0

On Chrome, when calling my webpage, I get a err_spdy_protocol_error page. Also, an nginx ssl handshake error is thrown. This got me thinking, why is Chrome using SPDY to call my page and why does it fail? Furthermore, I´ve noticed that, while the page works completely fine on Firefox, it will send an X-Firefox-Spdy with the response with a value of h2. I don´t know why it´s using the SPDY protocol and, furthermore, why it´s causing an error on Chrome and Safari.
Here´s my current nginx configuration, which serves as a proxy to an nginx instance in a docker container: 

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name MYDOMAIN;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/MYDOMAIN/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/MYDOMAIN/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_dhparam /etc/letsencrypt/live/MYDOMAIN/dh.pem;
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=86400;" always;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/MYDOMAIN/chain.pem;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header x-xss-protection "1; mode=block" always;
    location / {
            proxy_pass http://laradock;
    }
}

The ssl certificate & config I´m using is working without any problems on several other subdomains.
I´m using the following proxy upstream:

proxy_http_version 1.1;
proxy_ssl_server_name on;
proxy_ssl_session_reuse off;
proxy_pass_header Server;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade; 
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
proxy_set_header X-Scheme $scheme;
proxy_set_header Proxy "";
proxy_ssl_trusted_certificate /etc/letsencrypt/live/MYDOMAIN/cert.pem;
proxy_redirect http:// https://;
add_header Front-End-Https on;
upstream laradock {
     server 127.0.0.1:8089 fail_timeout=0;
}
proxy_read_timeout 1800;
proxy_ignore_client_abort on;
proxy_busy_buffers_size 16k;
proxy_headers_hash_max_size 512;
proxy_buffering on;
proxy_cache_bypass $http_pragma $http_authorization $cookie_nocache;
open_file_cache max=10000 inactive=30s;
open_file_cache_valid 60s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
client_max_body_size 500M;
client_body_buffer_size 128;
types_hash_max_size 4096;

This proxy config is stored in /etc/nginx/snippets/proxy.conf, which I´ve manually included in /etc/nginx/nginx.conf. My laradock nginx configuration (the nginx instance my nginx on my main system proxys all requests to), to serve my php files on that subdomain, is:

server {
    listen 80;
    listen [::]:80;
    server_name MYDOMAIN;
    root /var/www/MYDOMAIN/public;
    index index.php;
    location / {
    try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
            try_files $uri $uri/ =404;
            fastcgi_pass php-upstream;
            fastcgi_index index.php;
            fastcgi_buffers 16 16k;
            fastcgi_buffer_size 32k;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            #fixes timeouts
            fastcgi_read_timeout 600;
            include fastcgi_params;
    }
    location ~ /\.ht {
            deny all;
    }
    location /.well-known/acme-challenge/ {
            root /var/www/letsencrypt/;
            log_not_found off;
    }
    error_log /var/log/nginx/laravel_error.log;
    access_log /var/log/nginx/laravel_access.log;
}

Note I´m not serving laravel, but just regular php files. When calling the page over chrome, following error is logged by my first nginx config (the one which serves as a proxy):

 [crit] 15700#15700: *41339 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: X, server: X

followed by:

[crit] 15700#15700: *41437 SSL_do_handshake() failed (SSL: error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol) while SSL handshaking, client: X, server: X

In my php files, I add following headers to the response:

header_remove();
header("Cache-Control: max-age=0,no-cache,must-revalidate");
header('Access-Control-Allow-Origin: https://MYOTHERDOMAIN');
header("Connection: keep-alive");
header('Content-Type: application/json');
header('charset=UTF-8');

How can I get rid of those ssl handshake errors and the SPDY protocol error in Chrome (or just disable SPDY entirely?).
I know there are lots of questions out there already talking about possible SPDY error causes, but none of them helped me.

3x071c
  • 113
  • 8
  • Something in front of your server is supporting HTTP/2. Or your config is not that of the server you are connecting to. Either way without figuring that out and giving the correct information it is not possible to answer your question. – Barry Pollard May 23 '19 at 21:02
  • @BarryPollard I haven't got anything in front of my nginx instance on my main system. I can't seem to find a reason why it's using HTTP2. Anyways, why does HTTP2 not work with my configuration? – 3x071c May 30 '19 at 13:05
  • Based on the config you have provided, HTTP/2 is not turned on (you would need `listen 443 ssl http2;` for that, but currently only have `listen 443 ssl;). So the fact Firefox can speak HTTP/2 says that either something is sitting in front of this (e.g. a load balancer, a CDN, a proxy) or the config is not what is being used on this server. So impossible to give further advice until you explain your environment properly I'm afraid. – Barry Pollard May 30 '19 at 16:51

0 Answers0