forked from haproxy/haproxy
Open
Description
Your Feature Request
Detailed Description of the Problem
When some error happens and haproxy generates a 502, it also adds "cache-control: no-cache", which is not required for 502 because according to the RFC only 200 and 300 codes might be cached.
Let us not add the cache-control header when not needed.
An example of vtest with 502:
2026-01-09T21:47:04.3773315Z ##[group]Test case: reg-tests/quic/ssl_client_auth.vtc
2026-01-09T21:47:04.3779102Z **** dT 0.000
2026-01-09T21:47:04.3779494Z * top TEST reg-tests/quic/ssl_client_auth.vtc starting
2026-01-09T21:47:04.3780237Z **** top extmacro def ***
2026-01-09T21:47:04.3780607Z **** top extmacro def date(...)
2026-01-09T21:47:04.3780996Z **** top extmacro def string(...)
2026-01-09T21:47:04.3781474Z **** top extmacro def localhost=127.0.0.1
2026-01-09T21:47:04.3781922Z **** top extmacro def bad_backend=127.0.0.1:34563
2026-01-09T21:47:04.3782321Z **** top extmacro def listen_addr=127.0.0.1:0
2026-01-09T21:47:04.3782594Z **** top extmacro def bad_ip=192.0.2.255
2026-01-09T21:47:04.3782905Z **** top macro def testdir=/__w/haproxy/haproxy/reg-tests/quic
2026-01-09T21:47:04.3783320Z **** top macro def tmpdir=/tmp/haregtests-2026-01-09_21-46-08.wFwmm3/vtc.1932.0626274c
2026-01-09T21:47:04.3783689Z **** top macro def vtcid=vtc.1932.0626274c
2026-01-09T21:47:04.3783948Z ** top === varnishtest "Test the client auth"
2026-01-09T21:47:04.3784196Z * top VTEST Test the client auth
2026-01-09T21:47:04.3784509Z ** top === feature cmd "$HAPROXY_PROGRAM -cc 'feature(QUIC) && !feature...
2026-01-09T21:47:04.3784969Z **** dT 0.009
2026-01-09T21:47:04.3785263Z ** top === setenv VTC_SOCK_TYPE quic
2026-01-09T21:47:04.3785825Z ** top === include ${testdir}/../ssl/ssl_client_auth.vtci
2026-01-09T21:47:04.3786339Z ** top Begin include '/__w/haproxy/haproxy/reg-tests/quic/../ssl/ssl_client_auth.vtci'
2026-01-09T21:47:04.3786728Z ** top === feature ignore_unknown_macro
2026-01-09T21:47:04.3786967Z ** top === server s1 -repeat 3 {
2026-01-09T21:47:04.3787200Z ** s1 Starting server
2026-01-09T21:47:04.3787397Z **** s1 macro def s1_addr=127.0.0.1
2026-01-09T21:47:04.3787622Z **** s1 macro def s1_port=45689
2026-01-09T21:47:04.3787839Z **** s1 macro def s1_sock=127.0.0.1:45689
2026-01-09T21:47:04.3788075Z * s1 Listen on 127.0.0.1:45689
2026-01-09T21:47:04.3788294Z ** top === haproxy h1 -conf {
2026-01-09T21:47:04.3788528Z **** h1 macro def h1_closed_sock=127.0.0.1:41491
2026-01-09T21:47:04.3788789Z **** h1 macro def h1_closed_addr=127.0.0.1
2026-01-09T21:47:04.3789022Z **** h1 macro def h1_closed_port=41491
2026-01-09T21:47:04.3789273Z ** s1 Started on 127.0.0.1:45689 (3 iterations)
2026-01-09T21:47:04.3789501Z **** dT 0.011
2026-01-09T21:47:04.3789688Z **** h1 VTC_SOCK_TYPE value: 'quic'
2026-01-09T21:47:04.3789974Z **** h1 macro def h1_cli_sock=127.0.0.1:41851
