h1 : mode=HTTP       side=FE|BE     mux=H1       flags=HTX|NO_UPG
       <default> : mode=TCP        side=FE|BE     mux=PASS     flags=
            none : mode=TCP        side=FE|BE     mux=PASS     flags=NO_UPG

Available services : prometheus-exporter
Available filters :
        [SPOE] spoe
        [CACHE] cache
        [FCGI] fcgi-app
        [COMP] compression
        [TRACE] trace

Last Outputs and Backtraces

[01|h1|5|/mux_h1.c:789] h1_init(): entering
[01|h1|5|/mux_h1.c:554] h1_set_idle_expiration(): set idle expiration (http-request timeout) : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80001300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|/mux_h1.c:878] h1_init(): leaving : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80001300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:2959] h1_wake(): in : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80001300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:2653] h1_send(): entering : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80001300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:2692] h1_send(): leaving with everything sent : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80001300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:2704] h1_send(): leaving : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80001300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:2717] h1_process(): entering : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80001300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:2653] h1_send(): entering : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80001300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:2692] h1_send(): leaving with everything sent : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80001300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:2704] h1_send(): leaving : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80001300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|/mux_h1.c:521] h1_refresh_timeout(): refreshing connection's timeout (alive front h1c but not ready) : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80001300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|/mux_h1.c:531] h1_refresh_timeout(): new expiration date : [F] - VAL=18446744071666258244 - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80001300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:2863] h1_process(): leaving : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80001300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:2922] h1_io_cb(): entering : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80001300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:2653] h1_send(): entering : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80001300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:2692] h1_send(): leaving with everything sent : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80001300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:2704] h1_send(): leaving : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80001300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:2576] h1_recv(): entering : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80001300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|3|mux_h1.c:2623] failed to receive data, subscribing : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80001300) ibuf=0@0x7fc7f802b920+48/16384 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:2638] h1_recv(): leaving : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80001300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:2922] h1_io_cb(): entering : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80001300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:2653] h1_send(): entering : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80001300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:2692] h1_send(): leaving with everything sent : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80001300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:2704] h1_send(): leaving : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80001300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:2576] h1_recv(): entering : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80001300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|/mux_h1.c:403] h1_recv_allowed(): recv not allowed because of (error|read0|waitl4|waitl6) on connection : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80041300) ibuf=0@0x7fc7f802b920+48/16384 obuf=0@(nil)+0/0
[01|h1|4|mux_h1.c:2628] data received : [F] - VAL=0 - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80041300) ibuf=0@0x7fc7f802b920+48/16384 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:2638] h1_recv(): leaving : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80041300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:2717] h1_process(): entering : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80041300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:2653] h1_send(): entering : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80041300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:2692] h1_send(): leaving with everything sent : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80041300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:2704] h1_send(): leaving : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80041300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:2422] h1_send_error(): entering : [F] - VAL=400 - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80041300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:2459] h1_send_error(): leaving : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80041300) ibuf=0@(nil)+0/0 obuf=207@0x7fc7f802b920+0/16384
[01|h1|5|mux_h1.c:2653] h1_send(): entering : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80041300) ibuf=0@(nil)+0/0 obuf=207@0x7fc7f802b920+0/16384
[01|h1|4|mux_h1.c:2671] data sent : [F] - VAL=207 - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80041300) ibuf=0@(nil)+0/0 obuf=207@0x7fc7f802b920+0/16384
[01|h1|5|mux_h1.c:2692] h1_send(): leaving with everything sent : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80041300) ibuf=0@(nil)+0/0 obuf=0@0x7fc7f802b920+207/16384
[01|h1|5|mux_h1.c:2704] h1_send(): leaving : [F] - h1c=0x7fc7f80402c0(0x00000400) conn=0x7fc7f80271b0(0x80041300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|/mux_h1.c:901] h1_release(): in
[01|h1|5|/mux_h1.c:908] h1_release(): freeing h1c : [F] - h1c=0x7fc7f80402c0(0x00000800) conn=0x7fc7f80271b0(0x80041300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:3339] h1_shutw_conn(): entering : [F] - h1c=0x7fc7f80402c0(0x00000800) conn=0x7fc7f80271b0(0x80041300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|mux_h1.c:3342] h1_shutw_conn(): leaving : [F] - h1c=0x7fc7f80402c0(0x00000800) conn=0x7fc7f80271b0(0x801c1300) ibuf=0@(nil)+0/0 obuf=0@(nil)+0/0
[01|h1|5|/mux_h1.c:957] h1_release(): freeing conn
[01|h1|5|mux_h1.c:2881] h1_process(): leaving after releasing the connection
[01|h1|5|mux_h1.c:2980] h1_timeout_task(): entering
[01|h1|5|mux_h1.c:3049] h1_timeout_task(): leaving (not more h1c)

Additional Information

No response

[wtarreau]

To the best of my knowledge this has always been the case since v1.0 and some have been relying on it for health-checks coming from external systems. There is an option to change this behavior (option http-ignore-probes), which will silently close the connection and prevent any log from being produced.

[jvgutierrez]

I've definitely missed that one, thanks @wtarreau!