nginx and http/2
zxcvbn4038 at gmail.com
Sun Jun 26 01:00:37 UTC 2016
I could use some help with this one - I took a big leap with enabling
http/2 support and I got knocked back really quick. There seems to be an
issue with POSTs and it seems to be more pronounced with iOS devices (as
much as you can trust user agents) but there were some non-iOS devices that
seemed to be having issues also. Unfortunately I had to pull the changes
quickly so I didn't get to capture too much debugging information (plus all
the connections were via tls 1.2 w/ diffie-hellman so even if I had quickly
taken a packet dump I wouldn't have been able to decrypt it).

So I built a version of curl with http/2 support to try and reproduce:

curl 7.49.1 (x86_64-pc-linux-gnu) libcurl/7.49.1 OpenSSL/1.0.2h
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp
smb smbs smtp smtps telnet tftp
Features: IPv6 Largefile NTLM NTLM_WB SSL TLS-SRP HTTP2 UnixSockets

I did a test POST request with http/1 and I got a 200 response.
I did the same POST request via http/2 and the tls handshake completed but
the connection was closed shortly thereafter. The error I see in the log
file is "client sent stream with data before settings were acknowledged
while processing HTTP/2 connection". I see other references to this error on
POST requests when I googled for it, but I didn't see a solution. This
sounds like an interoperability issue but I'd be shocked if I'm the first
one to find something like that.
This is also different than the errors I was seeing earlier in the week -
in those cases it looked like nginx was receiving the POST requests via
http/2, and forwarding to an HAProxy upstream via http/1.1. From there the
requests were dispatched to servers, also via http/1.1. One set of backend
servers seemed to be getting duplicate requests (but only of requests that
originated as HTTP/2 POSTs) and the other set running a java service seemed
to dislike the content received and they were closing the connections. I'm
still trying to reproduce those transactions in a dev environment w/
diffie-hellman disabled so I can get a packet capture and get a better idea
of what is happening.