Okay so…
skylon.com and www.skylon.com have no AAAA records, and are the ones we have no issues with.
test.skylon.com has an AAAA record. How?! There are absolutely no AAAA records in my CF account, only A:
;; A Records (IPv4 addresses)
www.skylon.com. 1 IN A 23.253.218.146
skylon.com. 1 IN A 23.253.218.146
test.skylon.com. 1 IN A 23.253.218.146
The only other records are MX, TXT, and CNAME.
The AAAA records are automatically assigned (along the standard A records) when you proxy through Cloudflare. Proxied sites are reachable via IPv6 even when the origin does not support IPv6.
You’d need to disable IPv6 on Cloudflare’s side to remove these. Though that requires a call via the API as Cloudflare does not offer the ability to disable it via the UI.
Okay, cool. That’s done, and I verified the response from the API:
{“result”:{“id”:“ipv6”,“value”:“off”,“modified_on”:“2018-10-17T16:45:56.586227Z”,“editable”:true},“success”:true,“errors”:,“messages”:}
Still seeing the issue, but I am thinking the user might need time for the TTL to die on that record, so I will leave it for a bit. Thank you for all your help, and I’ll update if it works or not.
Though the entire issue seems a bit weird. The original error message would leave the impression Cloudflare cant be reached at all, otherwise there should be at least a Cloudflare error. However the trace page does show the request goes through.
Unless iOS’ Safari (and yes, Chrome is just a Safari shell on iOS) does some error hiding (like IE used to do for some errors).
What about that?
Plain http works as intended everywhere. Site loading perfectly. My co-worker is on lunch, but I am going to have her test the https://test.* again once she’s back.
Hi @paul33, question and a suggestion.
Question - do the issues with iOS device happen only on the mobile network or on wifi as well? If only mobile, only Rogers or other operators, too?
Suggestion - As you trouble shoot this with your colleague, on the Network tab, turn off HTTP/2?
If /cdn-cgi/ hadnt worked, I would have pointed towards TLS. But with it working 
I turned off HTTP2, and it is working on both wifi and Rogers now. Does this mean we cannot use http2, because iOS/Safari is having issues with it?
EDITED because I can no longer reply? I’ve reached my limit…
So…
try this set TLS minimum to TLS v1.2 and re-enable HTTP/2
Done, back to not being able to reload page.
Removed h2c from protocols on origin apache server. Do I need to refresh cache?
try this set TLS minimum to TLS v1.2 and re-enable HTTP/2
edit also if using Apache origin web server make sure h2c isn’t set in your protocol supported list
Protocols h2 h2c http/1.1
so maybe
Protocols h2 http/1.1
Can we please go back to unencrypted HTTP 1.0 (who cares about host headers)? Things were so much easier back then 
</rant>
@cloonan, any idea why that broke on Safari, but only for the proxied page and not cdn-cgi?
This was bothering me so I dug into old support tickets and found a comment on a similar ticket to head of line blocking that pointed to this article, The Full Picture on HTTP/2 and HOL Blocking | by Shauli Gal | Salesforce Engineering.
This line makes me think it’s latency over the mobile network, “…unexpectedly large variations in latency or a loss affecting the segment at the TCP head of line makes HTTP/2 more likely to hit HOLB, and its impact is larger as well. Basically, the receiver stands idle till the head is recovered, while all the subsequent segments are held by the TCP stack. This means that an image might be downloaded successfully and still not show up due to HOLB.”
yeah i’d purge cf cache globally and verify Cloudflare proxied requests are not serving Upgrade header in your requests
also ensure you restarted apache after making the change to remove h2c
Purged, and yes, I’ve restarted apache a dozen times. 
When I check the headers of https://test.*, it’s showing me an upgrade header: “upgrade: http/1.”
During testing this afternoon, I found out that I can replicate the issue with cURL!
With http2 enabled:
[email protected]:/etc/apache2$ curl -v --http2 https://test.skylon.com
GET / HTTP/2
Host: test.skylon.com
User-Agent: curl/7.58.0
Accept: /
Website never outputs.
With http2 disabled:
[email protected]:/etc/apache2$ curl -v --http2 https://test.skylon.com
GET / HTTP/1.1
Host: test.skylon.com
User-Agent: curl/7.58.0
Accept: /
0 0 0 0 0 0 0 0 --:–:-- 0:00:01 --:–:-- 0{ [5 bytes data]
< HTTP/1.1 200 OK
< Date: Thu, 18 Oct 2018 01:56:20 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=d829126e731937d1d656de95c466eb0411539827779; expires=Fri, 18-Oct-19 01:56:19 GMT; path=/; domain=.skylon.com; HttpOnly
< Link: https://www.skylon.com/wp-json/; rel=“https://api.w.org/”, https://www.skylon.com/; rel=shortlink
< Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
< Upgrade: http/1.
< Cache-Control: max-age=600
< Expires: Thu, 18 Oct 2018 02:06:19 GMT
< Vary: Accept-Encoding
< Expect-CT: max-age=604800, report-uri=“https://report-uri.Cloudflare.com/cdn-cgi/beacon/expect-ct”
< Server: Cloudflare
< CF-RAY: 46b76345aa7955f4-ORD
<
{ [639 bytes data]
100 90670 0 90670 0 0 71113 0 --:–:-- 0:00:01 --:–:-- 71057
And I get an output of the html code as well (which I’ve omitted.)
Does this shed any light on the issue?
Thanks to all who have been helping me
problem as i suspected is still the rogue HTTP header = Upgrade HTTP/1 being sent from your origin and being passed on by Cloudflare it seems as you can’t upgrade an already HTTP/2 connection to HTTP/2
http2 error: Invalid HTTP header field was received: frame type: 1, stream: 1, name: [upgrade], value: [http/1.]
HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)
Connection #0 to host test.skylon.com left intact
curl: (92) HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)
check all Apache origin httpd.conf and apache vhost and .htaccess files for any additionally added Upgrade headers that maybe added
Unfortunately, there’s no instance of the word “upgrade” in my /etc/apache, and I have no other config files.
Also, a curl -v -http2 http://www.skylon.com never shows the upgrade header, which makes me think it can’t be passed from the origin server? Wouldn’t it show on the origin server as well? (Which is running http2.)
try a recursive case insensitive grep search in /etc/apache
grep -ir 'upgrade' /etc/apache
can also do search on your apache public web root directories to see if .htaccess files added such
I did do a recursive search… HOWEVER. I fixed it.
My protocols line was
Protocols h2 http/1.
I am 100% unsure why it was like that, but the trailing 1 was missing and that killed it. I re-enabled http2, and ran a cURL again:
GET / HTTP/2
Host: test.skylon.com
User-Agent: curl/7.58.0
Accept: /
{ [5 bytes data]
I went back through and re-enabled stuff in CF I had disabled (like TLS 1.3), and I will get my co-workers to test tomorrow.
Thank you SO MUCH for the help!!!
ah typo ! heh
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.