Http2 reverse proxy to caddy behind cdn

1. The problem I’m having:

Hello, please help. I can’t set up a secure HTTP/2 reverse proxy from a client via a CNAME domain located on the CDN in front of Caddy, but when connecting directly to the origin domain everything works fine. It feels like some response header is missing; I’ve been racking my brains about this for a long time.

2. Error messages and/or full log output:

This is a piece of log with a successful connection to origin domain on caddy server:

{"level":"debug","ts":1707068297.3494523,"logger":"events","msg":"event","name":"tls_get_certificate","id":"ed531aee-4cb1-40a5-b88f-ca4bc9ca1c50","origin":"tls","data":{"client_hello":{"CipherSuites":[23130,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"gkm.pw","SupportedCurves":[10794,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[10794,772,771],"RemoteAddr":{"IP":"193.200.74.177","Port":4840,"Zone":""},"LocalAddr":{"IP":"31.129.111.230","Port":443,"Zone":""}}}}
{"level":"debug","ts":1707068297.350322,"logger":"tls.handshake","msg":"choosing certificate","identifier":"gkm.pw","num_choices":1}
{"level":"debug","ts":1707068297.3505447,"logger":"tls.handshake","msg":"custom certificate selection results","identifier":"gkm.pw","subjects":["gkm.pw"],"managed":false,"issuer_key":"","hash":"e31c18709c42f5db2eae3032047b22e34cf6f3c1bafb24e4d80dc2deba9d5e01"}
{"level":"debug","ts":1707068297.3506336,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"193.200.74.177","remote_port":"4840","subjects":["gkm.pw"],"managed":false,"expiration":1713553201,"hash":"e31c18709c42f5db2eae3032047b22e34cf6f3c1bafb24e4d80dc2deba9d5e01"}
{"level":"debug","ts":1707068297.5013633,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"127.0.0.1:15450","total_upstreams":1}
{"level":"debug","ts":1707068297.5038974,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"127.0.0.1:15450","duration":0.002250472,"request":{"remote_ip":"193.200.74.177","remote_port":"4840","client_ip":"193.200.74.177","proto":"HTTP/2.0","method":"PUT","host":"gkm.pw","uri":"/akkl190219","headers":{"User-Agent":["Go-http-client/2.0"],"Accept-Encoding":["identity"],"X-Forwarded-For":["193.200.74.177"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["gkm.pw"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"gkm.pw"}},"headers":{"Cache-Control":["no-store"],"Date":["Sun, 04 Feb 2024 17:38:17 GMT"]},"status":200}
{"level":"error","ts":1707068297.9200675,"logger":"http.handlers.reverse_proxy","msg":"reading from backend","error":"client disconnected"}
{"level":"error","ts":1707068297.920316,"logger":"http.handlers.reverse_proxy","msg":"aborting with incomplete response","upstream":"127.0.0.1:15450","duration":0.002250472,"request":{"remote_ip":"193.200.74.177","remote_port":"4840","client_ip":"193.200.74.177","proto":"HTTP/2.0","method":"PUT","host":"gkm.pw","uri":"/akkl190219","headers":{"User-Agent":["Go-http-client/2.0"],"Accept-Encoding":["identity"],"X-Forwarded-For":["193.200.74.177"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["gkm.pw"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"gkm.pw"}},"error":"reading: client disconnected"}
{"level":"debug","ts":1707068300.3483403,"logger":"events","msg":"event","name":"tls_get_certificate","id":"817841ea-f05e-43eb-b21c-49ddb4e71c1d","origin":"tls","data":{"client_hello":{"CipherSuites":[56026,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"gkm.pw","SupportedCurves":[23130,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[64250,772,771],"RemoteAddr":{"IP":"193.200.74.177","Port":54360,"Zone":""},"LocalAddr":{"IP":"31.129.111.230","Port":443,"Zone":""}}}}
