A set-up Cloudflare tunnel processes HTTP/3 requests fine, but doesn’t seem to accept HTTP/2.
What steps have you taken to resolve the issue?
Read forums on similar problems.
Updated Cloudflared to the latest version.
Checked my Cloudflare website configuration to see if it supports HTTP/2.
What are the steps to reproduce the issue?
Install Cloudflared on Synology NAS.
Configure a Tunnel in Cloudflare Zero Trust.
Make HTTP/2 and HTTP/3 requests to the NAS through the tunnel.
Check tunnel connector logs and find that the HTTP/3 requests are going through, but the HTTP/2 requests are not.
(They do reach Cloudflare; I can see the requests in website → my website → security → Analytics, and they are not mitigated.)
Just to clarify, I am trying to reach an application on my NAS. Through the web application this is working fine (HTTP/3), but the Android app seems to make HTTP/2 requests, which do not go through the tunnel. I am not trying to block anything, but want to access an application through a tunnel.
I can confirm HTTP/2 to Origin is enabled in the Cloudflare dashboard, and HTTP/2 is enabled in the NAS options.
The interesting thing is that the requests are not even seen in the live log of the tunnel. This indicates that the requests are being stopped before entering the tunnel (or they can’t?).
As far as I can find, HTTP/2 shouldn’t be a problem with a Cloudflare tunnel.
After a bit more testing I have found something interesting. Unlike previous testing, not only HTTP/2 requests are blocked, but some HTTP/3 requests as well. I am making HTTP/3 requests from a browser and a Windows application, of which the browser functions well, but the Windows application doesn’t get through. My HTTP/2 requests are coming from an Android phone.
The other thing besides HTTP version that differentiates the requests I am doing is the User Agent.
This is an example from a working request (made from the web application) (HTTP/3):
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
This is an example from a non-working request (made from the Windows application) (HTTP/3):
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.137 Safari/537.36
Could this be the reason some of the requests make it into the tunnel and some don’t?
After lots of videos I finally figured it out. In my tunnel’s public hostnames I have the public hostname set up as an HTTP service. This means the TLS options are disabled. The simple fix for this problem was switching to an HTTPS service type and changing the HTTP2 connection under TLS settings to on. After that I set the service type back to HTTP, otherwise the application would not function.
After this the tunnel works like a charm. A simple yet so frustrating solution.