Welcome! Log In Create A New Profile

Advanced

HTTP/2 stream 1 was not closed cleanly

Posted by Gregory Storme 
Gregory Storme
HTTP/2 stream 1 was not closed cleanly
December 04, 2017 01:40PM
Hi,

I'm trying to enable http2 on a frontend, I added:

bind x.x.x.x:443 ssl crt /etc/ssl/private/letsencrypt_staging.pem alpn h2,http/1.1

I get a ERR_SPDY_PROTOCOL_ERROR when browsing the site.
Chrome net-internals log:

t=580016 [st=7] -HTTP_TRANSACTION_SEND_REQUEST
t=580016 [st=7] +HTTP_TRANSACTION_READ_HEADERS [dt=1]
t=580017 [st=8] HTTP2_STREAM_ERROR
--> description = "Server reset stream with error INTERNAL_ERROR."
--> net_error = "ERR_SPDY_PROTOCOL_ERROR"
--> stream_id = 3

curl -I --http2 https://my_website
curl: (92) HTTP/2 stream 1 was not closed cleanly: INTERNAL_ERROR (err 2)

Haproxy log:
staging~ staging_servers/web003 0/0/-1/-1/0 503 1164 - - CC-- 1/1/0/0/0 0/0 {} "GET / HTTP/1.1"

haproxy -vv
HA-Proxy version 1.8.0-2~bpo8+1 2017/12/02
Copyright 2000-2017 Willy Tarreau <[email protected]>

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2
OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_PCRE=1 USE_NS=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.0.2l 25 May 2017
Running on OpenSSL version : OpenSSL 1.0.2l 25 May 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.35 2014-04-04
Running on PCRE version : 8.35 2014-04-04
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.
Willy Tarreau
Re: HTTP/2 stream 1 was not closed cleanly
December 04, 2017 06:40PM
Hi Gregory,

On Mon, Dec 04, 2017 at 12:34:44PM +0000, Gregory Storme wrote:
> Hi,
>
> I'm trying to enable http2 on a frontend, I added:
>
> bind x.x.x.x:443 ssl crt /etc/ssl/private/letsencrypt_staging.pem alpn h2,http/1.1
>
> I get a ERR_SPDY_PROTOCOL_ERROR when browsing the site.
> Chrome net-internals log:
>
> t=580016 [st=7] -HTTP_TRANSACTION_SEND_REQUEST
> t=580016 [st=7] +HTTP_TRANSACTION_READ_HEADERS [dt=1]
> t=580017 [st=8] HTTP2_STREAM_ERROR
> --> description = "Server reset stream with error INTERNAL_ERROR."
> --> net_error = "ERR_SPDY_PROTOCOL_ERROR"
> --> stream_id = 3
>
> curl -I --http2 https://my_website
> curl: (92) HTTP/2 stream 1 was not closed cleanly: INTERNAL_ERROR (err 2)
>
> Haproxy log:
> staging~ staging_servers/web003 0/0/-1/-1/0 503 1164 - - CC-- 1/1/0/0/0 0/0 {} "GET / HTTP/1.1"

This request was not served and ended up in 503 (no server). Would you
happen to have redefined "errorfile 503" in your config ? The only case
I'm seeing where we can close this way is on contents that the HTTP/1
parser wouldn't accept (invalid response headers, broken chunking, stuff
like this). So this very closely ressembles an errorfile mapped to
something not normal.

> haproxy -vv
> HA-Proxy version 1.8.0-2~bpo8+1 2017/12/02

A significant number of h2 and HPACK fixes were merged since, but nothing
which should affect this.

Willy
Vincent Bernat
Re: HTTP/2 stream 1 was not closed cleanly
December 04, 2017 07:50PM
❦ 4 décembre 2017 12:34 GMT, Gregory Storme <[email protected]> :

> haproxy -vv
> HA-Proxy version 1.8.0-2~bpo8+1 2017/12/02

If you want to try with 1.8.1, it has just been uploaded.
--
Lord, what fools these mortals be!
-- William Shakespeare, "A Midsummer-Night's Dream"
Gregory Storme
Re: HTTP/2 stream 1 was not closed cleanly
December 05, 2017 12:00AM
Hi,

Fixed by removing "option abortonclose" from the defaults section.

Thanks

________________________________
From: Vincent Bernat <[email protected]>
Sent: Monday, December 4, 2017 7:44 PM
To: Gregory Storme
Cc: haproxy@formilux.org
Subject: Re: HTTP/2 stream 1 was not closed cleanly

❦ 4 décembre 2017 12:34 GMT, Gregory Storme <[email protected]> :

> haproxy -vv
> HA-Proxy version 1.8.0-2~bpo8+1 2017/12/02

If you want to try with 1.8.1, it has just been uploaded.
--
Lord, what fools these mortals be!
-- William Shakespeare, "A Midsummer-Night's Dream"
Willy Tarreau
Re: HTTP/2 stream 1 was not closed cleanly
December 07, 2017 07:30PM
Hi,

On Mon, Dec 04, 2017 at 10:56:22PM +0000, Gregory Storme wrote:
> Hi,
>
> Fixed by removing "option abortonclose" from the defaults section.

There's indeed an incompatibility between abortonclose and H2 which
I don't yet know how to solve, I guess we'll have to move that option
from the proxy to the stream being served and invalidate it when running
from H2. The reason is the difference in behaviour in browsers between
H1 and H2 :
- in H1, when the user clicks "stop", the browser can only send a
shutdown(write) which results in an end of stream being detected.
Option abortonclose then serves to turn this received close into
an abort request.

- in H2, we do have this abort signal via the RST_STREAM frame, and
requests carry an end of stream signal to indicate the request is
complete (headers and optionally payload). In this case we must not
use abortonclose, it never is a valid indicator that the user clicked
on stop.

For now the best we could do would be to document it but I fear
ossification, so I'd rather address it at the root so that abortonclose
doesn't have this undesired effect on H2.

Regards,
Willy
Sorry, only registered users may post in this forum.

Click here to login