2026-01-09T21:47:04.3790217Z **** h1 macro def h1_cli_addr=127.0.0.1
2026-01-09T21:47:04.3790440Z **** h1 macro def h1_cli_port=41851
2026-01-09T21:47:04.3790949Z **** h1 setenv(cli, 6) for TCP socket
2026-01-09T21:47:04.3791302Z **** h1 macro def h1_clearlst_sock=127.0.0.1:46825
2026-01-09T21:47:04.3791736Z **** h1 macro def h1_clearlst_addr=127.0.0.1
2026-01-09T21:47:04.3792145Z **** h1 macro def h1_clearlst_port=46825
2026-01-09T21:47:04.3792560Z **** h1 setenv(clearlst, 7) for TCP socket
2026-01-09T21:47:04.3792995Z **** h1 macro def h1_ssl_sock=127.0.0.1:56618
2026-01-09T21:47:04.3793411Z **** h1 macro def h1_ssl_addr=127.0.0.1
2026-01-09T21:47:04.3793804Z **** h1 macro def h1_ssl_port=56618
2026-01-09T21:47:04.3794156Z **** h1 setenv(ssl, 8) for QUIC socket
2026-01-09T21:47:04.3794580Z ** h1 haproxy_start
2026-01-09T21:47:04.3795254Z **** h1 opt_worker 0 opt_daemon 0 opt_check_mode 0 opt_mcli 0
2026-01-09T21:47:04.3796264Z **** h1 argv|exec "/__w/haproxy/haproxy/haproxy" -d -dM -dI -dW -f "/tmp/haregtests-2026-01-09_21-46-08.wFwmm3/vtc.1932.0626274c/h1/cfg"
2026-01-09T21:47:04.3796751Z **** h1 conf| global
2026-01-09T21:47:04.3797199Z **** h1 conf|\tstats socket "/tmp/haregtests-2026-01-09_21-46-08.wFwmm3/vtc.1932.0626274c/h1/stats.sock" level admin mode 600
2026-01-09T21:47:04.3797705Z **** h1 conf| stats socket "fd@${cli}" level admin
2026-01-09T21:47:04.3797944Z **** h1 conf|
2026-01-09T21:47:04.3798117Z **** h1 conf| global
2026-01-09T21:47:04.3798382Z **** h1 conf| .if streq("$VTC_SOCK_TYPE",quic)
2026-01-09T21:47:04.3798806Z **** h1 conf| # required for backend connections
2026-01-09T21:47:04.3799292Z **** h1 conf| expose-experimental-directives
2026-01-09T21:47:04.3799729Z **** h1 conf| .endif
2026-01-09T21:47:04.3800062Z **** h1 conf| .if feature(THREAD)
2026-01-09T21:47:04.3800293Z **** h1 conf| thread-groups 1
2026-01-09T21:47:04.3800511Z **** h1 conf| .endif
2026-01-09T21:47:04.3800684Z **** h1 conf|
2026-01-09T21:47:04.3800892Z **** h1 conf| .if !ssllib_name_startswith(AWS-LC)
2026-01-09T21:47:04.3801181Z **** h1 conf| tune.ssl.default-dh-param 2048
2026-01-09T21:47:04.3801431Z **** h1 conf| .endif
2026-01-09T21:47:04.3801604Z **** h1 conf|
2026-01-09T21:47:04.3801776Z **** h1 conf| defaults
2026-01-09T21:47:04.3801978Z **** h1 conf| mode http
2026-01-09T21:47:04.3802191Z **** h1 conf| option httplog
2026-01-09T21:47:04.3802433Z **** h1 conf| log stderr local0 debug err
2026-01-09T21:47:04.3802670Z **** h1 conf| option logasap
2026-01-09T21:47:04.3802946Z **** h1 conf| timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
2026-01-09T21:47:04.3803274Z **** h1 conf| timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
2026-01-09T21:47:04.3803608Z **** h1 conf| timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
2026-01-09T21:47:04.3803863Z **** h1 conf|
2026-01-09T21:47:04.3804037Z **** h1 conf| listen clear-lst
