enabling mod_http2 results in 302/307 redirect loop

Feb 26, 2017
15
1
3
London
cPanel Access Level
Root Administrator
raising as separate issue:
As soon as mod_http2 is enabled, I get immediate catastrophic failure, even for a static HTML page, with a redirect loop as:

Status Code: 302
Referrer Policy: no-referrer-when-downgrade
and
Status Code: 307 Internal Redirect
Referrer Policy: no-referrer-when-downgrade
Non-Authoritative-Reason: HSTS

The experimental Mod_Ruid2 option mentioned is off and apparently disabled.
I had mod_pagespeed enabled but uninstalled that.

After disabling mod_http2 everything works normally.
On CentOS 6.9 x86_64 xen pv – cPanel & WHM 64.0 (build 32)
 

Gareth-AWD

Not sure if it relates to the version, but I'm also on CentOS 6.9 with the same issue you're having.

One site worked, the others didn't. I'm going to look at the virtual hosts folder to see if there's any difference between the working site and the sites that didn't.
To add a bit more detail:

The request for https is being redirected to http:
"response": {
"status": 302,
"statusText": "",
"httpVersion": "unknown",
...
"redirectURL": [plain http version]

The request for http is then being redirected to https; this is intentional, it is supposed to use secure communication.

.htaccess for homepage has some conditions to redirect insecure requests to https, and also to redirect home page to static file:
Code:
RewriteEngine On

# Send every plain-http request to the https version of the same path
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.mysite.com/$1 [R=301,L]

# Answer 404 for image URLs that do not map to an existing file
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule \.(jpg|jpeg|png|gif|ico|swf|bmp)$ - [nocase,redirect=404,last]

## REDIRECT HOME PAGE FOR EACH LANGUAGE ONLY IF NO QUERY PRESENT ##
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^/?$ index_en.htm
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^es/?$ index_es.htm
## END REDIRECT HOME PAGE ##

<IfModule mod_headers.c>
    # HSTS: browsers remember to use https for 16070400 seconds (186 days)
    Header set Strict-Transport-Security "max-age=16070400"
</IfModule>

Gareth-AWD

Mine does it even with no .htaccess (which I deleted to test).

Also, my httpd.conf file looks the same for the site that does work and the one that doesn't.

Hope we get to the bottom of this.
 

cPanelMichael

Administrator
Staff member
Hello,

Please feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

Gareth-AWD

I will do, but I'm concerned that the sites will go down when the support agent then tries to replicate the issue.

Is there a way to disable http2 for specific accounts so I can make the affected accounts work?
 

cPanelMichael

Administrator
Staff member
I will do, but I'm concerned that the sites will go down when the support agent then tries to replicate the issue.

Is there a way to disable http2 for specific accounts so I can make the affected accounts work?
Yes, you could edit the HTTP2 configuration file located at:

Code:
/etc/apache2/conf.d/http2.conf
The following document explains how to configure it for a single virtual host:

HTTP/2 guide - Apache HTTP Server Version 2.4

Remember to rebuild the Apache configuration file via "/scripts/rebuildhttpdconf" after making any changes.

Thank you.
Thanks for the advice, I only just saw this as I stopped getting email updates on the thread.

I share the same concerns: it's not an active support issue to be raised because I disabled http2 again and I can't have sites down for an extended period of time to investigate.

I was hoping to find some more installation tips around the forums and if not I'll have to see if I can get it running on a separate test account.
 

linux4me2

I should have also asked what ruleset you're using, but that looks like it's from the OWASP rules, so people using Comodo's CWAF should be unaffected.
Hmm.. yes, the OWASP ModSecurity Core Rule Set seems to include a rule to specifically disable HTTP2.

CRITICAL 302 960034: HTTP protocol version is not allowed by policy

That sounds pretty important to know about before you start installing HTTP2.


If the OWASP is on auto-update and you turn rules off, what happens next time there is an update?
How do you switch to Comodo's CWAF / any particular benefits over OWASP?


Code:
# 960034
#
# Restrict protocol versions.
#
SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
    "phase:request, t:none, block, msg:'HTTP protocol version is not allowed by policy', \
    severity:'CRITICAL', rev:'2', ver:'OWASP_CRS/3.0.0', maturity:'9', accuracy:'9', id:'960034', \
    tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', \
    tag:'OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED', tag:'WASCTC/WASC-21', tag:'OWASP_TOP_10/A6', tag:'PCI/6.5.10', \
    logdata:'%{matched_var}', setvar:'tx.msg=%{rule.msg}', setvar:tx.anomaly_score=+%{tx.warning_anomaly_score}, \
    setvar:tx.%{rule.id}-OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
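As an added example (not from the thread, cPanel or the CRS project), here is a Python check that pulls rule 960034 hits out of ModSecurity's error_log entries and replays the rule's `!@within` test against a candidate tx.allowed_http_versions value, so you can verify that HTTP/2 requests are what is being denied, and what an allowed-versions setting would pass, before turning any rule off. The log lines are constructed, the allowed-version strings are assumed values rather than the ruleset's shipped default, and it generalizes to any rule id; it also shows that @within is a substring match, not a token match.

```python
import re

# Constructed error_log lines in the shape ModSecurity 2.x writes: client
# addresses, timestamps and URIs are made up; the rule id and msg are the thread's.
SAMPLE_LOG = "\n".join([
    '[Sun Feb 26 10:01:02 2017] [:error] [pid 1234] [client 192.0.2.10] ModSecurity: '
    'Access denied with code 302 (phase 1). [id "960034"] '
    '[msg "HTTP protocol version is not allowed by policy"] [data "HTTP/2.0"] '
    '[severity "CRITICAL"] [hostname "www.mysite.com"] [uri "/index_en.htm"]',
    '[Sun Feb 26 10:01:03 2017] [:error] [pid 1234] [client 192.0.2.11] ModSecurity: '
    'Warning. [id "1000001"] [msg "constructed noise rule"] [data "HTTP/1.1"] '
    '[hostname "www.mysite.com"] [uri "/search"]',
    '[Sun Feb 26 10:01:04 2017] [:error] [pid 1235] [client 192.0.2.12] ModSecurity: '
    'Access denied with code 302 (phase 1). [id "960034"] '
    '[msg "HTTP protocol version is not allowed by policy"] [data "HTTP/2.0"] '
    '[severity "CRITICAL"] [hostname "www.mysite.com"] [uri "/style.css"]',
])
# One [key "value"] field of a ModSecurity log entry; values may contain \" escapes.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_fields(line):
    """Return the bracketed key/value fields of one error_log line as a dict."""
    return dict(FIELD.findall(line))

def rule_hits(log_text, rule_id="960034"):
    """(protocol, uri) for every line where rule_id fired; the protocol is the
    rule's logdata:'%{matched_var}', which ModSecurity writes as [data "..."]."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_fields(line)
        if fields.get("id") == rule_id:
            hits.append((fields.get("data", ""), fields.get("uri", "")))
    return hits

def blocked_by_960034(protocol, allowed_http_versions):
    """Rule 960034 fires when REQUEST_PROTOCOL is NOT @within tx.allowed_http_versions.
    @within is a plain substring test: 'HTTP/2' is within a list naming only
    'HTTP/2.0', but 'HTTP/2.0' is not within a list naming only 'HTTP/2'."""
    return protocol not in allowed_http_versions

def still_blocked(log_text, allowed_http_versions):
    """Protocols seen in 960034 hits that the given allowed list would still deny."""
    return sorted({proto for proto, _ in rule_hits(log_text)
                   if blocked_by_960034(proto, allowed_http_versions)})

if __name__ == "__main__":
    # Assumed values for tx.allowed_http_versions, not the ruleset's shipped default.
    print(still_blocked(SAMPLE_LOG, "HTTP/1.0 HTTP/1.1"))                  # ['HTTP/2.0']
    print(still_blocked(SAMPLE_LOG, "HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0"))  # []
```

Run it against a copy of the real error_log by reading the file into `still_blocked` in place of SAMPLE_LOG; an empty result for your candidate allowed-versions string means no observed hit would survive that setting.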
 

linux4me2

I suspect the OWASP rules function the same way as the CWAF rules if you're using them as a vendor; if you disable a rule, it stays disabled when the rule set automatically updates. The reason I started using CWAF instead of OWASP is that I was getting too many false positives with the OWASP rules. That was a long time ago, and it seems like the OWASP rules have vastly improved, but the CWAF rules haven't given me any problems, so I haven't changed.

There are two ways to use Comodo's CWAF: 1) as a vendor in cPanel, and 2) as a plugin. I had problems with the plugin and EA4 updates, so I've been using the CWAF rules as a vendor. You can find instructions for adding the CWAF rules as a vendor on Comodo's site. As noted there, once you've installed them, you should have only one rule set enabled at a time, so you'd need to disable the OWASP rules.

The plugin allows you to select the software you want to include rules for, but if you add the rules as a vendor, you'll have to go through them (end to front works best) and disable the rules you don't need; e.g., for software you don't currently use and know you won't. That is a chore the first time through, but it will reduce the number of rules ModSecurity has to process, and ought to reduce the load on the server. Going forward, you can register for the CWAF Forum and subscribe to the Rules Updates: Changelog thread to be notified when new rules are added. You can search the rules using the CVE number for each rule in the changelog email you receive to quickly find and disable new rules if they aren't for software you're running, making maintaining the ruleset easy.

The other thing I should mention is that CWAF rule# 214920 may need to be disabled because it was causing false positives in the last update, and I haven't seen a notice of a fix. If it needs to be disabled, you'll see multiple hits for it in the ModSecurity Tools Hits List. You can search for the rule number to find and disable it.
Thanks for the informative note, @linux4me2.

http2 is enabled OK after disabling the security rule.

Performance is all over the place though: at times OK, sometimes random stalling while loading images or scripts, sometimes the page load appears complete but the page never displays, etc. And of course, according to Chrome Developer Tools, all files are HTTP status OK, and there are no obvious issues on the server either.
This is with HTML page output caching as well, so no PHP running, pure Apache.

So after some hours, I uninstalled http2 and am back to good performance..