NGINX with NextCloud and HTTP2

Started by abuabdullah, July 08, 2023, 08:41:16 PM

Hi,

Long-time reader and first-time poster. I have been using OPNsense for some time, and I have always used HAProxy to set up access. It's worked well, but me being me, I like to change things up, and I am partial to Nginx.

I set up Nginx in the normal way (following the tutorial here: https://forum.opnsense.org/index.php?topic=19305.0) and got communication working. For some reason, if I use Firefox to access NextCloud it works fine. If I use iOS or OS X Safari, or even curl, it gives me an HTTP/2 error:
curl: (92) HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)

I read online somewhere about a similar scenario with an AWS LB and Nginx. Basically, the LB was downgrading the original HTTP/2 request, so Nginx would send out an upgrade response. AWS would forward the upgrade response back to the client, which would just drop the connection because it's already using HTTP/2.

Just to sanity-check the Apache and Nextcloud services, I switched back from Nginx to HAProxy, and it basically immediately started working again. I am not able to find any HTTP/2 settings in the Nginx GUI, and I'm not sure what I can do. It may well be that the functionality is missing from the GUI.

-------------------------------------------- Update from within the new post --------------------------

I was drafting the above post to ask for help, but I saw this comment posted 7 years ago (https://trac.nginx.org/nginx/ticket/923):
Quote: There are no plans to implement HTTP/2 support in the proxy module in the foreseeable future, see detailed answer here. If you want to use nginx to balance multiple servers, consider using the stream module to do this.

So I'm still going to post this in case someone is trying to figure this out. If you aren't able to hit your HTTP/2 services from Safari but can with Firefox, this might be why. Nginx allows you to use streams, which have some host header inspection options, but I've spent a whole day on this and I am ready to give up. I can't find the relevant options in the GUI, and I don't want to start modifying configs now. Maybe someone else will have more luck?

I need to route multiple mixed services, so either I have to disable HTTP/2 (a quick Google search doesn't really come up with much; most people are trying to enable HTTP/2 on Nextcloud) or just go back to HAProxy. Kind of a shame; I wanted to use the basic WAF rules, which will have to be done on an individual service level now.
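An added example, not from the thread and not the config the OPNsense Nginx plugin generates, of what the two routes mentioned above look like in raw nginx configuration: the stream module (TLS passthrough selected by SNI, so HTTP/2 stays end-to-end but no HTTP-level WAF rules can be applied) and the proxy module (nginx terminates TLS and HTTP/2, then speaks HTTP/1.1 to the backend, which is what the quoted ticket describes). Hostnames, ports and certificate paths are placeholders. The thread never identifies the root cause of the curl error, so the `proxy_hide_header Upgrade;` line is an assumption: a commonly reported cause of exactly that PROTOCOL_ERROR with Apache and mod_http2 behind nginx is Apache adding `Upgrade: h2,h2c` to its HTTP/1.1 responses, which nginx forwards; connection-specific headers are forbidden in HTTP/2 responses (RFC 7540 section 8.1.2.2), and strict clients such as Safari and curl abort on them while Firefox tolerates them.

```nginx
# Added example (not from the thread, not the OPNsense plugin's output).
# Hostnames, addresses and certificate paths are placeholders.

# Option A: SNI-based TLS passthrough with the stream module.
# nginx never decrypts or parses HTTP here, so the client's HTTP/2 session
# reaches the backend unchanged, but nothing HTTP-level (WAF rules, headers)
# can be inspected or rewritten on the way.
stream {
    map $ssl_preread_server_name $passthrough_upstream {
        cloud.example.com   127.0.0.1:8443;   # hand to the http{} block below
        other.example.com   10.0.0.20:443;    # a service that stays untouched
        default             127.0.0.1:8443;
    }

    server {
        listen 443;
        ssl_preread on;                      # read the ClientHello only
        proxy_pass $passthrough_upstream;
    }
}

# Option B: terminate TLS and HTTP/2, proxy HTTP/1.1 to Apache + Nextcloud.
# This is the only place the WAF rules can run, and the only place the
# backend's hop-by-hop headers can be cleaned up before they reach an
# HTTP/2 client.
http {
    server {
        listen 127.0.0.1:8443 ssl http2;     # nginx >= 1.25.1 prefers "http2 on;"
        server_name cloud.example.com;

        ssl_certificate     /etc/ssl/cloud.example.com.crt;
        ssl_certificate_key /etc/ssl/cloud.example.com.key;

        location / {
            proxy_pass https://10.0.0.10:443;   # the proxy module is HTTP/1.x only
            proxy_http_version 1.1;
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;

            # Assumption: Apache's mod_http2 answers HTTP/1.1 requests with
            # "Upgrade: h2,h2c". Connection-specific headers must not appear
            # in an HTTP/2 response (RFC 7540 8.1.2.2); if this one leaks,
            # Safari and curl report PROTOCOL_ERROR while Firefox ignores it.
            proxy_hide_header Upgrade;
        }
    }
}
```

To confirm the assumption before changing anything, fetch a page directly from the Apache backend over HTTP/1.1 (for example `curl -sI --http1.1 https://10.0.0.10/ -H 'Host: cloud.example.com'`) and look for an `Upgrade:` line in the response headers. If it is there, the nginx-side fix above or the Apache-side equivalent (turning off the upgrade offer with `H2Upgrade off`, or removing `h2`/`h2c` from Apache's `Protocols`) should make the HTTP/2 clients behave; if it is not, the cause is elsewhere.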

Why not just combine HAProxy + NAXSI like this: https://www.haproxy.com/blog/high-performance-waf-platform-with-naxsi-and-haproxy ?

At least it gets the job done for me!
2x 23.7 VMs & CARP, 4x 2.1GHz, 8GB
Cisco L3 switch, ESXi, VDS, vmxnet3
DoT, Chrony, HAProxy + NAXSI, Suricata
VPN: IPSec, OpenVPN, Wireguard
MultiWAN: Fiber 500/500Mbit dual stack + 4G failover

--
Available for private support.
Did my answer help you? Feel free to click [applaud] to the left

Ooh, this looks good, I'll try it out, thanks. It does look a bit complicated; I'm guessing I need to make manual changes to the config on OPNsense? I'm trying to keep everything firewall-side just because it will be easier to manage.

You're welcome.

Yeah, unfortunately it is more complex, but in return it's also more flexible and a good compromise to utilize the Naxsi ruleset while still keeping the functionality of HAProxy.

Not really sure what you mean by "make manual changes to the config on opnsense", but I configured it all in the web UI.