Try to change from http1.1 to http2


Nextcloud version: 11.0.1
Operating system and version: Ubuntu 16.04
nginx version: nginx 1.10.0
PHP version: 7.0.13
Is this the first time you’ve seen this error and can you replicate it?: Yes

The issue you are facing:
I tried to change from http1.1 to http2.
In nginx I only added http2 to the line where my ssl is.
With that configuration Nextcloud works with Chromium, but in Firefox nothing happens.
If I change back to http1.1, all is working perfectly.

The output of your Nextcloud log in Admin > Logging:
No log file

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

    <?php
    $CONFIG = array (
      'instanceid' => 'oc2bcxz77sgy',
      'passwordsalt' => 'CeU/hf52Ajy0Z+jYAvQLdaHwL80ts7',
      'secret' => 'g1/yM/2zcnmaUOQD5nPnF+HNDgM0fhc/dCqx1mNUThKexcow',
      'trusted_domains' =>
      array (
        0 => 'xxxxx',
        1 => 'xxxxx',
        2 => 'xxxxx',
      ),
      'datadirectory' => '/media/cloud/nextcloud/data',
      'overwrite.cli.url' => 'https://xxxxx/nextcloud',
      'dbtype' => 'mysql',
      'version' => '11.0.1.2',
      'dbname' => 'nextcloud',
      'dbhost' => '127.0.0.1',
      'dbport' => '',
      'dbtableprefix' => 'oc_',
      'dbuser' => 'nextcloud',
      'dbpassword' => 'Sielstetten',
      'logtimezone' => 'Europe/Berlin',
      'installed' => true,
      'forcessl' => true,
      'default_language' => 'de',
      'defaultapp' => 'files',
      'knowledgebaseenabled' => true,
      'enable_avatars' => true,
      'allow_user_to_change_display_name' => true,
      'remember_login_cookie_lifetime' => 1296000,
      'session_lifetime' => 86400,
      'session_keepalive' => true,
      'mail_smtpmode' => 'smtp',
      'mail_smtphost' => 'smtp.live.com',
      'mail_smtpport' => '587',
      'mail_smtpsecure' => 'tls',
      'mail_smtpauth' => true,
      'mail_smtpauthtype' => 'LOGIN',
      'mail_smtpname' => 'xxxxx',
      'mail_smtppassword' => 'xxxxx',
      'mail_from_address' => 'nextcloud',
      'has_internet_connection' => true,
      'appstoreenabled' => true,
      'appstoreurl' => 'https://apps.nextcloud.com/api/v0',
      'apps_paths' =>
      array (
        0 =>
        array (
          'path' => '/var/www/nextcloud/apps',
          'url' => '/apps',
          'writable' => true,
        ),
      ),
      'appcodechecker' => true,
      'appstore.experimental.enabled' => true,
      'updatechecker' => true,
      'check_for_working_webdav' => true,
      'check_for_working_wellknown_setup' => true,
      'loglevel' => 2,
      'theme' => '',
      'maintenance' => false,
      'overwritewebroot' => '/nextcloud',
      'memcache.local' => '\\OC\\Memcache\\Redis',
      'debug' => false,
      'trashbin_retention_obligation' => 'auto',
      'filelocking.enabled' => 'true',
      'memcache.distributed' => '\\OC\\Memcache\\Redis',
      'memcache.locking' => '\\OC\\Memcache\\Redis',
      'redis' =>
      array (
        'host' => 'localhost',
        'port' => 6379,
        'timeout' => 0.0,
        'dbindex' => 0,
      ),
      'updater.release.channel' => 'stable',
    );

The output of your Apache/nginx/system log in `/var/log/____`:

    cat error.log
    2017/01/31 19:38:37 [info] 3313#3313: Using 32768KiB of shared memory for push module in /etc/nginx/nginx.conf:64

---

Remember, this information may be requested if it isn't supplied; for fastest response please provide as much as you can :heart:
Feel free to use a pastebin service, otherwise log files can be indented with 4 spaces on each line to present them in a friendlier way on the forum.

My version of Firefox is 51.0.1, and the changes in my nginx config were exactly like you wrote.
The reason for the change is that Nextcloud is not that quick at presenting the web page, and I read that it is quicker if I am using http2.

There is a longer thread about http2 which might contain some interesting information for you:

Found the problem:
Firefox and Nextcloud will not work if

includeSubDomains; preload;";

is added in NGINX.
I saw that in a docu of nextcloud.

After removing it from the virtual host, all is working fine with http2.

Thanks for support

Hi @Tom63

Glad to hear you resolved the issue. But I should note that it should work with includeSubDomains; preload. For instance, my record is strict-transport-security: max-age=63072000; includeSubDomains; preload, and it works fine.

That sounds interesting.
May I ask what your v-host in nginx looks like?
For me it works if I delete
includeSubDomains; preload;";
There must be a difference between the nginx configurations.

Hi @Tom63

My configuration is pretty basic. Here’s the template I use.

server {
    # General Configuration
    listen 443 ssl http2;
    server_name example.com www.example.com;
    root /path/to/the/website/example.com/public_html;

    # Setup SSL
    ssl on;
    ssl_certificate /path/to/ssl/example.com/fullchain.pem;
    ssl_certificate_key /path/to/ssl/example.com/example.com.key;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

    # Turn HTTPS on
    fastcgi_param HTTPS on;

    # Include a CMS template. IE, WordPress, Nextcloud, Drupal, etc.
    include /path/to/cms/template.conf;

    # End Configuration
}

I should note that if you add the Strict-Transport-Security header and don’t have SSL turned on, then Firefox will correctly refuse to load the site. If you include SubDomains, and you have unsecured sub domains, then the same problem will happen. In either case, it’s not a Nextcloud or Nginx issue.

It’s not a good idea to set up pre-load unless you intend to actually pre-load your site, and have every service at your domain secured by SSL. For pre-loading, see https://hstspreload.org/

I tried it now with ssl on, but Nextcloud will not load.
Here is my conf file. It is a bit larger because I am using not only Nextcloud.
Maybe you will see something strange.

map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}

upstream php-handler {
server unix:/run/php/php7.0-fpm.sock;
}

server {
listen 443 http2 ssl;
listen [::]:443 http2 ssl;
server_name _;

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

ssl on;
ssl_certificate /etc/nginx/ssl/sielstetten.crt;
ssl_certificate_key /etc/nginx/ssl/sielstetten.key;

    root /var/www;
    client_max_body_size 1000M; # set maximum upload size
    fastcgi_buffers 64 4K;

fastcgi_read_timeout 300;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

### For Nextcloud Collabora Online ###
# static files
location ^~ /loleaflet {
	proxy_pass https://sielstetten:9980;
	proxy_set_header Host $http_host;
}

# WOPI discovery URL
location ^~ /hosting/discovery {
	proxy_pass https://sielstetten:9980;
	proxy_set_header Host $http_host;
}

# websockets, download, presentation and image upload
location ^~ /lool {
	proxy_pass https://sielstetten:9980;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
	proxy_set_header Host $http_host;
}
######################################
### For Nextcloud ###
# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000;
includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
#####################

###  APARTMENT CONTROL  ###
location /Wohnung {
	auth_basic "Restricted";
	auth_basic_user_file /home/sielstetten/password/.sielstetten;
	try_files $uri $uri/ index.php;
############################
}
###  INVERTER  ###
location /Wechselrichter {
	autoindex on;
	try_files $uri $uri/ index.php;
}
########################
###  PHPMYADMIN  ###
	location /phpmyadmin {
	deny all;
}
########################
location ~* \.php$ {
	fastcgi_read_timeout 150;
	include fastcgi_params;
	fastcgi_pass unix:/run/php/php7.0-fpm.sock;
	include snippets/fastcgi-php.conf;
}
###  http-bind for ejabberd  ###
location ~ ^/http-bind {
	proxy_pass            https://192.168.178.10:5280;
	proxy_set_header      Host $http_host;
	proxy_redirect        off;
	proxy_buffering       off;
	proxy_connect_timeout 5s;
	proxy_read_timeout    320s;
	tcp_nodelay           on;
	keepalive_timeout     320s;
	send_timeout          320s;
}

location = /robots.txt {
	allow all;
	log_not_found off;
	access_log off;
}

###  NEXTCLOUD  ###

# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
# rewrite ^/.well-known/host-meta /nextcloud/public.php?service=host-meta
# last;
#rewrite ^/.well-known/host-meta.json
# /nextcloud/public.php?service=host-meta-json last;

location = /.well-known/carddav {
	return 301 $scheme://$host/nextcloud/remote.php/dav;
}
location = /.well-known/caldav {
	return 301 $scheme://$host/nextcloud/remote.php/dav;
}	

location /.well-known/acme-challenge { }

location ^~ /.well-known/acme-challenge/ {
	alias /var/www/acme-challenge/;
}
location ^~ /nextcloud {

	# set max upload size
	client_max_body_size 512M;
	fastcgi_buffers 64 4K;

	# Disable gzip to avoid the removal of the ETag header

gzip off;

	# Uncomment if your server is build with the ngx_pagespeed module
	# This module is currently not supported.
	#pagespeed off;

	error_page 403 /nextcloud/core/templates/403.php;
	error_page 404 /nextcloud/core/templates/404.php;

	location /nextcloud {
		rewrite ^ /nextcloud/index.php$uri;
	}

	location ~^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
		deny all;
	}
	location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) {
		deny all;
	}

	location ~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
		#include fastcgi_params;
		fastcgi_split_path_info ^(.+\.php)(/.*)$;
                    include fastcgi_params;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		fastcgi_param PATH_INFO $fastcgi_path_info;
		fastcgi_param HTTPS on;
		#Avoid sending the security headers twice
		fastcgi_param modHeadersAvailable true;
		fastcgi_param front_controller_active true;
		fastcgi_pass php-handler;
		fastcgi_intercept_errors on;
		fastcgi_request_buffering off;
	}

	location ~ ^/nextcloud/(?:updater|ocs-provider)(?:$|/) {
		try_files $uri/ =404;
		index index.php;
	}

	# Adding the cache control header for js and css files
	# Make sure it is BELOW the PHP block
	location ~* \.(?:css|js)$ {
		try_files $uri /nextcloud/index.php$uri$is_args$args;
		add_header Cache-Control "public, max-age=7200";
		# Add headers to serve security related headers  (It is intended
		# to have those duplicated to the ones above)
		# Before enabling Strict-Transport-Security headers please read
		# into this topic first.
		# add_header Strict-Transport-Security "max-age=15768000;
		# includeSubDomains; preload;";
		add_header X-Content-Type-Options nosniff;
		add_header X-Frame-Options "SAMEORIGIN";
		add_header X-XSS-Protection "1; mode=block";
		add_header X-Robots-Tag none;
		add_header X-Download-Options noopen;
		add_header X-Permitted-Cross-Domain-Policies none;
		# Optional: Don't log access to assets
		access_log off;
	}

	location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
		try_files $uri /nextcloud/index.php$uri$is_args$args;
		# Optional: Don't log access to other assets
		access_log off;
	}
}

# spreed-webrtc blocks
location ^~ /webrtc {
	proxy_pass http://127.0.0.1:8080;
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection $connection_upgrade;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_set_header Host $http_host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

	proxy_buffering             on;
	proxy_ignore_client_abort   off;
	proxy_redirect              off;
	proxy_connect_timeout       90;
	proxy_send_timeout          90;
	proxy_read_timeout          90;
	proxy_buffer_size           4k;
	proxy_buffers               4 32k;
	proxy_busy_buffers_size     64k;
	proxy_temp_file_write_size  64k;
	proxy_next_upstream         error timeout invalid_header http_502 http_503 http_504;
}

}
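
Added example, not written by any poster in this thread: a small Python lint for the two Strict-Transport-Security `add_header` directives posted above. It flags a quoted value that spans a line break (nginx keeps the newline inside the string, and RFC 7540 section 10.3 has HTTP/2 peers treat header values containing CR or LF as malformed) and checks the hstspreload.org requirements; the function names are hypothetical and the sample strings are constructed from the posted configs.

```python
import re

# Constructed from the two add_header directives posted in this thread.
TEMPLATE_CONF = ('add_header Strict-Transport-Security '
                 '"max-age=63072000; includeSubDomains; preload";\n')
POSTED_CONF = ('add_header Strict-Transport-Security "max-age=15768000;\n'
               'includeSubDomains; preload;";\n')

# A double-quoted nginx string may span lines, so [^"]* must match newlines too.
HSTS_RE = re.compile(
    r'^\s*add_header\s+Strict-Transport-Security\s+"([^"]*)"\s*;', re.M | re.I)

PRELOAD_MIN_AGE = 31536000  # one year, the minimum hstspreload.org accepts


def parse_hsts(value):
    """Split an HSTS value into a {directive: argument} dict (RFC 6797)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:  # empty directives (e.g. a trailing ';') are legal
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def lint_hsts(conf_text):
    """Return findings for every uncommented HSTS add_header in conf_text."""
    findings = []
    for match in HSTS_RE.finditer(conf_text):
        value = match.group(1)
        if "\r" in value or "\n" in value:
            findings.append("value spans a line break: CR/LF in a header "
                            "value is malformed in HTTP/2")
        d = parse_hsts(value)
        max_age = d.get("max-age", "")
        if not max_age.isdigit():
            findings.append("max-age missing or not a number")
        elif "preload" in d and int(max_age) < PRELOAD_MIN_AGE:
            findings.append("preload set but max-age is below one year")
        if "preload" in d and "includesubdomains" not in d:
            findings.append("preload set without includeSubDomains")
    return findings


if __name__ == "__main__":
    for label, conf in (("template", TEMPLATE_CONF), ("posted", POSTED_CONF)):
        print(label, lint_hsts(conf) or "ok")
```

Run against the two directives, the single-line template passes, while the two-line directive is flagged for the embedded newline and for a `max-age` below the preload minimum.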

The configuration could use some TLC. Here’s my advice. Opinion only :slight_smile:

1: Put the location blocks in order of execution.
2: Don’t duplicate settings in the same server block.
3: Don’t pass everything that ends in .php over to php-fpm. This is a security risk.
4: Keep your fastcgi settings in a separate file and include them once.
5: Don’t mix web hosting and proxy hosting in the same server block.

If you can, split out different apps into different server blocks. Sub domain names work well here and help avoid mixing configuration information between locations.

Questions:
Does Chrome still work when you switch to HTTP/2? If so, it’s not an Nginx issue.
Have you tried Firefox on a different computer?

I will try to change my nginx as you said.
I took that configuration from the docu of nextcloud 7 and added my other functions such as webrtc …

Yes, with Chromium it works, and I tried it with different laptops as well as with virtual machines.