Keep-Alive Connections in http2

[01i]

I'm running DirectAdmin with OpenLiteSpeed on a CloudLinux VM.

iPhone Safari users have been reporting problems, either a plain white screen of death, or the NSPOSIXErrorDomain:100 error.

Testing my server via curl, it's returning a Keep-Alive connection header with an http2 response, which is apparently invalid, and causes Safari to error out.

# curl -vL --head https://www.sgtsmess.co.uk
* Trying 116.203.194.196:443...
* Connected to www.sgtsmess.co.uk (116.203.194.196) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=mail.sgts-mess.co.uk
* start date: Oct 10 21:19:01 2020 GMT
* expire date: Jan 8 21:19:01 2021 GMT
* subjectAltName: host "www.sgtsmess.co.uk" matched cert's "www.sgtsmess.co.uk"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0xecc440)
> HEAD / HTTP/2
> Host: www.sgtsmess.co.uk
> user-agent: curl/7.73.0
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
* http2 error: Invalid HTTP header field was received: frame type: 1, stream: 1, name: [connection], value: [Keep-Alive]
* HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)
* stopped the pause stream!
* Connection #0 to host www.sgtsmess.co.uk left intact
curl: (92) HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)

Does anyone know which config file I need to edit to prevent the Keep-Alive header on an http2 connection?

 

[scriptkitty]

Looks like OLS may need to be bumped on this: https://forum.openlitespeed.org/threads/connection-keep-alive-header.4648/

However, I just installed OLS on my server to test this. Here is the output from curl using http and using https(which is automatically upgraded to http2):


~$ curl -kIlLs https://n3rd.ga
HTTP/2 200
etag: "25a-5d91a02b-c40999;;;"
last-modified: Mon, 30 Sep 2019 06:26:51 GMT
content-type: text/html
content-length: 602
accept-ranges: bytes
date: Fri, 13 Nov 2020 06:02:54 GMT
server: LiteSpeed

~$ curl -kIlLs http://n3rd.ga
HTTP/1.1 200 OK
etag: "25a-5d91a02b-c40999;;;"
last-modified: Mon, 30 Sep 2019 06:26:51 GMT
content-type: text/html
content-length: 602
accept-ranges: bytes
date: Fri, 13 Nov 2020 06:03:22 GMT
server: LiteSpeed
connection: Keep-Alive


The Keep-Alive connection header is only specified on the http url and not the https url. Is it possible that the header has been set elsewhere? If not...
Per Litespeed docs:

“Keep-alive” is server level configuration and can not be controlled at virtual host level. Setting Max Keep-Alive Requests to “0” will disable “keep-alive”.

To edit the configuration accordingly so that it is preserved with CustomBuild updates:

mkdir -p /usr/local/directadmin/custombuild/custom/openlitespeed/conf/
cp -a /usr/local/directadmin/custombuild/configure/openlitespeed/conf/httpd-tuning.conf /usr/local/directadmin/custombuild/custom/openlitespeed/conf/httpd-tuning.conf 
sed -i.bak 's/maxKeepAliveReq              10000/maxKeepAliveReq              0/' /usr/local/directadmin/custombuild/custom/openlitespeed/conf/httpd-tuning.conf
mv /usr/local/lsws/conf{,.bak}
./build openlitespeed

Now, upon testing, I get the following result with my domain:


~$ curl -kIlLs http://n3rd.ga
HTTP/1.1 200 OK
etag: "25a-5d91a02b-c40999;;;"
last-modified: Mon, 30 Sep 2019 06:26:51 GMT
content-type: text/html
content-length: 602
accept-ranges: bytes
date: Fri, 13 Nov 2020 07:24:44 GMT
server: LiteSpeed
connection: close

I hope this helps!

 

[01i]

Looks like OLS may need to be bumped on this: https://forum.openlitespeed.org/threads/connection-keep-alive-header.4648/

However, I just installed OLS on my server to test this. Here is the output from curl using http and using https(which is automatically upgraded to http2):


~$ curl -kIlLs https://n3rd.ga
HTTP/2 200
etag: "25a-5d91a02b-c40999;;;"
last-modified: Mon, 30 Sep 2019 06:26:51 GMT
content-type: text/html
content-length: 602
accept-ranges: bytes
date: Fri, 13 Nov 2020 06:02:54 GMT
server: LiteSpeed

~$ curl -kIlLs http://n3rd.ga
HTTP/1.1 200 OK
etag: "25a-5d91a02b-c40999;;;"
last-modified: Mon, 30 Sep 2019 06:26:51 GMT
content-type: text/html
content-length: 602
accept-ranges: bytes
date: Fri, 13 Nov 2020 06:03:22 GMT
server: LiteSpeed
connection: Keep-Alive


The Keep-Alive connection header is only specified on the http url and not the https url. Is it possible that the header has been set elsewhere? If not...
Per Litespeed docs:

“Keep-alive” is server level configuration and can not be controlled at virtual host level. Setting Max Keep-Alive Requests to “0” will disable “keep-alive”.

To edit the configuration accordingly so that it is preserved with CustomBuild updates:

mkdir -p /usr/local/directadmin/custombuild/custom/openlitespeed/conf/
cp -a /usr/local/directadmin/custombuild/configure/openlitespeed/conf/httpd-tuning.conf /usr/local/directadmin/custombuild/custom/openlitespeed/conf/httpd-tuning.conf
sed -i.bak 's/maxKeepAliveReq              10000/maxKeepAliveReq              0/' /usr/local/directadmin/custombuild/custom/openlitespeed/conf/httpd-tuning.conf
mv /usr/local/lsws/conf{,.bak}
./build openlitespeed

Now, upon testing, I get the following result with my domain:


~$ curl -kIlLs http://n3rd.ga
HTTP/1.1 200 OK
etag: "25a-5d91a02b-c40999;;;"
last-modified: Mon, 30 Sep 2019 06:26:51 GMT
content-type: text/html
content-length: 602
accept-ranges: bytes
date: Fri, 13 Nov 2020 07:24:44 GMT
server: LiteSpeed
connection: close

I hope this helps!

I actually think that I timed this thread perfectly. I went looking through the recent other threads after posting, and it really sounds like the issue has been patched in 1.7.6. After updating and clearing the cache, I no longer get the error, although I didn't test to see if clearing the cache temporarily resolves it first, so we'll see if it lasts

V1.7.6 release availability

Hello, Is there any way to upgrade OLS before the new version is available through custombuild? There is a bug fix that I would like to roll out ASAP since it's impacting may clients: [Bug Fix] Add ‘connection’ header to cache module Bypass Header list so that cache can work with HTTP/2 for...

forum.directadmin.com

 

[scriptkitty]

I actually think that I timed this thread perfectly. I went looking through the recent other threads after posting, and it really sounds like the issue has been patched in 1.7.6. After updating and clearing the cache, I no longer get the error, although I didn't test to see if clearing the cache temporarily resolves it first, so we'll see if it lasts

V1.7.6 release availability

Hello, Is there any way to upgrade OLS before the new version is available through custombuild? There is a bug fix that I would like to roll out ASAP since it's impacting may clients: [Bug Fix] Add ‘connection’ header to cache module Bypass Header list so that cache can work with HTTP/2 for...

forum.directadmin.com

Even better! Do keep us posted if the error reoccurs, please!