2026-01-09T21:47:04.3804262Z **** h1 conf| bind "fd@${clearlst}"
2026-01-09T21:47:04.3804498Z **** h1 conf| balance roundrobin
2026-01-09T21:47:04.3804860Z **** h1 conf| # crt: certificate sent for a client certificate request
2026-01-09T21:47:04.3806065Z **** h1 conf| server s1 "${VTC_SOCK_TYPE}+127.0.0.1:56618" ssl verify none crt /__w/haproxy/haproxy/reg-tests/quic/certs/client1.pem
2026-01-09T21:47:04.3807477Z **** h1 conf| server s2 "${VTC_SOCK_TYPE}+127.0.0.1:56618" ssl verify none crt /__w/haproxy/haproxy/reg-tests/quic/certs/client2_expired.pem # expired
2026-01-09T21:47:04.3808560Z **** h1 conf| server s3 "${VTC_SOCK_TYPE}+127.0.0.1:56618" ssl verify none crt /__w/haproxy/haproxy/reg-tests/quic/certs/client3_revoked.pem # revoked
2026-01-09T21:47:04.3809056Z **** h1 conf|
2026-01-09T21:47:04.3809242Z **** h1 conf| listen ssl-lst
2026-01-09T21:47:04.3809489Z **** h1 conf| # crt: certificate of the server
2026-01-09T21:47:04.3809816Z **** h1 conf| # ca-file: CA used for client authentication request
2026-01-09T21:47:04.3810257Z **** h1 conf| # crl-file: revocation list for client auth: the client1 certificate is revoked
2026-01-09T21:47:04.3811768Z **** h1 conf| bind "${VTC_SOCK_TYPE}+fd@${ssl}" ssl crt /__w/haproxy/haproxy/reg-tests/quic/certs/common.pem ca-file /__w/haproxy/haproxy/reg-tests/quic/certs/ca-auth.crt verify optional crt-ignore-err X509_V_ERR_CERT_REVOKED,X509_V_ERR_CERT_HAS_EXPIRED crl-file /__w/haproxy/haproxy/reg-tests/quic/certs/crl-auth.pem
2026-01-09T21:47:04.3813306Z **** h1 conf|
2026-01-09T21:47:04.3813573Z **** h1 conf| http-response add-header X-SSL %[ssl_c_verify,x509_v_err_str]
2026-01-09T21:47:04.3813932Z **** h1 conf| server s1 127.0.0.1:45689
2026-01-09T21:47:04.3814163Z **** h1 XXX 10 @860
2026-01-09T21:47:04.3814438Z *** h1 PID: 4341
2026-01-09T21:47:04.3814628Z **** h1 macro def h1_pid=4341
2026-01-09T21:47:04.3814958Z **** h1 macro def h1_name=/tmp/haregtests-2026-01-09_21-46-08.wFwmm3/vtc.1932.0626274c/h1
2026-01-09T21:47:04.3815356Z ** top === client c1 -connect ${h1_clearlst_sock} {
2026-01-09T21:47:04.3815733Z ** c1 Starting client
2026-01-09T21:47:04.3815938Z ** c1 Waiting for client
2026-01-09T21:47:04.3816160Z ** c1 Started on 127.0.0.1:46825 (1 iterations)
2026-01-09T21:47:04.3816414Z *** c1 Connect to 127.0.0.1:46825
2026-01-09T21:47:04.3816684Z *** c1 connected fd 9 from 127.0.0.1 39136 to 127.0.0.1:46825
2026-01-09T21:47:04.3816961Z ** c1 === txreq
2026-01-09T21:47:04.3817164Z **** c1 txreq|GET / HTTP/1.1\r
2026-01-09T21:47:04.3817378Z **** c1 txreq|Host: 127.0.0.1\r
2026-01-09T21:47:04.3817609Z **** c1 txreq|User-Agent: c1\r
2026-01-09T21:47:04.3817810Z **** c1 txreq|\r
2026-01-09T21:47:04.3817983Z ** c1 === rxresp
2026-01-09T21:47:04.3818152Z **** dT 0.043
2026-01-09T21:47:04.3818492Z *** h1 debug|[NOTICE] (4341) : Automatically setting global.maxconn to 32750.
