id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1928	browser cannot correctly decode http response headers when http2 is used	val-kulkov@…		"When http2 is enabled, Google Chrome and Firefox cannot correctly decode http2 response headers received from Nginx. The response headers appear scrambled. At the same time, both browsers decode the body of the response correctly.

Since the browser cannot correctly decode http2 response headers, the browser displays ""ERR_SPDY_COMPRESSION_ERROR"" error (""gzip on;"" in nginx.conf) or the ""ERR_HTTP2_PROTOCOL_ERROR"" (""gzip off;"").

This issue has been observed in OpenWrt by multiple users: https://github.com/openwrt/packages/issues/8988

A Wireshark packet capture of a conversation between Google Chrome and Nginx (with SSLKEYLOGFILE environment variable set to capture SSL keys) is attached. To decode and view the captured SSL stream in Wireshark, right-click on a TLSv1.3 packet in the packets pane, select ""Protocol Preferences"" -> ""(Pre)-Master-Secret log filename..."", click on ""Browse..."" button next to ""(Pre)-Master-Secret log filename..."" and select the attached ""session_keys.log"" file.

Packet 36 is the browser's http2 request to Nginx. Everything looks normal in it. Packet 39 contains the http2 response from Nginx, and that is where things are not normal. The first header in the response looks good: "":status: 200 OK"", but then all remaining headers except content-type and content-length appear scrambled.

It is very odd that the body of http2 response from Nginx in packet 41 appears just fine: the browser is able to correctly decode the body of http2 response.

This problem manifests itself on the OpenWrt x86_64 platform, as noted in the OpenWrt issue mentioned above. Nginx on non-x86_64 OpenWrt platforms appear to work fine.
"	defect	closed	major		nginx-module	1.17.x	invalid	http2 OpenWrt	val-kulkov@…	Linux eg19 4.19.84 #0 SMP Tue Nov 19 13:59:03 2019 x86_64 GNU/Linux	"nginx version: nginx/1.17.5 (x86_64-pc-linux-gnu)
built with OpenSSL 1.1.1d  10 Sep 2019
TLS SNI support enabled
configure arguments: --target=x86_64-openwrt-linux --host=x86_64-openwrt-linux --build=x86_64-pc-linux-gnu --program-prefix= --program-suffix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/lib --sysconfdir=/etc --datadir=/usr/share --localstatedir=/var --mandir=/usr/man --infodir=/usr/info --crossbuild=Linux::x86_64 --prefix=/usr --conf-path=/etc/nginx/nginx.conf --with-http_ssl_module --add-module=/home/val/Development/openwrt/targets/nuc_x86_64/build_dir/target-x86_64_musl/nginx-ssl/nginx-1.17.5/nginx-naxsi/naxsi_src --add-module=/home/val/Development/openwrt/targets/nuc_x86_64/build_dir/target-x86_64_musl/nginx-ssl/nginx-1.17.5/lua-nginx --with-ipv6 --add-module=/home/val/Development/openwrt/targets/nuc_x86_64/build_dir/target-x86_64_musl/nginx-ssl/nginx-1.17.5/nginx-ubus-module --with-http_auth_request_module --with-http_v2_module --with-http_realip_module --with-http_secure_link_module --with-http_sub_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --add-module=/home/val/Development/openwrt/targets/nuc_x86_64/build_dir/target-x86_64_musl/nginx-ssl/nginx-1.17.5/nginx-headers-more --add-module=/home/val/Development/openwrt/targets/nuc_x86_64/build_dir/target-x86_64_musl/nginx-ssl/nginx-1.17.5/nginx-brotli --add-module=/home/val/Development/openwrt/targets/nuc_x86_64/build_dir/target-x86_64_musl/nginx-ssl/nginx-1.17.5/nginx-rtmp --add-module=/home/val/Development/openwrt/targets/nuc_x86_64/build_dir/target-x86_64_musl/nginx-ssl/nginx-1.17.5/nginx-ts --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --with-cc=x86_64-openwrt-linux-musl-gcc --with-cc-opt='-I/home/val/Development/openwrt/targets/nuc_x86_64/staging_dir/target-x86_64_musl/usr/include -I/home/val/Development/openwrt/targets/nuc_x86_64/staging_dir/toolchain-x86_64_gcc-7.5.0_musl/usr/include -I/home/val/Development/openwrt/targets/nuc_x86_64/staging_dir/toolchain-x86_64_gcc-7.5.0_musl/include/fortify -I/home/val/Development/openwrt/targets/nuc_x86_64/staging_dir/toolchain-x86_64_gcc-7.5.0_musl/include -Os -pipe -fno-caller-saves -fno-plt -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -iremap/home/val/Development/openwrt/targets/nuc_x86_64/build_dir/target-x86_64_musl/nginx-ssl/nginx-1.17.5:nginx-1.17.5 -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -fvisibility=hidden -ffunction-sections -fdata-sections -DNGX_LUA_NO_BY_LUA_BLOCK' --with-ld-opt='-L/home/val/Development/openwrt/targets/nuc_x86_64/staging_dir/target-x86_64_musl/usr/lib -L/home/val/Development/openwrt/targets/nuc_x86_64/staging_dir/target-x86_64_musl/lib -L/home/val/Development/openwrt/targets/nuc_x86_64/staging_dir/toolchain-x86_64_gcc-7.5.0_musl/usr/lib -L/home/val/Development/openwrt/targets/nuc_x86_64/staging_dir/toolchain-x86_64_gcc-7.5.0_musl/lib -znow -zrelro -Wl,--gc-sections' --without-http_upstream_zone_module
"