CDN 502 error on certain https images

Category: azure cdn

Question

EhsanJ on Tue, 04 Oct 2016 04:45:31


Hi There,

I have set up my CDN on Azure,
and configured it to point to my domain name.
Since my SSL cert does not accept subdomains, I did not configure a custom domain, so it all points to my CDN in Azure.

Now it acts weird.
Since yesterday, any image that I upload to my CMS, WordPress, is returning a 502 error, but it works well on http.

You can check these 2:

https://jahandarpour.azureedge.net/wp-content/uploads/2016/01/Abir-All-in-one-1.png
http://jahandarpour.azureedge.net/wp-content/uploads/2016/01/Abir-All-in-one-1.png

Since my website has SSL, those images on http won't do any good to my website.

I would appreciate it if you could help me fix it.

Cheers,
Ehsan


Replies

EhsanJ on Tue, 04 Oct 2016 07:46:14


Here is the latest update.

It's so strange.
I have changed nothing, and now the whole website is giving a 502 Bad error.

Check this out:
https://jahandarpour.com/
https://jahandarpour.azureedge.net/


Anton Kucer - MSFT on Sat, 08 Oct 2016 01:05:11


The 502 errors are a result of SNI binding being enabled on your origin. Automatic SNI resolution between CDN and origins is not currently supported for Azure CDN from Verizon. The easiest resolution is to disable SNI binding on your origin.

EhsanJ on Sat, 08 Oct 2016 04:18:44


Would you care to share a solution on how to disable SNI on my Apache on Ubuntu?

Anton Kucer - MSFT on Sat, 08 Oct 2016 04:56:26


Are you able to set SSLStrictSNIVHostCheck off in your apache config file (http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI)?

EhsanJ on Sat, 08 Oct 2016 05:47:56


Hey Anton,

Just did it and restarted Apache.
However, the 502 error still exists.


Here is my Apache config:

# Default Virtual Host configuration.


<IfVersion < 2.3 >
  NameVirtualHost *:80
  NameVirtualHost *:443
  ServerName MyDomainname.com
</IfVersion>

<VirtualHost _default_:80>
  ServerName MyDomainname.com
  DocumentRoot "/opt/bitnami/apache2/htdocs"
  <Directory "/opt/bitnami/apache2/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride All
    <IfVersion < 2.3 >
      Order allow,deny                          
      Allow from all
    </IfVersion>
    <IfVersion >= 2.3 >
      Require all granted
    </IfVersion>
  </Directory>

  # Error Documents
  ErrorDocument 503 /503.html

  # Bitnami applications installed with a prefix URL (default)
  Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf"
</VirtualHost>

# Default SSL Virtual Host configuration.

<IfModule !ssl_module>
  LoadModule ssl_module modules/mod_ssl.so
</IfModule>

Listen 443
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !EDH !RC4"
SSLPassPhraseDialog  builtin
SSLSessionCache "shmcb:/opt/bitnami/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300
SSLStrictSNIVHostCheck off

<VirtualHost _default_:443>
  ServerName MyDomainname.com
  DocumentRoot "/opt/bitnami/apache2/htdocs"
  SSLEngine on
  SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
  SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
  SSLCertificateChainFile "/opt/bitnami/apache2/conf/server.ca-bundle"

  <Directory "/opt/bitnami/apache2/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride All
    <IfVersion < 2.3 >
      Order allow,deny                          
      Allow from all
    </IfVersion>
    <IfVersion >= 2.3 >
      Require all granted
    </IfVersion>
  </Directory>

  # Error Documents
  ErrorDocument 503 /503.html

  # Bitnami applications installed with a prefix URL (default)
  Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf"
</VirtualHost>

# Bitnami applications that use virtual host configuration
Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-vhosts.conf"

                    

EhsanJ on Mon, 10 Oct 2016 16:25:42


Hey Anton,

Did you find anything I have to change? I still get a 502!

EhsanJ on Tue, 11 Oct 2016 16:26:33


Will anyone please care to respond?
It's been a week!!
I can't believe that Microsoft engineers cannot solve such an easy issue. It's on Azure, from Azure, and in Azure!!

BrianCDN on Tue, 11 Oct 2016 17:07:52


Hello Ehsan

Apologies for the delay, we will make a configuration to solve this issue for you. We will reach out separately in a ticket and contact you.

Thank you,

Brian Pillsbury

EhsanJ on Tue, 11 Oct 2016 17:23:18


Hey Brian,

Really looking forward to hearing from you soon.

Thanks,
Ehsan

BrianCDN on Tue, 11 Oct 2016 17:57:51


Hi Ehsan,

You should have received an email that a case has been created for this issue. Please look for further updates there and we will correspond through that.

Thank you,

Brian Pillsbury

BrianCDN on Tue, 11 Oct 2016 20:21:48


Hi Ehsan,

We are pushing out a fix which should be globally propagated in ~2 hours. The issue was actually a cipher suite mismatch (not an SNI problem) when the CDN was trying to connect to your origin server using TLS. Please give it a bit of time and then you can re-test.

Thank you,

Brian Pillsbury

Anton Kucer - MSFT on Fri, 14 Oct 2016 02:06:00


To provide closure on this issue, the original 502 issues were the result of SNI binding enabled on the origin. Setting SSLStrictSNIVHostCheck off in the Apache config allowed non-SNI connections. This then exposed a cipher suite mismatch issue, which has been resolved. Long term, we are working to enable TLS SNI connections by default from Verizon CDN POPs to origins.
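
Added example (not part of the original thread, and not Microsoft's or Verizon's code): a Python check that reads a ClientHello, such as the one a CDN edge sends to the origin, and reports the two causes named in this thread, a missing SNI extension and no cipher suite shared with the origin. The ClientHello bytes are constructed by a hypothetical helper, and the origin suite table is an illustrative subset of what the posted SSLCipherSuite line admits; the CDN's real offer is not given in the thread.

```python
import struct

# IANA ids of some suites the posted SSLCipherSuite line admits (ECDHE key
# exchange only). Illustrative subset chosen for this example.
ORIGIN_SUITES = {
    0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256",
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC014: "ECDHE-RSA-AES256-SHA",
}

def build_client_hello(suites, sni=None):
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not a capture)."""
    ext = b""
    if sni:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        data = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(data)) + data  # extension type 0 = server_name
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(rec):
    """Return (offered cipher suite ids, SNI host name or None)."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 5 + 4 + 2 + 32                  # record hdr, handshake hdr, version, random
    p += 1 + rec[p]                     # skip session id
    n = struct.unpack_from("!H", rec, p)[0]
    suites = [struct.unpack_from("!H", rec, p + 2 + i)[0] for i in range(0, n, 2)]
    p += 2 + n
    p += 1 + rec[p]                     # skip compression methods
    sni = None
    end = p + 2 + (struct.unpack_from("!H", rec, p)[0] if p < len(rec) else 0)
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack_from("!HH", rec, p)
        if etype == 0:                  # server_name: list len, type, name len, name
            nlen = struct.unpack_from("!H", rec, p + 7)[0]
            sni = rec[p + 9:p + 9 + nlen].decode()
        p += 4 + elen
    return suites, sni

def diagnose(rec):
    """Report the two causes from the thread: missing SNI and no shared suite."""
    suites, sni = parse_client_hello(rec)
    shared = [ORIGIN_SUITES[s] for s in suites if s in ORIGIN_SUITES]
    return {"sni": sni, "shared": shared, "cipher_mismatch": not shared}
```

A hello that offers only RSA key-exchange suites (for example 0x002F and 0x009C) and carries no server_name extension comes back with `sni` set to `None` and `cipher_mismatch` set to `True`, the combination this thread ended up describing.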