2026-01-09T21:47:04.3818950Z *** h1 debug|Available polling systems :
2026-01-09T21:47:04.3819402Z *** h1 debug| epoll : pref=300, test result OK
2026-01-09T21:47:04.3819847Z *** h1 debug| poll :
2026-01-09T21:47:04.3820210Z *** h1 debug|pref=200, test result OK
2026-01-09T21:47:04.3820617Z *** h1 debug| select :
2026-01-09T21:47:04.3820898Z *** h1 debug|pref=150,
2026-01-09T21:47:04.3821227Z *** h1 debug| test result FAILED
2026-01-09T21:47:04.3821613Z *** h1 debug|Total: 3 (2 usable), will use epoll.
2026-01-09T21:47:04.3822002Z *** h1 debug|
2026-01-09T21:47:04.3822242Z *** h1 debug|Available filters :
2026-01-09T21:47:04.3822465Z *** h1 debug|\t[BWLIM] bwlim-in
2026-01-09T21:47:04.3822681Z *** h1 debug|\t[BWLIM] bwlim-out
2026-01-09T21:47:04.3822889Z *** h1 debug|\t[CACHE] cache
2026-01-09T21:47:04.3823116Z *** h1 debug|\t[COMP] compression
2026-01-09T21:47:04.3823332Z *** h1 debug|\t[FCGI] fcgi-app
2026-01-09T21:47:04.3823546Z *** h1 debug|\t[SPOE] spoe
2026-01-09T21:47:04.3823746Z *** h1 debug|\t[TRACE] trace
2026-01-09T21:47:04.3823948Z **** dT 0.044
2026-01-09T21:47:04.3824149Z *** h1 debug|Using epoll() as the polling mechanism.
2026-01-09T21:47:04.3824396Z **** dT 0.047
2026-01-09T21:47:04.3824641Z *** h1 debug|[NOTICE] (4341) : haproxy version is 3.4-dev2-fbd54469b50c
2026-01-09T21:47:04.3825039Z *** h1 debug|[NOTICE] (4341) : path to executable is /__w/haproxy/haproxy/haproxy
2026-01-09T21:47:04.3827851Z *** h1 debug|[WARNING] (4341) : [/__w/haproxy/haproxy/haproxy.main()] HAProxy was started as the root user and does not make use of 'user' nor 'uid' global options to drop the privileges. This is generally considered as a bad practice security-wise. If running as root is intentional, please make it explicit using 'uid 0' or 'user root', and also please consider using the 'chroot' directive to isolate the process into a totally empty and read-only directory if possible. Also, since your operating system supports it, alw
2026-01-09T21:47:04.3830114Z *** h1 debug|ays prefer relying on capabilities with unprivileged users than running with full privileges (look for 'setcap' in the configurationmanual).
2026-01-09T21:47:04.3830933Z *** h1 debug|00000000:clear-lst.accept(0007)=0016 from [127.0.0.1:39136] ALPN=<none>
2026-01-09T21:47:04.3831363Z *** h1 debug|00000000:clear-lst.clireq[0016:ffffffff]: GET / HTTP/1.1
2026-01-09T21:47:04.3831734Z *** h1 debug|00000000:clear-lst.clihdr[0016:ffffffff]: host: 127.0.0.1
2026-01-09T21:47:04.3832141Z *** h1 debug|00000000:clear-lst.clihdr[0016:ffffffff]: user-agent: c1
2026-01-09T21:47:04.3832625Z **** dT 0.095
2026-01-09T21:47:04.3833043Z *** h1 debug|conn. @(nil) OpenSSL error[0x3000098] do_sigver_init: invalid digest
2026-01-09T21:47:04.3833894Z *** h1 debug|conn. @(nil) OpenSSL error[0x6880006] ASN1_item_verify_ctx: EVP lib
2026-01-09T21:47:04.3834724Z *** h1 debug|conn. @(nil) OpenSSL error[0xa000086] tls_process_client_certificate: certificate verify failed
