Force http1.1 from Tunnel agent to origin?

Is there a way to force tunnel agent to origin using HTTP 1.1? I am getting ERROR_HTTP2_PROTOCOL_ERROR when on https

I wonder, is it because of your Web browser, or rather due to the origin not being capable of serving HTTP/2 requests (or not working over it + SSL/TLS etc.)?

Do you continuously get this error or on some specific HTTP request to some Web app?

Do you have some strange or long strings/encodings on that Webpage (I assume?) you are trying to open? (for example Base64 images in CSS, etc.)

Does it work properly when not using Cloudflare - meaning your origin is serving either HTTP/1.1 or HTTP/2 actually? (or not?), or when temporarily disabling it for your domain name?

From the documentation, we can change protocol to some other available value in the config file:

Web browsers always connect to the HTTP/1.1 and therefore upgrade it to HTTP/2 (if the HTTP header is being offered).

Moreover, connections from Cloudflare’s Edge to your origin server(s) only support HTTP/1.1 as far as I remember correctly:

You can also disable HTTP/2 at your origin host/server, but …

Also, Cloudflare only supports HTTP/2 over TLS, meaning you would have to set up your origin host / server to work over HTTPS and also make sure your domain name is working over HTTPS (using the SSL certificate, etc.).

Maybe I did not answer your question directly, but rather gave you some feedback information for further troubleshooting.

That is already the case. CF edge communicates to Cloudflared daemon via HTTP/2 but Cloudflared daemon communicates to origin via HTTP/1.1. What does a curl test for your domain site return when you check via https://tools.keycdn.com/curl ? If it’s okay, then make sure your own computer’s firewall/antivirus isn’t using an HTTPS inspection-like feature which may not properly support an HTTP/2 connection with the right SSL ciphers when connecting to the Cloudflare edge server. If that is the case, disable the HTTPS inspection feature in your local computer’s antivirus/internet security software.

The protocol setting just controls how Cloudflare edge servers communicate with the Cloudflared daemon installed on the origin server, and the only 4 options available are auto, h2mux, http2 and quic: https://blog.centminmod.com/2021/02/09/2250/how-to-setup-cloudflare-argo-tunnel-on-centos-7/

1 Like
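
An added example, not part of the thread and not a configuration posted by any participant: a cloudflared `config.yml` sketch that separates the two hops described in the post above. The tunnel ID, credentials path and hostname are constructed placeholders; `http2Origin` is cloudflared's per-origin option and is off by default, so the agent speaks HTTP/1.1 to the origin.

```yaml
# Constructed example; tunnel ID, paths and hostname are placeholders.
tunnel: <TUNNEL-UUID>
credentials-file: /path/to/<TUNNEL-UUID>.json

# Hop 1: Cloudflare edge <-> cloudflared daemon.
# This is the only leg that `protocol` controls
# (auto, h2mux, http2 or quic).
protocol: http2

ingress:
  # Hop 2: cloudflared daemon <-> origin.
  # The scheme in `service` decides plain HTTP vs TLS to the origin.
  - hostname: app.example.com
    service: http://localhost:8080
    originRequest:
      # false is the default: cloudflared talks HTTP/1.1 to the origin,
      # independent of the `protocol` value above.
      http2Origin: false
  # cloudflared requires a final catch-all rule.
  - service: http_status:404
```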

When I open it in a browser locally, it works fine. The Cloudflare tunnel is talking to my origin in http.
When a user hits the Cloudflare edge in HTTP, it works fine. But if a user hits the Cloudflare edge in HTTPS, they get that error. So I am confused. At the beginning, I suspected the application’s web server is pretty old. I put an NGINX reverse proxy in front of it, problem still there. I can’t think of any possible way of it.

I am getting this error consistently regardless of browser.
In Cloudflare config.yml, it’s basically just
ingress:

I try to point it to application directly or nginx reverse proxy. It doesn’t make any difference.

What is the port here?
Maybe you are using non-supported/non-compatible one here, or at least it could be that Nginx Reverse Proxy is not working as expected over HTTPS.

Never mind, we could end up far from what you asked about HTTP/1.1.

May I also ask which option have you got selected under the SSL/TLS tab of Cloudflare dashboard for your domain name?

In SSL tab in Cloudflare dashboard, it’s set to flexible. On the tunnel backend, I try to run to port 80 http nginx reverse proxy or https 443 ssl proxy or straight to application HTTP on port 8080. They all essentially behave the same.

In terms of security and some possible issues like redirection loops, or other HTTPS (SSL) errors I would just like to add a note here regarding Flexible SSL in the below two articles and also a tutorial of how to properly setup the SSL for your domain with Cloudflare:

In case you do not have an SSL certificate, you can use Cloudflare SSL. If so, kindly make sure you follow the instructions in the below article to set up an SSL certificate using a Cloudflare Origin CA Certificate:

1 Like

I do have Origin CA cert installed. I think I tried it once but no improvement. I’ll test it again.

I am pointing Cloudflare Tunnel to the NGINX reverse proxy using HTTPS with the Origin CA cert. And in the dashboard, I set it to full/strict. I am getting 502 Bad Gateway when users hit the same URL in HTTPS. But it works fine when users hit the same URL in HTTP.