SoFunction
Updated on 2025-04-14

Causes of and solutions for 502 errors from an Nginx reverse proxy

1. Symptoms

When you visit a website proxied by Nginx, the page shows 502 Bad Gateway, and entries like the following appear in the Nginx error log (/var/log/nginx/):

connect() failed (111: Connection refused) while connecting to upstream
upstream timed out (110: Connection timed out) while reading response header from upstream

2. Common causes and solutions

1. The upstream server is not responding

Problem description: The backend service (such as Tomcat,) has not been started, has crashed, or its port is occupied.

Solution steps:

Check backend service status:

   systemctl status tomcat  # Take Tomcat as an example
   ps -ef | grep node      # Take as an example

Restart the backend service:

   systemctl restart tomcat

Check whether the backend service port is listening normally:

   netstat -tunlp | grep 8080  # Assume the backend port is 8080

2. The timeout setting is unreasonable

Problem description: The connection/read/write timeout between Nginx and the backend server is too short.

Solution: Modify the timeout parameters in Nginx configuration:

location / {
    proxy_pass http://backend;
    proxy_connect_timeout 60s;  # Connection timeout (default 60s)
    proxy_read_timeout 60s;     # Read response timeout (default 60s)
    proxy_send_timeout 60s;     # Send request timeout (default 60s)
}

Operation steps:

Edit Nginx configuration file:

   vi /etc/nginx/  # or the corresponding server configuration file

Restart Nginx to make the configuration take effect:

   systemctl restart nginx

3. Load balancing configuration error

Problem description: The backend server IP/port configured in upstream is incorrect, or the server status is abnormal.

Sample configuration:

upstream backend {
    server 192.168.1.10:8080 weight=5;   # Normal server
    server 192.168.1.11:8080 backup;     # Backup server (enabled when the main server is down)
}

Solution steps:

Check whether the server address and port in upstream are correct;

Test Nginx configuration syntax:

   nginx -t

Restart Nginx.

4. Inadequate buffer settings

Problem description: The backend response data is too large and the Nginx buffer is insufficient, resulting in truncation.

Solution: Adjust the buffer parameters:

location / {
    proxy_pass http://backend;
    proxy_buffers 8 4k;    # 8 buffers of 4 KB each (default 8 4k or 8 8k)
    proxy_buffer_size 4k;  # Buffer for the first part of the response (the headers)
}

5. SSL certificate verification failed (HTTPS scenario)

Problem description: Certificate verification fails when reverse proxying to an HTTPS backend.

Solution:

Disable certificate verification (acceptable in a test environment only; a production environment requires the correct CA certificate to be configured):

   location / {
       proxy_pass https://backend;
       proxy_ssl_verify off;  # Disable certificate verification
   }

Configure the CA certificate path (recommended for production):

   proxy_ssl_verify on;
   proxy_ssl_trusted_certificate /path/to/;  # CA bundle used to verify the upstream certificate
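
A check that the test-environment setting above has not been carried into a deployed configuration, as an added example (not from the original article). It relies on two facts about nginx: `proxy_ssl_verify` defaults to `off`, and the CA bundle used for verification is given with `proxy_ssl_trusted_certificate`. The function name, sample configs and CA path are constructed placeholders.

```shell
#!/bin/sh
# Added example: per-file heuristic. Included files and directives inherited
# from an outer http/server block are not followed.

audit_proxy_tls() {  # $1 = nginx config file; prints findings, returns 1 if any
    awk -v f="$1" '
        { line = $0; sub(/#.*/, "", line) }   # ignore comments
        line ~ /proxy_pass[ \t]+https:\/\//         { https = NR }
        line ~ /proxy_ssl_verify[ \t]+on[ \t]*;/    { on = 1 }
        line ~ /proxy_ssl_trusted_certificate[ \t]/ { ca = 1 }
        line ~ /proxy_ssl_verify[ \t]+off[ \t]*;/   {
            print f ":" NR ": proxy_ssl_verify off (upstream certificate not checked)"; bad = 1
        }
        END {
            if (https && !on && !bad) {
                print f ":" https ": https upstream without proxy_ssl_verify on"; bad = 1
            }
            if (on && !ca) {
                print f ": proxy_ssl_verify on without proxy_ssl_trusted_certificate"; bad = 1
            }
            exit bad + 0
        }
    ' "$1"
}

write_test_conf() {  # $1 = output path; constructed copy of the test-only setting
    cat > "$1" <<'EOF'
location / {
    proxy_pass https://backend;
    proxy_ssl_verify off;
}
EOF
}

write_prod_conf() {  # $1 = output path; constructed, the CA path is a placeholder
    cat > "$1" <<'EOF'
location / {
    proxy_pass https://backend;
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/nginx/PLACEHOLDER-ca.pem;
}
EOF
}

dir=$(mktemp -d)
write_test_conf "$dir/test.conf"; write_prod_conf "$dir/prod.conf"
audit_proxy_tls "$dir/test.conf" || echo "test.conf: findings above"
audit_proxy_tls "$dir/prod.conf" && echo "prod.conf: ok"
rm -rf "$dir"
```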

3. Summary of troubleshooting steps

Check whether the backend service is running normally;

Check the Nginx error log to locate the problem;

Adjust the timeout or buffer configuration;

Confirm that the load balancing configuration is correct;

Check the certificate configuration in HTTPS scenario.

With the methods above, most 502 errors caused by an Nginx reverse proxy can be solved. If the problem persists, it is recommended to further check the network firewall or the backend service log.

4. Supplementary method

The nature of the 502 error

The full name of the 502 error is Bad Gateway. In essence, Nginx, acting as a proxy server, cannot obtain a valid response from the upstream server (such as Tomcat/PHP/FastCGI). Common reasons include:

  • Upstream server down or unresponsive
  • The proxy timeout is too short
  • Insufficient number of connections/processes
  • Blocked by the firewall/SELinux
  • DNS resolution failed

Step-by-step troubleshooting and solutions

1. Step 1: Confirm whether the upstream server is alive

Operation: Bypass Nginx directly and use curl to access the backend service

Example:

# Assume that the backend service port is 8080
curl http://127.0.0.1:8080

If normal content is returned: the problem is in the Nginx configuration

If the request times out or the connection fails: repair the backend service first

2. Step 2: Adjust the Nginx timeout parameters

Nginx has a short default timeout (such as 60 seconds), which can be extended with the following configuration:

Modify the Nginx configuration (path: /etc/nginx/ or /*.conf):

location / {
    proxy_pass http://backend_server;
    # Timeout for connecting to the upstream server (default 60s)
    proxy_connect_timeout 120s;
    # Timeout for reading a response from the upstream server (default 60s)
    proxy_read_timeout 120s;
    # Timeout for sending a request to the upstream server (default 60s)
    proxy_send_timeout 120s;
}

Apply the change:

sudo nginx -s reload

3. Step 3: Solve the problem of insufficient connections

Symptom: A large number of 502 errors, accompanied by "upstream prematurely closed connection" in the Nginx log

Solution:

Increase the number of Nginx worker connections:

  worker_processes  4;  # Adjust according to the number of CPU cores
  events {
      worker_connections  10240;  # Maximum number of connections per worker
  }

Configure keepalive to the backend server (reduces frequent new connections):

  upstream backend_server {
      server 192.168.1.10:8080;
      keepalive 32;  # Keep 32 idle connections
  }
  location / {
      proxy_pass http://backend_server;
      proxy_http_version 1.1;
      proxy_set_header Connection "";  # Clear the Connection header so the proxy does not send Connection: close
  }

4. Step 4: Check the firewall and SELinux

Firewall (taking CentOS as an example):

# Open the port for Nginx to communicate with the backend server
sudo firewall-cmd --add-port=8080/tcp --permanent
sudo firewall-cmd --reload

SELinux (temporarily disable for testing):

sudo setenforce 0  # Temporarily disable enforcement
# Or disable it permanently (edit /etc/selinux/config)

5. Step 5: Fix DNS resolution problem

Symptom: 502 appears when a domain name is used (such as proxy_pass) in the proxy configuration

Solution:

Solution 1: Use IP address directly

Solution 2: Configure Nginx dedicated DNS resolver:

  upstream backend_server {
      server  resolve;  # Enable resolution
      resolver 8.8.8.8 8.8.4.4;  # Specify the DNS servers
      resolver_timeout 5s;  # Resolution timeout
  }

6. Step 6: Other FAQs

FastCGI/PHP configuration error (taking PHP as an example):

  location ~ \.php$ {
      fastcgi_pass   127.0.0.1:9000;
      fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
      include        fastcgi_params;
  }

It is necessary to ensure that the php-fpm service is running and the listen port is correct.

Improper load balancing configuration:

If you use least_conn or ip_hash, check whether all of the backend servers are healthy.

Tips for locating the problem with logs

View the Nginx error log (path: /var/log/nginx/):

tail -f /var/log/nginx/

Key error keywords:

connect() failed: connection failed (IP/port error)

upstream timed out: timeout (adjust the timeout parameter)

no live upstreams: no live nodes on the upstream server (check load balancing configuration)
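
The keyword-to-cause mapping above, applied to a whole error log as an added example (not part of the original article). It goes slightly beyond the listed keywords: `13: Permission denied`, `upstream prematurely closed connection` and `could not be resolved` are matched for the SELinux, connection and DNS steps earlier. The cause labels and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: group nginx error-log lines by the likely cause of a 502.

classify_502() {  # $1 = error log path; prints "<count> <cause>", most frequent first
    awk '
        /\(111: Connection refused\)/             { c["backend-down-or-wrong-port"]++; next }
        /\(13: Permission denied\)/ && /upstream/ { c["selinux-or-permissions"]++; next }
        /upstream timed out/                      { c["timeout"]++; next }
        /no live upstreams/                       { c["no-live-upstreams"]++; next }
        /upstream prematurely closed connection/  { c["upstream-closed-early"]++; next }
        /could not be resolved/                   { c["dns"]++; next }
        END { for (k in c) print c[k], k }
    ' "$1" | sort -k1,1nr -k2,2
}

write_sample_log() {  # $1 = output path; every line below is constructed
    cat > "$1" <<'EOF'
2025/04/14 10:00:01 [error] 900#900: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.5, server: example.test, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8080/", host: "example.test"
2025/04/14 10:00:02 [error] 900#900: *2 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.6, server: example.test, request: "GET /a HTTP/1.1", upstream: "http://127.0.0.1:8080/a", host: "example.test"
2025/04/14 10:00:09 [error] 900#900: *3 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 203.0.113.7, server: example.test, request: "GET /slow HTTP/1.1", upstream: "http://127.0.0.1:8080/slow", host: "example.test"
2025/04/14 10:00:15 [crit] 900#900: *4 connect() to 127.0.0.1:8080 failed (13: Permission denied) while connecting to upstream, client: 203.0.113.8, server: example.test, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8080/", host: "example.test"
2025/04/14 10:00:20 [error] 900#900: *5 no live upstreams while connecting to upstream, client: 203.0.113.9, server: example.test, request: "GET / HTTP/1.1", upstream: "http://backend/", host: "example.test"
2025/04/14 10:00:30 [notice] 899#899: signal process started
EOF
}

log=$(mktemp)
write_sample_log "$log"
classify_502 "$log"
rm -f "$log"
```

On a real server, pass the path of the actual error log to `classify_502` and start with the cause that has the highest count.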

By working through the steps above one at a time, 90% of 502 errors can be solved. If the problem persists, it is recommended to check the logs of the backend server (such as Tomcat/PHP-FPM logs) to locate it further.
