HTTP2_SESSION_RECV_RST_STREAM

Hi,

My server has been giving the “net::ERR_HTTP2_PROTOCOL_ERROR 200” error for the last week.

Some files are not loading on my website and application. Downloading is also not possible. When I want to download a file, it returns a “Network Error” message.

I did a lot of research about this error but I couldn’t reach a clear conclusion. 80% of the time it is said to be caused by the client. It is said to be due to outdated programs, but I get the error myself.

I use Cloudflare for DNS management. I don’t get this error on my other servers with the same settings. When I view the certificate in the browser on my other servers, I see the Cloudflare certificate, but on my faulty server I see the Let’s Encrypt certificate.

Some of the resources are loaded and the rest give errors. The download also fails periodically. I have not found any way to solve this problem.

When I turn off the Cloudflare proxy it works fine but when I turn it back on the problem persists. It is dangerous to turn it off completely for security reasons. So I focused on investigating the cause of the error and came to the following conclusion.

I did a debug in the Chrome browser and this is the result I got in http2_session:
HTTP2_SESSION_RECV_RST_STREAM
→ error_code = “2 (INTERNAL_ERROR)”
→ stream_id = 73

I’m not sure if this error is entirely caused by Cloudflare, because I don’t get this error on my servers in different locations where I use Cloudflare. I think there might be a configuration setting on our server that we need to upgrade.

Can you please help with this?

So the fact that it’s an HTTP/2 related error is revealing - most likely your origin doesn’t support HTTP/2, which is why you don’t see the error with Cloudflare running in DNS only mode.

When you enable the Cloudflare proxy, we will start offering HTTP/2 to clients. HTTP/2 is quite a strict protocol compared to its predecessor, HTTP/1.1, and if your origin server is doing something unusual or non-compliant it may cause the HTTP/2 client or Cloudflare to break and error. Most likely your origin is emitting a response header that is duplicated, not supported in HTTP/2, or in an illegal format.

For a list of the headers your origin should not emit in HTTP/2, these are listed here as “Must not be used with HTTP/2”.

For convenience, those response headers are:

Connection
Transfer-Encoding

However, I believe we do sanitise/strip these for you, so it may actually be more likely that you have response headers poorly formatted, or duplicated.

The best way to debug this is to open the Developer Tools tab in your browser and reproduce the problem. Then, copy that request as a cURL. These instructions will help:

Once you have the cURL command, add the following on the end of it:

--insecure --verbose --output /dev/null --connect ::1.2.3.4

Replace 1.2.3.4 with your origin IP. That will then send the request to your origin.

Send us the output here (you can find and replace any mention of your domain name or your origin IP before sending it here if you want to keep that private).
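The three things the reply above says to look for (headers that must not be used with HTTP/2, duplicated headers, and illegally formatted headers) can be checked mechanically on the raw origin response before it ever reaches the proxy. The checker below is an added example, not code from the thread or from Cloudflare; the forbidden-header set follows RFC 9113, the singleton-header list is an assumption, and the sample response is constructed to resemble a chunked keep-alive nginx reply with two defects added on purpose.

```python
import re
from collections import Counter

# Response headers that must not be used with HTTP/2 (RFC 9113 section 8.2.2); the
# thread names Connection and Transfer-Encoding, the rest are the same hop-by-hop class.
H2_FORBIDDEN = {"connection", "transfer-encoding", "keep-alive", "proxy-connection", "upgrade"}
# Headers that may only appear once; a repeat is a malformed response (assumed list).
SINGLETON = {"content-type", "content-length", "content-encoding", "content-disposition",
             "location", "etag", "date", "last-modified"}
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 9110 field-name token


def parse_head(raw: bytes):
    """Split a raw HTTP/1.x response head into its status line and (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    fields = []
    for line in lines:
        name, sep, value = line.partition(":")
        fields.append((name, value.strip() if sep else None))  # None: no colon at all
    return status, fields


def check_h2_compat(raw: bytes) -> list:
    """List headers that can break the HTTP/1.1 -> HTTP/2 translation done by a proxy."""
    findings = []
    _, fields = parse_head(raw)
    counts = Counter(name.lower() for name, _ in fields)
    for name, value in fields:
        if value is None:
            findings.append(f"malformed header line (no colon): {name!r}")
            continue
        if not TOKEN.match(name):
            findings.append(f"illegal field name: {name!r}")
        if any(ord(c) < 0x20 and c != "\t" for c in value) or "\x7f" in value:
            findings.append(f"control character in value of {name}")
        if name.lower() in H2_FORBIDDEN:
            findings.append(f"must not be used with HTTP/2: {name}: {value}")
    for low, count in counts.items():
        if count > 1 and low in SINGLETON:
            findings.append(f"duplicated header: {low} x{count}")
    return findings


# Constructed sample modelled on a chunked keep-alive nginx response, with one
# duplicated header and one illegal field name added on purpose.
SAMPLE_ORIGIN_HEAD = (
    b"HTTP/1.1 200 OK\r\nServer: nginx-rc\r\nContent-Type: image/jpeg\r\n"
    b"Transfer-Encoding: chunked\r\nConnection: keep-alive\r\nContent-Encoding: br\r\n"
    b"Content-Type: image/jpeg\r\nX Bad Header: 1\r\n\r\n"
)
```

Feed it the `--verbose` output of the origin-directed curl request (the `<` lines, joined with CRLF) to see which headers the proxy would have to drop or reject.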

Hi,

Since the --connect parameter does not work on Windows, I sent it with the IP address I got the error with, using the --connect-to parameter.

Curl Request

curl "https://app.site.com/assets/custom/media/bg/bg-3.jpg"
-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0"
-H "Accept: image/avif,image/webp,*/*" -H "Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3"
-H "Accept-Encoding: gzip, deflate, br" -H "DNT: 1" -H "Connection: keep-alive"
-H "Referer: https://app.site.com"
-H "Sec-Fetch-Dest: image" -H "Sec-Fetch-Mode: no-cors" -H "Sec-Fetch-Site: same-origin" -H "TE: trailers" --insecure --verbose --output C:\Users\XX\Desktop\bg-3.jpg --connect-to ::172.67.137.138

Result:

Connecting to hostname: 172.67.137.138
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 172.67.137.138:443...
* Connected to (nil) (172.67.137.138) port 443 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.1
> GET /assets/custom/media/bg/bg-3.jpg HTTP/1.1
> Host: app.site.com
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
> Accept: image/avif,image/webp,*/*
> Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
> Accept-Encoding: gzip, deflate, br
> DNT: 1
> Connection: keep-alive
> Referer: https://app.site.com
> Cookie: **
> Sec-Fetch-Dest: image
> Sec-Fetch-Mode: no-cors
> Sec-Fetch-Site: same-origin
> TE: trailers
>
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* schannel: failed to decrypt data, need more data
< HTTP/1.1 200 OK
< Date: Thu, 31 Aug 2023 13:37:43 GMT
< Content-Type: image/jpeg
< Transfer-Encoding: chunked
< Connection: keep-alive
< last-modified: Fri, 16 Apr 2021 17:31:36 GMT
< vary: Accept-Encoding
< etag: W/"6079c9f8-3bbac"
< expires: Sat, 30 Sep 2023 12:40:42 GMT
< Cache-Control: max-age=16070400
< x-frame-options: SAMEORIGIN
< x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
< CF-Cache-Status: HIT
< Age: 3421
< Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=l1Skpb5bnnV3YCbK9FesjyEPSMVNx4IdJzG2c7rSiqBbYBY8%2FVvxotjBQKmoOjXtW0YnKiXlNUjz0KuttANUTzRQZrfT2UB1YTou0%2FB2wlCa8MSxU6OsSUS%2FivPmYNXe887oVZrVaQ%3D%3D"}],"group":"cf-nel","max_age":604800}
< NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
< Server: cloudflare
< CF-RAY: 7ff5ab766f50e18e-IST
< alt-svc: h3=":443"; ma=86400
<
{ [97350 bytes data]
100  238k    0  238k    0     0   5351      0 --:--:--  0:00:45 --:--:--     0* schannel: server closed the connection
100  238k    0  238k    0     0   5310      0 --:--:--  0:00:46 --:--:--     0* transfer closed with outstanding read data remaining
100  238k    0  238k    0     0   5309      0 --:--:--  0:00:46 --:--:--     0
* Closing connection 0
* schannel: shutting down SSL/TLS connection with app.site.com port 443
curl: (18) transfer closed with outstanding read data remaining

Apologies, --connect-to ::1.2.3.4 is the correct option. You are sending your request to Cloudflare though - the IP 172.67.137.138 is Cloudflare and not your origin. Can you repeat the test but specify your origin IP?

It was not giving the error for a few days. Today I’m getting the same error again, so I had to stop Cloudflare protection, but before stopping I did the debug process as you said. The output is as follows.

* Connecting to hostname: 77.**.**.***
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 77.**.**.***:443...
* Connected to (nil) (77.**.**.***) port 443 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.1
> GET /patient/file/display/201524/ HTTP/1.1
> Host: app.site.com
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
> Accept: image/avif,image/webp,*/*
> Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
> Accept-Encoding: gzip, deflate, br
> Alt-Used: app.site.com
> Connection: keep-alive
> Referer: https://app.site.com/file/xx
> Cookie: ***
> Sec-Fetch-Dest: image
> Sec-Fetch-Mode: no-cors
> Sec-Fetch-Site: same-origin
> TE: trailers
>
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
< HTTP/1.1 200 OK
< Server: nginx-rc
< Date: Fri, 08 Sep 2023 08:16:32 GMT
< Content-Type: image/jpeg
< Transfer-Encoding: chunked
< Connection: keep-alive
< Vary: Accept-Encoding
< Pragma: public
< Expires: 0
< Cache-Control: must-revalidate, post-check=0, pre-check=0
< Content-Disposition: attachment; filename="filename.jpg"
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Content-Encoding: br
<
{ [15919 bytes data]
* schannel: failed to decrypt data, need more data
{ [32768 bytes data]
* schannel: failed to decrypt data, need more data
{ [16384 bytes data]
* schannel: failed to decrypt data, need more data
{ [16384 bytes data]
* schannel: failed to decrypt data, need more data
{ [16384 bytes data]
* schannel: failed to decrypt data, need more data
{ [16384 bytes data]
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
{ [16384 bytes data]
* schannel: failed to decrypt data, need more data
{ [16384 bytes data]
* schannel: failed to decrypt data, need more data
{ [16384 bytes data]
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
{ [16384 bytes data]
* schannel: failed to decrypt data, need more data
{ [16384 bytes data]
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
{ [16384 bytes data]
100  214k    0  214k    0     0   818k      0 --:--:-- --:--:-- --:--:--  828k
* Connection #0 to host (nil) left intact

Hi Simon,

Do you have any suggestions for this problem with the files? When we want to download a file, we get a “connection error” and the process stops.

We want to use Cloudflare but we have to stop because of these errors. Your opinion is important for us.

So we’ve noticed Brotli compression is in use there ( < Content-Encoding: br ) - would you disable brotli on your origin server to eliminate that as a possible source of the issue?