{"level":"debug","ts":1707068300.3491151,"logger":"tls.handshake","msg":"choosing certificate","identifier":"gkm.pw","num_choices":1}
{"level":"debug","ts":1707068300.3492475,"logger":"tls.handshake","msg":"custom certificate selection results","identifier":"gkm.pw","subjects":["gkm.pw"],"managed":false,"issuer_key":"","hash":"e31c18709c42f5db2eae3032047b22e34cf6f3c1bafb24e4d80dc2deba9d5e01"}
{"level":"debug","ts":1707068300.349319,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"193.200.74.177","remote_port":"54360","subjects":["gkm.pw"],"managed":false,"expiration":1713553201,"hash":"e31c18709c42f5db2eae3032047b22e34cf6f3c1bafb24e4d80dc2deba9d5e01"}
{"level":"debug","ts":1707068300.4986858,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"127.0.0.1:15450","total_upstreams":1}
{"level":"debug","ts":1707068300.500581,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"127.0.0.1:15450","duration":0.001664381,"request":{"remote_ip":"193.200.74.177","remote_port":"54360","client_ip":"193.200.74.177","proto":"HTTP/2.0","method":"PUT","host":"gkm.pw","uri":"/akkl190219","headers":{"Accept-Encoding":["identity"],"User-Agent":["Go-http-client/2.0"],"X-Forwarded-For":["193.200.74.177"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["gkm.pw"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"gkm.pw"}},"headers":{"Cache-Control":["no-store"],"Date":["Sun, 04 Feb 2024 17:38:20 GMT"]},"status":200}
{"level":"error","ts":1707068300.6445847,"logger":"http.handlers.reverse_proxy","msg":"reading from backend","error":"stream error: stream ID 1; CANCEL"}
{"level":"error","ts":1707068300.6448092,"logger":"http.handlers.reverse_proxy","msg":"aborting with incomplete response","upstream":"127.0.0.1:15450","duration":0.001664381,"request":{"remote_ip":"193.200.74.177","remote_port":"54360","client_ip":"193.200.74.177","proto":"HTTP/2.0","method":"PUT","host":"gkm.pw","uri":"/akkl190219","headers":{"Accept-Encoding":["identity"],"User-Agent":["Go-http-client/2.0"],"X-Forwarded-For":["193.200.74.177"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["gkm.pw"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"gkm.pw"}},"error":"reading: stream error: stream ID 1; CANCEL"}
{"level":"debug","ts":1707068301.490227,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"127.0.0.1:15450","total_upstreams":1}
{"level":"debug","ts":1707068301.491789,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"127.0.0.1:15450","duration":0.00119128,"request":{"remote_ip":"193.200.74.177","remote_port":"54360","client_ip":"193.200.74.177","proto":"HTTP/2.0","method":"PUT","host":"gkm.pw","uri":"/akkl190219","headers":{"Accept-Encoding":["identity"],"User-Agent":["Go-http-client/2.0"],"X-Forwarded-For":["193.200.74.177"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["gkm.pw"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"gkm.pw"}},"headers":{"Cache-Control":["no-store"],"Date":["Sun, 04 Feb 2024 17:38:21 GMT"]},"status":200}
{"level":"debug","ts":1707068307.1014218,"logger":"http.stdlib","msg":"http: TLS handshake error from 163.181.26.161:60012: EOF"}
{"level":"error","ts":1707068310.0027092,"logger":"http.handlers.reverse_proxy","msg":"aborting with incomplete response","upstream":"127.0.0.1:15450","duration":0.00119128,"request":{"remote_ip":"193.200.74.177","remote_port":"54360","client_ip":"193.200.74.177","proto":"HTTP/2.0","method":"PUT","host":"gkm.pw","uri":"/akkl190219","headers":{"Accept-Encoding":["identity"],"User-Agent":["Go-http-client/2.0"],"X-Forwarded-For":["193.200.74.177"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["gkm.pw"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"gkm.pw"}},"error":"writing: http2: stream closed"}

