Hello,

I just found out the hard way that HTTP2 has a great new feature that
intentionally misdirects requests to the wrong domain. I'm using Apache
on Ubuntu 20.04 with Virtual Hosts, a single shared IPv4 address (what
else can you do these days), HTTP2 and HTTPS. Some of these domains use
the same wildcard certificate for the main domain and subdomains. Some
of these virtual hosts also use a reverse proxy to a backend application
server.

When I open both these sites one after another in Firefox, I always get
the same content, even redirecting the second called domain back to the
first. So that HTTP2 connection coalescing thing is clearly a critical
bug in the spec or somewhere else that is expected to be worked around
by each and every webserver admin. How sad. They did say they wanted to
make it quicker. No word on safer or more reliable. Every optimisation
is a tradeoff, this time it broke things.

How should I do this now? I have the option to disable HTTP2 and deny
the progress. It immediately resolves the issue. Or I could somehow
somewhere make Apache respond with that 421 status code that teaches the
browsers that this feature is bad and they should not use it. How could
this be done? I wasn't able to find any resources about that. All sites'
config files look similar to this:

Listen [...IPv6...]:80
<VirtualHost ...SharedIPv4...:80 [...IPv6...]:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example/path
    RewriteEngine on

    # Redirection
    RewriteRule ^/(.*) https://example.com/$1 [L,R=301]

    <Directory "/var/www/example/path">
        Options +IncludesNOEXEC
    </Directory>

    # CGI/PHP (optional)
    SuexecUserGroup example webusers
    FcgidWrapper /var/www/php-bin/example/php-fcgi .php
    AddHandler fcgid-script .php

    # ASP.NET app (optional)
    ProxyPass "/" "http://127.0.0.1:7001/" retry=5
    ProxyPassReverse "/" "http://127.0.0.1:7001/"
    ProxyPreserveHost on
    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
    RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
    RewriteRule .* ws://127.0.0.1:7001%{REQUEST_URI} [P]
    RequestHeader set X-Forwarded-Proto "http"
</VirtualHost>

Listen [...IPv6...]:443
<VirtualHost ...SharedIPv4...:443 [...IPv6...]:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example/path
    RewriteEngine on

    # Redirection
    RewriteCond %{HTTP_HOST} !^example\.com(:443)?$ [NC]
    RewriteCond %{HTTP_HOST} !=""
    RewriteRule ^/(.*) https://example.com/$1 [L,R=301]

    <Directory "/var/www/example/path">
        Options +IncludesNOEXEC
    </Directory>

    # CGI/PHP (optional)
    SuexecUserGroup example webusers
    FcgidWrapper /var/www/php-bin/example/php-fcgi .php
    AddHandler fcgid-script .php

    # ASP.NET app (optional)
    ProxyPass "/" "http://127.0.0.1:7001/" retry=5
    ProxyPassReverse "/" "http://127.0.0.1:7001/"
    ProxyPreserveHost on
    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
    RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
    RewriteRule .* ws://127.0.0.1:7001%{REQUEST_URI} [P]
    RequestHeader set X-Forwarded-Proto "https"

    SSLEngine on
    SSLCertificateFile /etc/ssl/private/example.com
    SSLCertificateKeyFile /etc/ssl/private/example.com
</VirtualHost>

-Yves
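
Added example, not part of the original message and not Apache's own code: a Python model of the connection-reuse rule in RFC 7540 section 9.1.1 (same IP address plus a certificate valid for the second host) and of the server-side 421 decision from section 9.1.2. It lists which virtual hosts a browser may coalesce; every hostname, address and certificate name is constructed, and `app.example.com` and `example.org` are hypothetical sites.

```python
# Added example: models HTTP/2 connection reuse and the 421 check.
# All hostnames, IP addresses and certificate names below are constructed.
from itertools import combinations

VHOSTS = [  # constructed inventory: two sites share a wildcard certificate
    {"host": "example.com", "ips": ["203.0.113.10"],
     "cert_sans": ["example.com", "*.example.com"]},
    {"host": "app.example.com", "ips": ["203.0.113.10"],
     "cert_sans": ["example.com", "*.example.com"]},
    {"host": "example.org", "ips": ["203.0.113.10"],
     "cert_sans": ["example.org"]},
]


def cert_covers(san: str, host: str) -> bool:
    """Match one certificate name; '*' covers exactly one left-most label."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == san[2:]
    return san == host


def may_coalesce(conn: dict, other: dict) -> bool:
    """True if a client connected to `conn` may reuse that connection for `other`."""
    same_ip = bool(set(conn["ips"]) & set(other["ips"]))
    cert_ok = any(cert_covers(s, other["host"]) for s in conn["cert_sans"])
    return same_ip and cert_ok


def coalescable_pairs(vhosts: list) -> list:
    """Return (connected_host, reused_for_host) pairs, checked in both directions."""
    pairs = []
    for a, b in combinations(vhosts, 2):
        for conn, other in ((a, b), (b, a)):
            if may_coalesce(conn, other):
                pairs.append((conn["host"], other["host"]))
    return pairs


def status_for(sni_vhost_names: set, authority: str) -> int:
    """421 if the request's :authority is not served by the vhost the TLS SNI selected."""
    last = authority.rsplit(":", 1)[-1]
    host = authority.rsplit(":", 1)[0] if last.isdigit() else authority
    return 200 if host.lower() in {n.lower() for n in sni_vhost_names} else 421


if __name__ == "__main__":
    for conn, other in coalescable_pairs(VHOSTS):
        print(f"connection to {conn} may be reused for {other}")
```

A 421 response makes the client retry the request on a separate connection for that authority, so the check only has to run where the names differ.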