
SSL http2 not enabled - possible bug

Discussion in 'Domains, DNS, Email & SSL Certificates' started by adamus007p, Mar 27, 2020.

  1. adamus007p

    adamus007p Member

    Hello,

    I want to enable http2.

    The test at HTTP/2 Test - Verify HTTP/2 Support | KeyCDN Tools
    shows:
    HTTP/2 protocol is supported.
    ALPN extension is supported.

    But when I enable Developer Tools in Chrome, there is info that protocol http1.1 is used.


    I have two VPS, the 1st with a custom nginx template and the 2nd one.
    The second VPS: I was using option 22, so everything was configured automatically. There is no http2 there either.

    1st VPS: my nginx config

    Code (Text):
    server {
      listen 443 ssl http2;


    VPS 2 with option 22 and WordPress

    Code (Text):
    server {
      listen 443 ssl http2 reuseport;



    Why the http2 is not enabled?
    How to enable it?



    Current Nginx Version: 1.17.8
    PHP 7.3.14



    More interesting is when I check
    Code (Text):
    nghttp -nv https://www.domain.com:443

    There is info: The negotiated protocol: h2

    but Developer Tools shows something different.

    The same situation is on this forum:
    Code:
    https://community.centminmod.com
    Please have a look, HTTP/1.1 not H2:




    @eva2000 is it a bug?

    Please have a look that other resources are H2,
    like https://ajax.cloudflare.com/cdn-cgi/scripts/7089c43e/cloudflare-static/rocket-loader.min.js
    Only HTTP/1.1, not H2.


    PS.
    My 3rd VPS, where there is a copy of the website, is OK,
    but there is an old PHP:
    PHP 7.2.28
    nginx version: nginx/1.17.9

    and on the 3rd VPS I can see H2 in the Developer Tools.
  2. eva2000

    eva2000 Administrator Staff Member

    Brisbane, Australia
    For what Chrome devtools reported: the Centmin Mod forum uses Service Worker caching, so it speaks HTTP/1.1 between your web browser and the Service Worker, so that's normal. See Added Forum PWA Mode For Page Speed Improvements.

    In Network dev tools, the 1st request is Service Worker pre-caching, talking HTTP/1.1 between the web browser and the Service Worker installed within the visitor's browser, and then a network request for the revalidation check between the Service Worker and the Cloudflare-protected origin via HTTP/2.

    For your situation, are you using the Cloudflare free or pro plan? Without domain names it's hard to see, but you should be able to check via the SSH command below, replacing the domain with the one you want to test.
    Code (Text):
    curl -4Iv https://community.centminmod.com

    the result output will show HTTP/2 200:
    Code (Text):
    curl -4Iv https://community.centminmod.com
    *   Trying 104.22.35.139:443...
    * Connected to community.centminmod.com (104.22.35.139) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: none
      CApath: none
    * loaded libnssckbi.so
    * ALPN, server accepted to use h2
    * SSL connection using TLS_AES_128_GCM_SHA256
    * Server certificate:
    *       subject: CN=centminmod.com,O="Cloudflare, Inc.",L=San Francisco,ST=CA,C=US
    *       start date: Mar 10 00:00:00 2020 GMT
    *       expire date: Oct 09 12:00:00 2020 GMT
    *       common name: centminmod.com
    *       issuer: CN=CloudFlare Inc ECC CA-2,O="CloudFlare, Inc.",L=San Francisco,ST=CA,C=US
    * Using HTTP2, server supports multi-use
    * Connection state changed (HTTP/2 confirmed)
    * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
    * Using Stream ID: 1 (easy handle 0x10ed710)
    > HEAD / HTTP/2
    > Host: community.centminmod.com
    > user-agent: curl/7.69.1
    > accept: */*
    >
    * Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
    < HTTP/2 200
    HTTP/2 200
    

    For posting code or output from commands, to keep the formatting you might want to use CODE tags for code: How to use forum BBCODE code tags :)
     
  3. adamus007p

    I am using the Free Plan for VPS2 for blogs.

    But for VPS 2 and 3 I do not use Cloudflare.
    There are copies of the website, and on VPS3 there is H2 (php 7.2)
    but on VPS1 there is NO h2.


    VPS1 Cloudflare WordPress no H2
    VPS2 NO Cloudflare, no H2
    VPS3 NO Cloudflare, H2 but there is php 7.2


    Why did Chrome Webmaster Tool show h2 one time?
    I will double check.
     
  4. adamus007p

    Interesting, I have no http2 for your link.

    Code (Text):
    curl -4Iv https://community.centminmod.com
    * About to connect() to community.centminmod.com port 443 (#0)
    *   Trying 104.22.34.139...
    * Connected to community.centminmod.com (104.22.34.139) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    *       subject: CN=centminmod.com,O="Cloudflare, Inc.",L=San Francisco,ST=CA,C=US
    *       start date: Mar 10 00:00:00 2020 GMT
    *       expire date: Oct 09 12:00:00 2020 GMT
    *       common name: centminmod.com
    *       issuer: CN=CloudFlare Inc ECC CA-2,O="CloudFlare, Inc.",L=San Francisco,ST=CA,C=US
    > HEAD / HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: community.centminmod.com
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    < Date: Thu, 26 Mar 2020 23:45:44 GMT
    Date: Thu, 26 Mar 2020 23:45:44 GMT
    < Content-Type: text/html; charset=UTF-8
    Content-Type: text/html; charset=UTF-8
    < Connection: keep-alive
    Connection: keep-alive
    < Set-Cookie: __cfduid=d540754311ed7be1f6a0de910ee61ee461585266344; expires=Sat, 25-Apr-20 23:45:44 GMT; path=/; domain=.centminmod.com; HttpOnly; SameSite=Lax
    Set-Cookie: __cfduid=d540754311ed7be1f6a0de910ee61ee461585266344; expires=Sat, 25-Apr-20 23:45:44 GMT; path=/; domain=.centminmod.com; HttpOnly; SameSite=Lax
    < CF-Ray: 57a4bf3f1a5bc2b8-FRA
    CF-Ray: 57a4bf3f1a5bc2b8-FRA
    < Age: 629
    Age: 629
    < Cache-Control: public, max-age=1200
    Cache-Control: public, max-age=1200
    < Expires: Fri, 27 Mar 2020 00:05:44 GMT
    Expires: Fri, 27 Mar 2020 00:05:44 GMT
    < Strict-Transport-Security: max-age=31536000; includeSubdomains
    Strict-Transport-Security: max-age=31536000; includeSubdomains
    < Vary: Accept-Encoding
    Vary: Accept-Encoding
    < CF-Cache-Status: HIT
    CF-Cache-Status: HIT
    < CF-CacheTime: 1200
    CF-CacheTime: 1200
    < CF-Default-Rule: 1
    CF-Default-Rule: 1
    < CF-Req-Country: DE
    CF-Req-Country: DE
    < CF-TLS: TLSv1.2
    CF-TLS: TLSv1.2
    < Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    < Feature-Policy: accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'
    Feature-Policy: accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'
    < Referrer-Policy: strict-origin-when-cross-origin
    Referrer-Policy: strict-origin-when-cross-origin
    < X-Content-Type-Options: nosniff
    X-Content-Type-Options: nosniff
    < X-Frame-Options: SAMEORIGIN
    X-Frame-Options: SAMEORIGIN
    < X-Powered-By: centminmod
    X-Powered-By: centminmod
    < X-Xss-Protection: 1
    X-Xss-Protection: 1
    < Server: cloudflare
    Server: cloudflare
    < alt-svc: h3-27=":443"; ma=86400, h3-25=":443"; ma=86400, h3-24=":443"; ma=86400, h3-23=":443"; ma=86400
    alt-svc: h3-27=":443"; ma=86400, h3-25=":443"; ma=86400, h3-24=":443"; ma=86400, h3-23=":443"; ma=86400
    
    <
    * Connection #0 to host community.centminmod.com left intact
    







    Code (Text):
    PING community.centminmod.com 104.22.35.139

    my domain responds below:

    Code (Text):
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    *       subject: CN=domain.com
    *       start date: Jan 14 19:05:16 2020 GMT
    *       expire date: Apr 13 19:05:16 2020 GMT
    *       common name: domain.com
    *       issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
    > HEAD / HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: www.domain.com
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    HTTP/1.1 200 OK
  5. eva2000

    Could be you're using curl 7.29 while I used curl 7.69, so the older one might not support HTTP/2.

    With curl 7.29, no HTTP/2 support:
    Code (Text):
    curl -4Iv https://community.centminmod.com
    * About to connect() to community.centminmod.com port 443 (#0)
    *   Trying 104.22.34.139...
    * Connected to community.centminmod.com (104.22.34.139) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    *       subject: CN=centminmod.com,O="Cloudflare, Inc.",L=San Francisco,ST=CA,C=US
    *       start date: Mar 10 00:00:00 2020 GMT
    *       expire date: Oct 09 12:00:00 2020 GMT
    *       common name: centminmod.com
    *       issuer: CN=CloudFlare Inc ECC CA-2,O="CloudFlare, Inc.",L=San Francisco,ST=CA,C=US
    > HEAD / HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: community.centminmod.com
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    

    so CentOS 7's default curl 7.29 doesn't support testing with HTTP/2, which is separate from Nginx HTTP/2 server-side support.
     
  6. eva2000

    Post the output of this command for all 3 of your VPS servers:
    Code (Text):
    nginx -V
    
     
  7. adamus007p

    I have used the same browser now.
    I have the same situation as for the forum.

    All resources from my domain are http1.1; only 3rd party ones are h2.

    Why does it happen?
     
  8. eva2000

    As the nghttp client supports HTTP/2, that means your domain supports HTTP/2, as the h2 protocol was negotiated. So the problem is in your web browser's support for HTTP/2. If you have anti-virus software which intercepts HTTPS requests (man-in-the-middle eavesdropping), then what you see could be the anti-virus software on your system/browser connection via your anti-virus proxy, which may be HTTP/1.1, as it allows the anti-virus to eavesdrop on your HTTPS connections.
     
  9. eva2000

    what is output for http2 not enabled - possible bug
     
  10. adamus007p

    I think I had a false positive with VPS3, but on both PCs I have the same browser
    Version 80.0.3987.149 (Official Build) (64-bit)


    When I use the hosts file to connect directly to the second server I have http1.1 too.
    But when I use my USA VPS with Windows to connect to the US page there is H2.
    Weird.
     
  11. adamus007p

    VPS3: when from one VPS with Windows I can see h2, but with my PC, when I use the IP and hosts file to connect to the USA VPS, I see http1.1.

    VPS3:

    Code (Text):
    nginx -V
    nginx version: nginx/1.17.9 (060320-023247-centos7-kvm-9e5afa5)
    built by gcc 8.3.1 20190311 (Red Hat 8.3.1-3) (GCC)
    built with OpenSSL 1.1.1d  10 Sep 2019
    TLS SNI support enabled
    configure arguments: --with-ld-opt='-Wl,-E -L/usr/local/lib -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib -flto=2 -fuse-ld=gold' --with-cc-opt='-I/usr/local/include -m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -fstack-protector-strong -flto=2 -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting -Wno-cast-function-type -Wno-format-extra-args -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --build=060320-023247-centos7-kvm-9e5afa5 --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.5 --add-dynamic-module=../ngx_devel_kit-0.3.0 --add-dynamic-module=../set-misc-nginx-module-0.32 --add-dynamic-module=../echo-nginx-module-0.61 --add-module=../redis2-nginx-module-0.15 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-dynamic-module=../headers-more-nginx-module-0.33 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.1d --with-openssl-opt='enable-ec_nistp_64_gcc_128 enable-tls1_3 -fuse-ld=gold'
    
     
  12. eva2000

    That could be why. If you remove the IP hosts file setting, do you see HTTP/2?
     
  13. adamus007p

    George, I have checked community.centminmod.com on my VPS with Windows and there it shows h2 for community.centminmod.com.

    It is very weird; maybe my Bitdefender blocks it.


    But why does it not block other connections, and 3rd party connections are H2?
     
  14. eva2000

    Bitdefender is MITMing your HTTPS requests: Talk:Bitdefender - Wikipedia "MITM_attack"

    https://www.zdnet.com/article/googl...to-av-and-security-firms-stop-trashing-https/

    You'd have to turn off Bitdefender's MITM settings.
     
  16. adamus007p

    Ok, I have found the problem. Bitdefender blocks most of SSL.
    Possibly non-Letsencrypt SSL was OK.

    I have turned this off and now all links are H2.

    It is a very weird problem. Possibly it slows down websites for Bitdefender users.
     
  17. adamus007p

    I have double-checked everything and it is OK. On every VPS there is H2.
    I am sorry for the false positive alert.
    This Bitdefender is ..... I will not end.
     
  18. eva2000

    Yeah, some anti-virus software is doing bad things by intercepting HTTPS requests via MITM.
     
  19. adamus007p

    Last thing, George: how to check if brotli is enabled?

    and

    How to use
    curl -4Iv with my CentOS?

    How to update it?



    Thank you for your help. I thought that it was a bug, but the bug is in Bitdefender.
     
  20. eva2000

    brotli can be checked in network dev tools in the asset request's response headers for content-encoding = br

    or via curl
    Code (Text):
    curl -4I -H 'Accept-Encoding:br' https://community.centminmod.com

    look for content-encoding: br
    Code (Text):
    curl -4I -H 'Accept-Encoding:br' https://community.centminmod.com
    HTTP/2 200
    date: Fri, 27 Mar 2020 00:27:23 GMT
    content-type: text/html; charset=UTF-8
    set-cookie: __cfduid=dbf28232a29662b28a6236e77efb2ad811585268843; expires=Sun, 26-Apr-20 00:27:23 GMT; path=/; domain=.centminmod.com; HttpOnly; SameSite=Lax
    cf-ray: 57a4fc3ed964c5ec-EWR
    age: 483
    cache-control: public, max-age=1200
    expires: Fri, 27 Mar 2020 00:47:23 GMT
    strict-transport-security: max-age=31536000; includeSubdomains
    vary: Accept-Encoding
    cf-cache-status: HIT
    cf-cachetime: 1200
    cf-default-rule: 1
    cf-req-country: CA
    cf-tls: TLSv1.3
    expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    feature-policy: accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'
    referrer-policy: strict-origin-when-cross-origin
    x-content-type-options: nosniff
    x-frame-options: SAMEORIGIN
    x-powered-by: centminmod
    x-xss-protection: 1
    server: cloudflare
    content-encoding: br
    alt-svc: h3-27=":443"; ma=86400, h3-25=":443"; ma=86400, h3-24=":443"; ma=86400, h3-23=":443"; ma=86400
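The curl check above can be made a little stricter, as an added example rather than code from the thread or from Centmin Mod: parse the response headers for content-encoding, and at the same time confirm that Vary: Accept-Encoding is present, because a br-encoded body without it can be stored by a shared cache and handed to the next client that never offered br. The URL argument and the sample responses embedded at the bottom are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread or from Centmin Mod.  Confirms that
# brotli was actually negotiated and catches the header mistake that matters
# for a shared cache: a br-encoded body with no `Vary: Accept-Encoding` can be
# stored once and handed to the next client that never offered br.
# The URL argument and the sample responses below are constructed for illustration.
set -u

# Header lookup that ignores case and CR: HTTP/2 always sends lower-case names,
# HTTP/1.1 origins usually do not.
header_value() {              # $1 = raw response headers, $2 = header name (lower-case)
  printf '%s\n' "$1" | tr -d '\r' | tr '[:upper:]' '[:lower:]' \
    | sed -n "s/^$2:[[:space:]]*//p" | head -n 1
}

# The content-encoding the server chose: br, gzip, ... or identity when absent.
negotiated_encoding() {       # $1 = raw response headers
  local enc
  enc=$(header_value "$1" content-encoding)
  printf '%s\n' "${enc:-identity}"
}

# True when Vary names Accept-Encoding (or is the wildcard), so caches key on it.
vary_covers_encoding() {      # $1 = raw response headers
  case "$(header_value "$1" vary)" in
    *accept-encoding*|'*') return 0 ;;
    *)                     return 1 ;;
  esac
}

# Verdict: br-ok, br-no-vary (compressed but cache-unsafe), or no-br.
brotli_verdict() {            # $1 = raw response headers
  if [ "$(negotiated_encoding "$1")" = br ]; then
    vary_covers_encoding "$1" && echo br-ok || echo br-no-vary
  else
    echo no-br
  fi
}

# Live check.  Offer br only, so a gzip fallback cannot be mistaken for brotli,
# and use a real GET with the body discarded: some origins skip compression
# (and the content-encoding header) on HEAD, which `curl -I` sends.
check_brotli() {              # $1 = URL
  brotli_verdict "$(curl -4s -o /dev/null -D - -H 'Accept-Encoding: br' "$1")"
}

# Constructed sample responses (not captured from any real server).
SAMPLE_OK='HTTP/2 200
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
content-encoding: br
server: nginx'
SAMPLE_NO_VARY='HTTP/1.1 200 OK
Content-Type: text/html
Content-Encoding: br
Server: nginx'
SAMPLE_PLAIN='HTTP/2 200
content-type: text/html
vary: Accept-Encoding'

if [ -n "${1:-}" ]; then check_brotli "$1"; fi
```

`./brcheck.sh https://www.domain.com/` prints br-ok for a correctly configured origin. A br-no-vary result means brotli works but the response is not safe to put behind a shared cache until the Vary header is fixed; no-br with a Vary header present usually means the asset type is not in the brotli types list, and no-br without one means the module is not active for that server block.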