2026-01-09T21:47:04.3835370Z **** dT 0.096
2026-01-09T21:47:04.3835812Z *** h1 debug|00000000:clear-lst.srvcls[0016:ffff]
2026-01-09T21:47:04.3836272Z *** h1 debug|00000000:clear-lst.clicls[0016:ffff]
2026-01-09T21:47:04.3836722Z *** h1 debug|00000000:clear-lst.closed[0016:ffff]
2026-01-09T21:47:04.3837339Z *** h1 debug|<134>Jan 9 21:46:41 haproxy[4341]: 127.0.0.1:39136 [09/Jan/2026:21:46:40.972] clear-lst clear-lst/s1 0/0/8/-1/+48 502 +0 - - SH-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
2026-01-09T21:47:04.3837889Z **** c1 rxhdr|HTTP/1.1 502 Bad Gateway\r
2026-01-09T21:47:04.3838132Z **** c1 rxhdr|content-length: 107\r
2026-01-09T21:47:04.3838377Z **** c1 rxhdr|cache-control: no-cache\r
2026-01-09T21:47:04.3838624Z **** c1 rxhdr|content-type: text/html\r
2026-01-09T21:47:04.3838857Z **** c1 rxhdr|\r
2026-01-09T21:47:04.3839047Z **** c1 rxhdrlen = 99
2026-01-09T21:47:04.3839235Z **** c1 http[ 0] |HTTP/1.1
2026-01-09T21:47:04.3839552Z **** c1 http[ 1] |502
2026-01-09T21:47:04.3839850Z **** c1 http[ 2] |Bad Gateway
2026-01-09T21:47:04.3840198Z **** c1 http[ 3] |content-length: 107
2026-01-09T21:47:04.3840580Z **** c1 http[ 4] |cache-control: no-cache
2026-01-09T21:47:04.3840998Z **** c1 http[ 5] |content-type: text/html
2026-01-09T21:47:04.3841424Z **** c1 c-l|<html><body><h1>502 Bad Gateway</h1>
2026-01-09T21:47:04.3841932Z **** c1 c-l|The server returned an invalid or incomplete response.
2026-01-09T21:47:04.3842330Z **** c1 c-l|</body></html>
2026-01-09T21:47:04.3842522Z **** c1 bodylen = 107
2026-01-09T21:47:04.3842718Z ** c1 === expect resp.status == 200
2026-01-09T21:47:04.3842959Z ---- c1 EXPECT resp.status (502) == "200" failed
2026-01-09T21:47:04.3843221Z * top Aborting execution, test failed
2026-01-09T21:47:04.3843583Z ** top End include '/__w/haproxy/haproxy/reg-tests/quic/../ssl/ssl_client_auth.vtci'
2026-01-09T21:47:04.3843995Z * top RESETTING after reg-tests/quic/ssl_client_auth.vtc
2026-01-09T21:47:04.3844275Z ** s1 Waiting for server (4/-1)
2026-01-09T21:47:04.3844495Z ** h1 Reset and free h1 haproxy 4341
2026-01-09T21:47:04.3844712Z ** h1 Wait
2026-01-09T21:47:04.3844886Z ** h1 Stop HAproxy pid=4341
2026-01-09T21:47:04.3845084Z **** dT 0.097
2026-01-09T21:47:04.3845244Z **** h1 Kill(2)=0: Success
2026-01-09T21:47:04.3845430Z **** dT 0.098
2026-01-09T21:47:04.3845746Z **** h1 STDOUT EOF
2026-01-09T21:47:04.3845915Z **** dT 0.197
2026-01-09T21:47:04.3846132Z ** h1 WAIT4 pid=4341 status=0x0002 (user 0.076808 sys 0.009975)
2026-01-09T21:47:04.3846463Z * top TEST reg-tests/quic/ssl_client_auth.vtc FAILED
2026-01-09T21:47:04.3846736Z
2026-01-09T21:47:04.3847219Z ##[endgroup]
Expected Behavior
not to add cache-control when not needed
Steps to Reproduce the Behavior
run vtest
Do you have any idea what may have caused this?
No response
Do you have an idea how to solve the issue?
No response
What are you trying to do?
improve cache-control logic
Output of haproxy -vv
n/a