DirectAdmin Knowledge Base

If Safari (and possibly other browsers) fails to load a site over HTTPS served by NGINX sitting as a reverse proxy in front of Apache:

Safari can't open the page. The error is: "The operation couldn't be completed. Protocol error" (NSPOSIXErrorDomain:100)

we have a possible solution for the case.

Why it happens?

NGINX when installed as a reverse proxy with Apache as a back-end fetches resources from Apache using HTTP/1.1, which the back-end server tries to upgrade to HTTP/2 by sending the "Upgrade: h2" header:

Upgrade: h2, h2c

And NGINX is transmitting the header Upgrade from Apache to a client, i.e. browser. And browsers on iOS (on iPhone) and on macOS High Sierra from Apple might fail here and drop a connection to such a site.

It will mostly effect CentOS 7 due to OpenSSL version 1.0.2+ which is now installed by default on this OS since September 2017 And Apache gets built against OpenSSL 1.0.2+:

# apachectl -v
Server version: Apache/2.4.27 (Unix)
Server built:   Sep 24 2017 23:11:03

# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

Older OS with Apache 2.4.x and OpenSSL 1.0.2+ might be affected too.

What to do?

In order to solve the issue on a server with Directadmin we need to add the following instruction into NGINX :

proxy_hide_header Upgrade;

So we run:

echo "proxy_hide_header Upgrade;" >> /etc/nginx/nginx-includes.conf
service nginx restart

The issue should be resolved at this moment.

You don't have directadmin?

If you don't have Directadmin you can also use this solution, but you should add the mentioned directive into /etc/nginx.conf or try a file under /etc/nginx/conf.d/.

Need more details?

More information:

• NGINX trac: "Upgrade" header should not be proxied over h2
• Module ngx_http_proxy_module: proxy_hide_header