0

Traffic to my site is using HTTP/1.1, and I want to force the server to only use HTTP/2.

I'm running Windows Server 2016 and IIS 10. I've tried adding

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
    • EnableHttp2Tls: DWORD = 1
    • EnableHttp2ClearText: DWORD = 1

but it is still serving HTTP/1.1.

I'm obviously missing something here, but I'm not exactly sure what. Is what I'm asking for even possible?

Ian Boyd
js1983
  • I don't think HTTP 1.1 is going away yet. There are certain things you won't get in HTTP 2.0 and disabling 1.1 can break quite a few existing web apps. But if you do want to test whether your web apps work in HTTP 2.0 only mode, you can use a URL Rewrite rule to abort all HTTP 1.1 requests. – Lex Li Dec 07 '21 at 18:43
  • The issue I'm running into is that my server has been flagged for having an HTTP Request Smuggling vulnerability. I read that this is a possible solution to solve the problem by forcing HTTP2 – js1983 Dec 07 '21 at 19:47
  • I think what @LexLi mentioned is [this answer](https://serverfault.com/q/391356). And you may refer to [this document](https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis) and decide if you will insist on using http2.0. – Tiny Wang Dec 08 '21 at 02:46
  • @js1983 did you resolve it? Because I also need this to prevent vulnerability, I've made a question [link](https://stackoverflow.com/questions/73864296/how-to-disable-http-2-downgrading-to-http-1-1-on-tomcat) – Максим Казаченко Sep 27 '22 at 09:03

1 Answer

0

From ServerFault:

  1. Download and install URL Rewrite.

  2. Add the following to your web.config file, to the <system.webServer> section:

    web.config

    <rewrite>
        <rules>
            <rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
                <match url="*" />
                <conditions>
                    <add input="{SERVER_PROTOCOL}" pattern="HTTP/1.0" />
                </conditions>
                <action type="AbortRequest" />
            </rule>
        </rules>
    </rewrite>

This will refuse all HTTP 1.0 requests with an HTTP 504 error code.


After installing URL Rewrite, you can also configure rewrite rules in IIS Manager:


Ian Boyd
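A quick way to audit which protocol versions a rule like the one in the answer actually drops, as an added example that is not part of the original answer or of IIS: it evaluates the `{SERVER_PROTOCOL}` conditions of every `AbortRequest` rule against a list of protocol strings. The function names, the sample protocol strings and the simplified matching (the `<match url>` element is assumed to match every request, `ignoreCase` is assumed to be at its default, and ECMAScript patterns are approximated with Python's `re`) are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the rule from the answer, wrapped in a minimal web.config.
WEB_CONFIG = """<configuration><system.webServer><rewrite><rules>
  <rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
    <match url="*" />
    <conditions>
      <add input="{SERVER_PROTOCOL}" pattern="HTTP/1.0" />
    </conditions>
    <action type="AbortRequest" />
  </rule>
</rules></rewrite></system.webServer></configuration>"""
# Constructed sample values for {SERVER_PROTOCOL} (assumption, not captured from IIS).
PROTOCOLS = ["HTTP/1.0", "HTTP/1.1", "HTTP/2.0"]

def _matches(pattern, syntax, value):
    """Test one condition pattern according to the rule's patternSyntax."""
    if syntax == "Wildcard":      # '*' is the only wildcard character
        rx = ".*".join(re.escape(part) for part in pattern.split("*"))
        return re.fullmatch(rx, value, re.IGNORECASE) is not None
    if syntax == "ExactMatch":
        return pattern.lower() == value.lower()
    return re.search(pattern, value, re.IGNORECASE) is not None  # ECMAScript (approx.)

def aborted_protocols(web_config_xml, protocols):
    """Return the protocol strings that some AbortRequest rule would drop."""
    blocked = set()
    for rule in ET.fromstring(web_config_xml).iter("rule"):
        action = rule.find("action")
        if action is None or action.get("type") != "AbortRequest":
            continue
        conds = rule.find("conditions")
        adds = [] if conds is None else conds.findall("add")
        if any(c.get("input") != "{SERVER_PROTOCOL}" for c in adds):
            continue  # rule also depends on other inputs; not evaluated here
        syntax = rule.get("patternSyntax", "ECMAScript")
        match_any = conds is not None and conds.get("logicalGrouping") == "MatchAny"
        for proto in protocols:
            hits = [_matches(c.get("pattern"), syntax, proto) != (c.get("negate") == "true")
                    for c in adds]
            if any(hits) if match_any else all(hits):
                blocked.add(proto)
    return blocked

if __name__ == "__main__":
    print(sorted(aborted_protocols(WEB_CONFIG, PROTOCOLS)))
```

Run against a site's real web.config, the returned set shows at a glance whether the HTTP/1.1 traffic described in the question is covered by the rule or still passes through.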