id,summary,reporter,owner,description,type,status,priority,milestone,component,version,resolution,keywords,cc,uname,nginx_version 1928,browser cannot correctly decode http response headers when http2 is used,val-kulkov@…,,"When http2 is enabled, Google Chrome and Firefox cannot correctly decode http2 response headers received from Nginx. The response headers appear scrambled. At the same time, both browsers decode the body of the response correctly. Since the browser cannot correctly decode http2 response headers, the browser displays ""ERR_SPDY_COMPRESSION_ERROR"" error (""gzip on;"" in nginx.conf) or the ""ERR_HTTP2_PROTOCOL_ERROR"" (""gzip off;""). This issue has been observed in OpenWrt by multiple users: https://github.com/openwrt/packages/issues/8988 A Wireshark packet capture of a conversation between Google Chrome and Nginx (with SSLKEYLOGFILE environment variable set to capture SSL keys) is attached. To decode and view the captured SSL stream in Wireshark, right-click on a TLSv1.3 packet in the packets pane, select ""Protocol Preferences"" -> ""(Pre)-Master-Secret log filename..."", click on ""Browse..."" button next to ""(Pre)-Master-Secret log filename..."" and select the attached ""session_keys.log"" file. Packet 36 is the browser's http2 request to Nginx. Everything looks normal in it. Packet 39 contains the http2 response from Nginx, and that is where things are not normal. The first header in the response looks good: "":status: 200 OK"", but then all remaining headers except content-type and content-length appear scrambled. It is very odd that the body of http2 response from Nginx in packet 41 appears just fine: the browser is able to correctly decode the body of http2 response. This problem manifests itself on the OpenWrt x86_64 platform, as noted in the OpenWrt issue mentioned above. Nginx on non-x86_64 OpenWrt platforms appear to work fine. ",defect,closed,major,,nginx-module,1.17.x,invalid,http2 OpenWrt,val-kulkov@…,Linux eg19 4.19.84 #0 SMP Tue Nov 19 13:59:03 2019 x86_64 GNU/Linux,"nginx version: nginx/1.17.5 (x86_64-pc-linux-gnu) built with OpenSSL 1.1.1d 10 Sep 2019 TLS SNI support enabled configure arguments: --target=x86_64-openwrt-linux --host=x86_64-openwrt-linux --build=x86_64-pc-linux-gnu --program-prefix= --program-suffix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/lib --sysconfdir=/etc --datadir=/usr/share --localstatedir=/var --mandir=/usr/man --infodir=/usr/info --crossbuild=Linux::x86_64 --prefix=/usr --conf-path=/etc/nginx/nginx.conf --with-http_ssl_module --add-module=/home/val/Development/openwrt/targets/nuc_x86_64/build_dir/target-x86_64_musl/nginx-ssl/nginx-1.17.5/nginx-naxsi/naxsi_src --add-module=/home/val/Development/openwrt/targets/nuc_x86_64/build_dir/target-x86_64_musl/nginx-ssl/nginx-1.17.5/lua-nginx --with-ipv6 --add-module=/home/val/Development/openwrt/targets/nuc_x86_64/build_dir/target-x86_64_musl/nginx-ssl/nginx-1.17.5/nginx-ubus-module --with-http_auth_request_module --with-http_v2_module --with-http_realip_module --with-http_secure_link_module --with-http_sub_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --add-module=/home/val/Development/openwrt/targets/nuc_x86_64/build_dir/target-x86_64_musl/nginx-ssl/nginx-1.17.5/nginx-headers-more --add-module=/home/val/Development/openwrt/targets/nuc_x86_64/build_dir/target-x86_64_musl/nginx-ssl/nginx-1.17.5/nginx-brotli --add-module=/home/val/Development/openwrt/targets/nuc_x86_64/build_dir/target-x86_64_musl/nginx-ssl/nginx-1.17.5/nginx-rtmp --add-module=/home/val/Development/openwrt/targets/nuc_x86_64/build_dir/target-x86_64_musl/nginx-ssl/nginx-1.17.5/nginx-ts --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --with-cc=x86_64-openwrt-linux-musl-gcc --with-cc-opt='-I/home/val/Development/openwrt/targets/nuc_x86_64/staging_dir/target-x86_64_musl/usr/include -I/home/val/Development/openwrt/targets/nuc_x86_64/staging_dir/toolchain-x86_64_gcc-7.5.0_musl/usr/include -I/home/val/Development/openwrt/targets/nuc_x86_64/staging_dir/toolchain-x86_64_gcc-7.5.0_musl/include/fortify -I/home/val/Development/openwrt/targets/nuc_x86_64/staging_dir/toolchain-x86_64_gcc-7.5.0_musl/include -Os -pipe -fno-caller-saves -fno-plt -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -iremap/home/val/Development/openwrt/targets/nuc_x86_64/build_dir/target-x86_64_musl/nginx-ssl/nginx-1.17.5:nginx-1.17.5 -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -fvisibility=hidden -ffunction-sections -fdata-sections -DNGX_LUA_NO_BY_LUA_BLOCK' --with-ld-opt='-L/home/val/Development/openwrt/targets/nuc_x86_64/staging_dir/target-x86_64_musl/usr/lib -L/home/val/Development/openwrt/targets/nuc_x86_64/staging_dir/target-x86_64_musl/lib -L/home/val/Development/openwrt/targets/nuc_x86_64/staging_dir/toolchain-x86_64_gcc-7.5.0_musl/usr/lib -L/home/val/Development/openwrt/targets/nuc_x86_64/staging_dir/toolchain-x86_64_gcc-7.5.0_musl/lib -znow -zrelro -Wl,--gc-sections' --without-http_upstream_zone_module "