HTTP for Operators
This page supports debugging and designing HTTP(S) paths through load balancers, API gateways, reverse proxies, and Kubernetes Ingress. It pairs with TCP/IP Primer and TLS and Certificates.
Request and Response
Section titled “Request and Response”An HTTP/1.1 message has:
- Start line —
METHOD /path HTTP/1.1or status lineHTTP/1.1 200 OK. - Headers —
Host,User-Agent,Content-Type,Authorization, etc. - Body — Optional; common for POST/PUT.
HTTP/2 multiplexes streams over one TCP connection; operators still see status codes and pseudo-headers (:method, :path, :authority) in tools.
Methods (Common)
Section titled “Methods (Common)”| Method | Typical use | Idempotent? |
|---|---|---|
| GET | Read resource | Yes |
| HEAD | Like GET, no body | Yes |
| POST | Create or non-idempotent action | No |
| PUT | Replace resource | Yes |
| PATCH | Partial update | Sometimes |
| DELETE | Remove resource | Yes |
Idempotent methods are safer to retry after ambiguous network failure — the spec intent matters for APIs and caches.
Status Codes (Operator View)
Section titled “Status Codes (Operator View)”| Range | Meaning | Examples |
|---|---|---|
| 2xx | Success | 200 OK, 201 Created, 204 No Content |
| 3xx | Redirection | 301, 302, 304 Not Modified |
| 4xx | Client error | 400, 401, 403, 404, 429 |
| 5xx | Server / gateway error | 502 Bad Gateway, 503 Service Unavailable, 504 Gateway Timeout |
502/504 at a load balancer often mean unhealthy backends, timeout to origin, or TLS handshake failure to upstream — check target group health, security groups, and upstream certs.
Headers That Matter at the Edge
Section titled “Headers That Matter at the Edge”| Header | Why operators care |
|---|---|
| Host | Virtual hosting and routing (ALB listener rules, Ingress host). |
| X-Forwarded-For | Original client IP through proxies — trust only from known hops. |
| X-Forwarded-Proto | Whether the client used https; apps use it to build redirects. |
| Authorization | Bearer tokens, Basic — often logged by mistake; avoid logging full values. |
| Content-Length / Transfer-Encoding | Mismatches cause 400 or hung connections. |
Keep-Alive and Timeouts
Section titled “Keep-Alive and Timeouts”Keep-Alive reuses TCP connections for multiple requests. Idle timeouts on ALB, nginx, or API Gateway can close connections while clients still expect them open — symptoms: intermittent connection reset or 502 under load.
Align client, proxy, and server timeouts; health check intervals should be lower than idle cutoff where possible.
TLS Termination
Section titled “TLS Termination”Termination at the load balancer (or Ingress): clients use HTTPS to the edge; traffic to backends may be HTTP (in private network) or HTTPS (re-encrypt). Operators must know:
- Which component holds the certificate (e.g. ACM on ALB — TLS and Certificates).
- Whether SNI is required for shared IPs.
- Whether mTLS is enforced between client and edge, or edge and origin.
End-to-end TLS to the pod is a different model (service mesh, sidecars) — certificate rotation and trust move inward.
Common Failure Modes
Section titled “Common Failure Modes”| Symptom | Checks |
|---|---|
| 403 from WAF | AWS WAF rules, geo blocks, rate limits. |
| 404 only through LB | Wrong path rule, missing Host match, or Ingress backend typo. |
| Redirect loop | HTTP/HTTPS mismatch and X-Forwarded-Proto handling. |
| Large upload fails | Body size limits on proxy or API Gateway; timeout. |
| Works with curl, not browser | CORS is application-layer (not TCP); check API and preflight. |
- curl —
curl -v,-H,--resolveto test SNI and Host. - openssl s_client —
openssl s_client -connect host:443 -servername hostfor TLS handshakes. - Browser devtools — Network tab for status, timing, redirects.
Summary
Section titled “Summary”HTTP at the edge is routing + TLS + timeouts + headers. When logs show a status code, trace which hop generated it (WAF, LB, app) before changing application code.