I have an AWS setup that is not being reliable and I'm trying to figure out why. For background - the site is new and just being tested among our team, but it has persistent problems for some of our people depending on their device, mainly it seems on iPhones across browsers. My problem is these team members are remote and when I look at my logs - it appears everything is working and I'm also unable to reproduce the bug locally.

The setup is:

  • A Route 53 domain aliased to the Application Load Balancer

  • An AWS Application Load Balancer (logs below) open to external connections for HTTP and HTTPS with an automatic redirect to HTTPS.

  • Two (now one - for easier debugging) EC2s running a LAMP stack in Apache only open to the Balancer's security group (logs below)

The load balancer log (excerpt - just the line from the iPhone that can't connect):

h2 2019-02-15T14:35:51.824359Z app/MYAPP/aa921ed4d3be346d 0.001 0.441 0.000 200 200 299 41462 "GET https://www.example.com:443/ HTTP/2.0" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/72.0.3626.101 Mobile/15E148 Safari/605.1" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:495989323513:targetgroup/MYAPPHTTPINTERNALFROMLOADTOEC2/29d1b899c1f7c0b0 "Root=1-5c66ce47-0d87c4f5e9227744bf3cc78e" "www.example.com" "arn:aws:acm:us-east-1:495989323513:certificate/466810d1-3797-4abf-ba26-0865cb14e5b6" 0 2019-02-15T14:35:51.267000Z "forward" "-" "-"

h2 2019-02-15T14:35:52.021618Z app/MYAPP/aa921ed4d3be346d 0.001 0.001 0.000 200 200 208 336 "GET https://www.example.com:443/favicon.ico HTTP/2.0" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/72.0.3626.101 Mobile/15E148 Safari/605.1" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:495989323513:targetgroup/MYAPPHTTPINTERNALFROMLOADTOEC2/29d1b899c1f7c0b0 "Root=1-5c66ce48-b28a362cbdcf892c54bfc23a" "www.example.com" "arn:aws:acm:us-east-1:495989323513:certificate/466810d1-3797-4abf-ba26-0865cb14e5b6" 0 2019-02-15T14:35:52.019000Z "forward" "-" "-"

The Apache log:

- - [15/Feb/2019:14:35:51 +0000] "GET / HTTP/1.1" 200 85507 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/72.0.3626.101 Mobile/15E148 Safari/605.1"

- - [15/Feb/2019:14:35:52 +0000] "GET /favicon.ico HTTP/1.1" 200 - "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like MacOS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/72.0.3626.101 Mobile/15E148 Safari/605.1

I'm having a hard time here because it appears the connections have status 200.

The guide to reading the ELB log is here - AWS ELB Access Log

The guide to reading the Apache log is here - Apache Access Log

Notice the Apache log shows no size of the object being returned to the client for the favicon, but that's because it doesn't exist for this site yet.

The Apache error log has nothing, nor does the application error log. I connect to it fine - just my members with iPhones do not (I'm not even sure the iPhone makes the difference - could just be coincidence).

The error is this:


My Apache Setup is just the default httpd.conf with the root directory changed to serve my site.

Here it is (only with the lines I changed):

DocumentRoot "/var/www/html/myapp/public/"
# Relax access to content within /var/www.
<Directory "/var/www">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>

# Further relax access to the default document root:
<Directory "/var/www/html/myapp/public">
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    Options Indexes FollowSymLinks

    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    AllowOverride All

    # Controls who can get stuff from this server.
    Require all granted
</Directory>

Again, it works for me and it works for this member on his desktop, but not on his (and some other members') iPhones.

Looking for additional debugging help, thank you.

I definitely think it's either a load balancer or a Route 53 problem because when this iPhone connects directly to the EC2 via its IP (when I relax the security group settings there temporarily) it loads the page fine...

Hmmm... I think it has to do with this: https://stackoverflow.com/questions/47962233/unable-to-access-website-on-safari-ios

Summer Developer
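
An added example, not part of the original question: a parser that names the fields of an ALB access-log entry like the ones quoted above and flags the values that would indicate a load balancer or target failure. The sample line is constructed from the excerpt with placeholder ARNs and IDs, and `parse_alb_line` and `triage` are illustrative names.

```python
import shlex

# ALB access-log field order (format in use at the time of the question).
FIELDS = (
    "type time elb client target request_processing_time "
    "target_processing_time response_processing_time elb_status_code "
    "target_status_code received_bytes sent_bytes request user_agent "
    "ssl_cipher ssl_protocol target_group_arn trace_id domain_name "
    "chosen_cert_arn matched_rule_priority request_creation_time "
    "actions_executed redirect_url error_reason"
).split()

def parse_alb_line(line):
    """Split one ALB entry into named fields; quoted fields keep their spaces."""
    tokens = shlex.split(line)
    names = list(FIELDS)
    # The excerpt in the question has client:port and target:port removed, so
    # its fourth token is a timing value rather than an address. Handle both.
    if len(tokens) > 3 and ":" not in tokens[3]:
        names = [n for n in names if n not in ("client", "target")]
    return dict(zip(names, tokens))

def triage(entry):
    """List signs that the load balancer or target failed the request."""
    findings = []
    for key in ("request_processing_time", "target_processing_time",
                "response_processing_time"):
        if float(entry[key]) < 0:  # -1 means that stage did not complete
            findings.append(key + " is -1")
    if entry["elb_status_code"] != entry["target_status_code"]:
        findings.append("ALB status %s differs from target status %s"
                        % (entry["elb_status_code"], entry["target_status_code"]))
    return findings

# Constructed sample modelled on the excerpt above; ARNs and IDs are placeholders.
SAMPLE = (
    'h2 2019-02-15T14:35:51.824359Z app/MYAPP/EXAMPLE 0.001 0.441 0.000 '
    '200 200 299 41462 "GET https://www.example.com:443/ HTTP/2.0" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X)" '
    'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:example:targetgroup/EXAMPLE '
    '"Root=1-EXAMPLE" "www.example.com" "arn:aws:example:certificate/EXAMPLE" '
    '0 2019-02-15T14:35:51.267000Z "forward" "-" "-"'
)

if __name__ == "__main__":
    entry = parse_alb_line(SAMPLE)
    print(entry["elb_status_code"], entry["target_status_code"], triage(entry))
```

An empty result from `triage` means the load balancer received a response from the target and sent one to the client, so the entry gives no evidence of a server-side failure.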

1 Answer


It was this: HTTPS doesn't work with Safari

Add the following to your httpd.conf to fix:

<IfModule mod_http2.c>
    Protocols h2 http/1.1
    Header unset Upgrade
</IfModule>

Summer Developer
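
A check for the header that the fix removes, as an added example that is not part of the original answer: it inspects the response the backend returns over HTTP/1.1 (the protocol the Apache log shows the load balancer using) and reports an `Upgrade` header offering `h2` or `h2c`. The sample responses are constructed, and `fetch_headers` with its arguments is a hypothetical helper for running the same check against a live instance.

```python
import http.client

def parse_head(raw):
    """Parse a raw HTTP/1.1 response head into (status, [(name, value), ...])."""
    lines = raw.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers

def advertised_h2(headers):
    """Return the HTTP/2 tokens (h2, h2c) offered in any Upgrade header."""
    found = []
    for name, value in headers:
        if name.lower() == "upgrade":
            found += [t.strip().lower() for t in value.split(",")]
    return [t for t in found if t in ("h2", "h2c")]

def fetch_headers(address, vhost, port=80, path="/"):
    """Query the backend directly over HTTP/1.1 (hypothetical helper)."""
    conn = http.client.HTTPConnection(address, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": vhost})
        resp = conn.getresponse()
        return resp.status, resp.getheaders()
    finally:
        conn.close()

# Constructed responses: before and after adding "Header unset Upgrade".
BEFORE = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nUpgrade: h2,h2c\r\n"
          "Connection: Upgrade\r\nContent-Type: text/html\r\n\r\n")
AFTER = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        status, headers = parse_head(raw)
        print(label, status, advertised_h2(headers) or "no HTTP/2 Upgrade offer")
```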