I have problems with the HTTP/2 protocol on my NGINX server; this is my configuration:
listen 443 ssl http2;
server_name adomain.com;
root /var/www/project;
limit_req zone=one burst=60 nodelay;
add_header Strict-Transport-Security "max-age=2592000; includeSubdomains;" always;
ssl_certificate /etc/letsencrypt/live/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
resolver 8.8.8.8;
ssl_stapling on;
ssl_stapling_verify on;
keepalive_timeout 70;
I can't see the error on my iOS device (Safari 11). It's very strange: the webpage is a SPA (Angular) that makes requests to an API. The app loads over HTTP/2, but when the app has to make requests to the API it fails; disabling HTTP/2 in the listen directive
makes everything work as expected.
The ciphers for both servers (frontend/backend) are the same.
In Chrome/Firefox/IE it works fine; I don't know what is wrong with Safari or my server config.
The error.log and adomain-error.log are empty when Safari fails.
Nginx version:
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
UPDATE
The console on my iPhone says "Protocol error",
so I'm pretty sure that it's an error of iOS 11.
UPDATE 2
I have found this post:
https://www.nginx.com/blog/http2-theory-and-practice-in-nginx-stable-13/
It explains that if you support TLS < 1.2 you will end up with a PROTOCOL ERROR.
Leaving just TLSv1.2 in my server config makes the app work again, but it's buggy: some requests will fail... that's beyond my comprehension. Once again, in Chrome/Firefox it's working, but in my mobile Safari it doesn't.
UPDATE 3 [2019/02/28]
There was a bug in our NGINX config for the OPTIONS method of a CORS request, causing duplicated Content-Length and Content-Type headers to be sent in the response. After we solved that, the app started working fine over HTTP/2. We also changed the status of the OPTIONS response from 200 to 204.
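An added defender-side check, not part of the question above and not nginx's own tooling: it lints the ssl_protocols / ssl_ciphers lines for settings that violate the HTTP/2 TLS requirements from UPDATE 2, and inspects a preflight reply for the duplicated Content-Length / Content-Type headers from UPDATE 3. The sample config and reply are constructed from the post; the regexes and the "ephemeral key exchange + AEAD" rule are simplifications (not a full nginx parser, and an approximation of RFC 7540 section 9.2.2 rather than the exact Appendix A list).

```python
import re
from collections import Counter

# Constructed input: the TLS lines of the question's own server block.
SAMPLE_CONF = """
listen 443 ssl http2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:HIGH:!aNULL";
"""

# Constructed input: a CORS preflight reply of the shape UPDATE 3 describes.
SAMPLE_PREFLIGHT = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Type: application/json\r\n"
                    "Content-Length: 0\r\nContent-Length: 2\r\nAccess-Control-Allow-Origin: *\r\n\r\n")

def lint_tls_config(conf):
    """Flag ssl_protocols / ssl_ciphers settings that break HTTP/2 over TLS.
    The regexes are a simplification, not a full nginx config parser."""
    findings = []
    m = re.search(r"^\s*ssl_protocols\s+([^;]+);", conf, re.M)
    if m:
        for proto in m.group(1).split():
            if proto in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
                findings.append(f"ssl_protocols enables {proto}; HTTP/2 requires TLS 1.2+")
    m = re.search(r'^\s*ssl_ciphers\s+"?([^";]+)"?;', conf, re.M)
    if m:
        for suite in m.group(1).split(":"):
            # OpenSSL aliases and exclusions (HIGH, EECDH+AESGCM, !aNULL) are not expanded here.
            if suite.startswith("!") or "+" in suite or "-" not in suite:
                continue
            # Approximates RFC 7540 s9.2.2: HTTP/2 wants ephemeral key exchange plus AEAD;
            # static-RSA, CBC and 3DES suites are on the Appendix A blacklist.
            ephemeral = suite.startswith(("ECDHE-", "DHE-"))
            aead = any(t in suite for t in ("-GCM-", "-CCM", "CHACHA20"))
            if not (ephemeral and aead):
                findings.append(f"ssl_ciphers lists {suite}, an HTTP/2 blacklisted suite")
    return findings

def lint_preflight(raw):
    """Flag header defects on an OPTIONS reply that strict HTTP/2 clients reject."""
    head = raw.partition("\r\n\r\n")[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    counts = Counter(line.split(":", 1)[0].strip().lower() for line in header_lines)
    findings = [f"duplicate {n} header" for n in ("content-length", "content-type") if counts[n] > 1]
    if status == 204 and counts["content-length"]:
        findings.append("204 response must not carry Content-Length")  # RFC 7230 s3.3.2
    return findings
```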