The Community Forums


enabling mod_http2 results in 302/307 redirect loop

Discussion in 'EasyApache' started by Jonathan Moore, Jul 16, 2017.

  1. Jonathan Moore

    Joined:
    Feb 26, 2017
    Messages:
    12
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    London
    cPanel Access Level:
    Root Administrator
    Raising as a separate issue:
    as soon as mod_http2 is enabled, I get immediate catastrophic failure even of a static HTML page, with a redirect loop as:

    Status Code: 302
    Referrer Policy: no-referrer-when-downgrade
    and
    Status Code: 307 Internal Redirect
    Referrer Policy: no-referrer-when-downgrade
    Non-Authoritative-Reason: HSTS

    The experimental Mod_Ruid2 option mentioned is off and apparently disabled.
    I had mod_pagespeed enabled but uninstalled that.

    After disabling mod_http2 everything works normally.
    On CENTOS 6.9 x86_64 xen pv – cPanel & WHM 64.0 (build 32)
     
  2. Gareth-AWD

    Gareth-AWD Well-Known Member

    Joined:
    Jul 3, 2008
    Messages:
    161
    Likes Received:
    4
    Trophy Points:
    68
    Location:
    London, UK
    cPanel Access Level:
    Root Administrator
    Not sure if it relates to the version, but I'm also on CentOS 6.9 with the same issue you're having.

    One site worked, the others didn't. I'm going to look at the virtual hosts folder to see if there's any difference between the working site and the sites that didn't.
     
  3. Jonathan Moore

    Joined:
    Feb 26, 2017
    Messages:
    12
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    London
    cPanel Access Level:
    Root Administrator
    to add a bit more detail:

    The request for https is being redirected to http:
    "response": {
        "status": 302,
        "statusText": "",
        "httpVersion": "unknown",
        ...
        "redirectURL": [plain http version]

    The request for http then being redirected to https - this is intentional, it is supposed to use secure communication.

    .htaccess for homepage has some conditions to redirect insecure requests to https, and also to redirect home page to static file:
    Code:
    # Force HTTPS: any request that arrived over plain http is sent to the same
    # path on the https host. ^(.*)$ matches every path, including the bare
    # homepage (an empty path in per-directory context).
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://www.mysite.com/$1 [R=301,L]

    # Image requests that do not map to an existing file get a 404 instead of
    # falling through to the rules below.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule \.(jpg|jpeg|png|gif|ico|swf|bmp)$ - [NC,R=404,L]

    ## REDIRECT HOME PAGE FOR EACH LANGUAGE ONLY IF NO QUERY PRESENT ##
    RewriteCond %{QUERY_STRING} ^$
    RewriteRule ^/?$ index_en.htm
    RewriteCond %{QUERY_STRING} ^$
    RewriteRule ^es/?$ index_es.htm
    ## END REDIRECT HOME PAGE ##

    # HSTS: tell browsers to use https for this host for the next 186 days.
    <IfModule mod_headers.c>
        Header set Strict-Transport-Security "max-age=16070400"
    </IfModule>
    
    
     
    #3 Jonathan Moore, Jul 16, 2017
    Last edited by a moderator: Jul 17, 2017
  4. Gareth-AWD

    Gareth-AWD Well-Known Member

    Joined:
    Jul 3, 2008
    Messages:
    161
    Likes Received:
    4
    Trophy Points:
    68
    Location:
    London, UK
    cPanel Access Level:
    Root Administrator
    Mine does it even with no .htaccess (which I deleted to test).

    Also my httpd.conf file looks the same as the site that does work and the one that doesn't.

    Hope we get to the bottom of this.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,037
    Likes Received:
    1,280
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Please feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  6. Gareth-AWD

    Gareth-AWD Well-Known Member

    Joined:
    Jul 3, 2008
    Messages:
    161
    Likes Received:
    4
    Trophy Points:
    68
    Location:
    London, UK
    cPanel Access Level:
    Root Administrator
    I will do, but I'm concerned that the sites will go down when the support agent then tries to replicate the issue.

    Is there a way to disable http2 for specific accounts so I can make the affected accounts work?
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,037
    Likes Received:
    1,280
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Yes, you could edit the HTTP2 configuration file located at:

    Code:
    /etc/apache2/conf.d/http2.conf
    The following document explains how to configure it for a single virtual host:

    HTTP/2 guide - Apache HTTP Server Version 2.4

    Remember to rebuild the Apache configuration file via "/scripts/rebuildhttpdconf" after making any changes.

    Thank you.
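Added example (not a post from the thread, and not cPanel's shipped files): what the per-virtual-host configuration that post points at looks like in practice. The `Protocols` directive is the one documented in the Apache HTTP/2 guide; the exact contents of cPanel's http2.conf, the IP address, hostname and file paths below are assumptions for illustration.

```apache
# Added example, not from the thread or from cPanel's own http2.conf.
# The Protocols directive comes from the Apache mod_http2 documentation;
# the server-wide line below is assumed to be what http2.conf carries.

# Server-wide default: offer HTTP/2 over TLS via ALPN and fall back to
# HTTP/1.1 for clients that do not negotiate it.
Protocols h2 http/1.1

# Per-account opt-out: a vhost that misbehaves under HTTP/2 keeps HTTP/1.1
# only. Protocols is evaluated per virtual host, so this overrides the
# server-wide list for this name alone. On cPanel, place it in an include
# file that survives /scripts/rebuildhttpdconf rather than in httpd.conf.
<VirtualHost 203.0.113.10:443>
    ServerName affected.example.com
    DocumentRoot /home/affected/public_html
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/affected.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/affected.example.com.key
    Protocols http/1.1
</VirtualHost>
```

To check that the opt-out took effect, request each name separately: `curl -sI --http2 https://affected.example.com/` should answer with an `HTTP/1.1` status line, while a vhost that still offers h2 answers with `HTTP/2`. Test names one at a time, since a browser that already holds an HTTP/2 connection to another name on the same IP and certificate may try to reuse it.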
     
  8. Jonathan Moore

    Joined:
    Feb 26, 2017
    Messages:
    12
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    London
    cPanel Access Level:
    Root Administrator
    Thanks for the advice, I only just saw this as I stopped getting email updates on the thread.

    I share the same concerns: it's not an active support issue to be raised because I disabled http2 again and I can't have sites down for an extended period of time to investigate.

    I was hoping to find some more installation tips around the forums and if not I'll have to see if I can get it running on a separate test account.
     
  9. Gareth-AWD

    Gareth-AWD Well-Known Member

    Joined:
    Jul 3, 2008
    Messages:
    161
    Likes Received:
    4
    Trophy Points:
    68
    Location:
    London, UK
    cPanel Access Level:
    Root Administrator
    My issue was resolved by support.

    It was a mod_security rule that didn't understand the new protocol and then redirected it.
     
    cPanelMichael likes this.
  10. linux4me2

    linux4me2 Well-Known Member

    Joined:
    Aug 21, 2015
    Messages:
    148
    Likes Received:
    34
    Trophy Points:
    28
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    Which mod_security rule (ID number) was it?
     
  11. Jonathan Moore

    Joined:
    Feb 26, 2017
    Messages:
    12
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    London
    cPanel Access Level:
    Root Administrator
    Oh right, you don't happen to know what exactly was done to fix it then, to advise others that may be in the same situation?
     
  12. Gareth-AWD

    Gareth-AWD Well-Known Member

    Joined:
    Jul 3, 2008
    Messages:
    161
    Likes Received:
    4
    Trophy Points:
    68
    Location:
    London, UK
    cPanel Access Level:
    Root Administrator
    Sorry, should have said.

    They disabled rule 960034.
     
  13. linux4me2

    linux4me2 Well-Known Member

    Joined:
    Aug 21, 2015
    Messages:
    148
    Likes Received:
    34
    Trophy Points:
    28
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    I should have also asked what ruleset you're using, but that looks like it's from the OWASP rules, so people using Comodo's CWAF should be unaffected.
     
  14. Jonathan Moore

    Joined:
    Feb 26, 2017
    Messages:
    12
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    London
    cPanel Access Level:
    Root Administrator
    Hmm, yes, the OWASP ModSecurity Core Rule Set seems to include a rule that specifically disables HTTP2.

    CRITICAL 302 960034: HTTP protocol version is not allowed by policy

    That sounds pretty important to know about before you start installing HTTP2.


    If the OWASP is on auto-update and you turn rules off, what happens next time there is an update?
    How do you switch to Comodo's CWAF / any particular benefits over OWASP?


    960034
    #
    # Restrict protocol versions.
    #
    SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
        "phase:request,\
        t:none,\
        block,\
        msg:'HTTP protocol version is not allowed by policy',\
        severity:'CRITICAL',\
        rev:'2',\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'9',\
        accuracy:'9',\
        id:'960034',\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-protocol',\
        tag:'OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED',\
        tag:'WASCTC/WASC-21',\
        tag:'OWASP_TOP_10/A6',\
        tag:'PCI/6.5.10',\
        logdata:'%{matched_var}',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
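Added example (not a post from the thread, and not cPanel's or the CRS project's own files). The rule quoted above does not single out HTTP/2: it compares `REQUEST_PROTOCOL` against the `tx.allowed_http_versions` allow-list, and Apache's mod_http2 presents an h2 request as `HTTP/2.0`, so any allow-list that stops at `HTTP/1.1` turns every HTTP/2 request into a policy violation. The narrower fix is therefore to extend the allow-list rather than remove the rule, which is what the first block does; the second shows the removal support applied and where it has to go. Rule id 900230 is the id crs-setup.conf reserves for this setting in CRS 3.x; the file placement is an assumption about your install.

```apache
# Added example, not from the thread, cPanel or the CRS project. Assumes OWASP
# CRS 3.x, where the protocol rule (960034 here; 920430 in the renumbered
# upstream 3.x files) tests REQUEST_PROTOCOL with "!@within %{tx.allowed_http_versions}".
# Apache's mod_http2 sets REQUEST_PROTOCOL to "HTTP/2.0" for h2 requests.

# Option A (preferred): allow HTTP/2 and keep the protocol check for everything
# else (e.g. HTTP/0.9-style or malformed version strings still get flagged).
# id 900230 is the id crs-setup.conf reserves for this setting; if your copy
# already defines it, edit that entry instead of adding a second (duplicate
# ids fail at startup). Because this runs in phase 1 and the protocol rule in
# phase 2, the variable is set before the check no matter where in the
# configuration this SecAction appears.
SecAction \
    "id:900230,\
    phase:1,\
    nolog,\
    pass,\
    t:none,\
    setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"

# Option B (what support did): remove the rule outright. SecRuleRemoveById
# only acts on rules already loaded, so it must come AFTER the CRS rule
# files are included; placed before them it silently does nothing and the
# redirect loop stays. It also discards the protocol check entirely.
# SecRuleRemoveById 960034
```

After either change, run the configuration check (`apachectl configtest` or cPanel's `/scripts/restartsrv_httpd` path) and confirm in the ModSecurity hit list that 960034 no longer fires for `HTTP/2.0`; the rule's `logdata:'%{matched_var}'` puts the offending protocol string in the log line, which is the quickest way to tell this rule from an unrelated 302.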
     
  15. linux4me2

    linux4me2 Well-Known Member

    Joined:
    Aug 21, 2015
    Messages:
    148
    Likes Received:
    34
    Trophy Points:
    28
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    I suspect the OWASP rules function the same way as the CWAF rules if you're using them as a vendor; if you disable a rule, it stays disabled when the rule set automatically updates. The reason I started using CWAF instead of OWASP is that I was getting too many false positives with the OWASP rules. That was a long time ago, and it seems like the OWASP rules have vastly improved, but the CWAF rules haven't given me any problems, so I haven't changed.

    There are two ways to use Comodo's CWAF: 1) as a vendor in cPanel, and 2) as a plugin. I had problems with the plugin and EA4 updates, so I've been using the CWAF rules as a vendor. You can find instructions for adding the CWAF rules as a vendor on Comodo's site. As noted there, once you've installed them, you should have only one rule set enabled at a time, so you'd need to disable the OWASP rules.

    The plugin allows you to select the software you want to include rules for, but if you add the rules as a vendor, you'll have to go through them (end to front works best) and disable the rules you don't need; e.g., for software you don't currently use and know you won't. That is a chore the first time through, but it will reduce the number of rules ModSecurity has to process, and ought to reduce the load on the server. Going forward, you can register for the CWAF Forum and subscribe to the Rules Updates: Changelog thread to be notified when new rules are added. You can search the rules using the CVE number for each rule in the changelog email you receive to quickly find and disable new rules if they aren't for software you're running, making maintaining the ruleset easy.

    The other thing I should mention is that CWAF rule# 214920 may need to be disabled because it was causing false positives in the last update, and I haven't seen a notice of a fix. If it needs to be disabled, you'll see multiple hits for it in the ModSecurity Tools Hits List. You can search for the rule number to find and disable it.
     
  16. Jonathan Moore

    Joined:
    Feb 26, 2017
    Messages:
    12
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    London
    cPanel Access Level:
    Root Administrator
    Thanks for the informative note @linux4me2

    http2 is enabled OK after disabling the security rule.

    Performance is all over the place though: at times OK, sometimes random stalling loading images or scripts, sometimes the page load appears complete but the page never displays, etc. And of course according to Chrome Developer Tools all files are HTTP status OK, with no obvious issues on the server either.
    This is with HTML page output caching as well, so no PHP running, pure Apache.

    So after some hours, I uninstalled http2 and am back to good performance.
     