And this is a log with an unsuccessful connection to the origin domain via the CNAME located on Ali DCDN:

{"level":"debug","ts":1707068387.361652,"logger":"events","msg":"event","name":"tls_get_certificate","id":"7a934ed5-4e94-4062-a581-9c3363666c2b","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4865,4867,198,199,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"www.gkm.pw","SupportedCurves":[29,23,30,25,24,41],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,1800,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,515,769,513,770,514,1026,1282,1538],"SupportedProtos":["http/1.1"],"SupportedVersions":[772,771,770,769],"RemoteAddr":{"IP":"163.181.15.152","Port":32968,"Zone":""},"LocalAddr":{"IP":"31.129.111.230","Port":443,"Zone":""}}}}
{"level":"debug","ts":1707068387.36311,"logger":"tls.handshake","msg":"choosing certificate","identifier":"www.gkm.pw","num_choices":1}
{"level":"debug","ts":1707068387.3633964,"logger":"tls.handshake","msg":"custom certificate selection results","identifier":"www.gkm.pw","subjects":["www.gkm.pw"],"managed":false,"issuer_key":"","hash":"7d4ead4e400ee409137f316ed7edafe561ea9517b9541ea6448e39e7fbc001a8"}
{"level":"debug","ts":1707068387.3635418,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"163.181.15.152","remote_port":"32968","subjects":["www.gkm.pw"],"managed":false,"expiration":1713553876,"hash":"7d4ead4e400ee409137f316ed7edafe561ea9517b9541ea6448e39e7fbc001a8"}
{"level":"debug","ts":1707068387.4141686,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"127.0.0.1:15450","total_upstreams":1}
{"level":"debug","ts":1707068387.4197721,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"127.0.0.1:15450","duration":0.00516051,"request":{"remote_ip":"163.181.15.152","remote_port":"32968","client_ip":"193.200.74.177","proto":"HTTP/1.1","method":"PUT","host":"gkm.pw","uri":"/akkl190219","headers":{"Accept-Encoding":["identity"],"Ali-Swift-Origin-Host":["gkm.pw"],"Ali-Swift-Log-Host":["www.gkm.pw"],"Via":["ru3.l1, l2de2.l2"],"X-Forwarded-Host":["gkm.pw"],"Ali-Tproxy-Urequest-Timeout":["30"],"Ali-Swift-Stat-Host":["www.gkm.pw"],"Ali-Cdn-Appview-Name":["cdn-tengine"],"Ali-Proxy-Is-Free":["0"],"Ali-Cdn-Real-Port":["12894"],"Ali-Cdn-Adaptive-Ports":["443,443"],"Ali-Swift-Ukeepalive-Timeout":["30"],"Eagleeye-Traceid":["2ff602a417070683872734651e"],"Ali-Swift-Urequest-Timeout":["30"],"X-Forwarded-For":["193.200.74.177, 163.181.15.152"],"Ali-Swift-Force-Ttl-Code":["400=0"],"Ali-Swift-Origin-Port":["443"],"X-Client-Scheme":["https"],"Ali-Proxy-Is-Hot":["0"],"Ali-Cdn-Real-Ip":["193.200.74.177"],"Ali-Swift-Range-Cache":["on"],"X-Alicdn-Da-Via":["47.246.2.228,163.181.15.248"],"X-Forwarded-Proto":["https"],"Ali-Swift-Origin-Scheme":["https"],"User-Agent":["Go-http-client/2.0"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"http/1.1","server_name":"www.gkm.pw"}},"headers":{"Cache-Control":["no-store"],"Date":["Sun, 04 Feb 2024 17:39:47 GMT"]},"status":200}
{"level":"debug","ts":1707068389.9177454,"logger":"events","msg":"event","name":"tls_get_certificate","id":"e1d196a3-e110-4cd6-a959-70f59df7e8d3","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4865,4867,198,199,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"www.gkm.pw","SupportedCurves":[29,23,30,25,24,41],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,1800,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,515,769,513,770,514,1026,1282,1538],"SupportedProtos":["http/1.1"],"SupportedVersions":[772,771,770,769],"RemoteAddr":{"IP":"163.181.15.149","Port":22230,"Zone":""},"LocalAddr":{"IP":"31.129.111.230","Port":443,"Zone":""}}}}
{"level":"debug","ts":1707068389.918107,"logger":"tls.handshake","msg":"choosing certificate","identifier":"www.gkm.pw","num_choices":1}
{"level":"debug","ts":1707068389.9182062,"logger":"tls.handshake","msg":"custom certificate selection results","identifier":"www.gkm.pw","subjects":["www.gkm.pw"],"managed":false,"issuer_key":"","hash":"7d4ead4e400ee409137f316ed7edafe561ea9517b9541ea6448e39e7fbc001a8"}
{"level":"debug","ts":1707068389.9182796,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"163.181.15.149","remote_port":"22230","subjects":["www.gkm.pw"],"managed":false,"expiration":1713553876,"hash":"7d4ead4e400ee409137f316ed7edafe561ea9517b9541ea6448e39e7fbc001a8"}
{"level":"debug","ts":1707068389.9658315,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"127.0.0.1:15450","total_upstreams":1}
{"level":"debug","ts":1707068389.968236,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"127.0.0.1:15450","duration":0.001739005,"request":{"remote_ip":"163.181.15.149","remote_port":"22230","client_ip":"193.200.74.177","proto":"HTTP/1.1","method":"PUT","host":"gkm.pw","uri":"/akkl190219","headers":{"Ali-Swift-Urequest-Timeout":["30"],"Ali-Cdn-Adaptive-Ports":["443,443"],"X-Forwarded-Proto":["https"],"X-Client-Scheme":["https"],"Via":["ru3.l1, l2de2.l2"],"Ali-Proxy-Is-Free":["0"],"Accept-Encoding":["identity"],"Ali-Swift-Log-Host":["www.gkm.pw"],"Ali-Swift-Stat-Host":["www.gkm.pw"],"Ali-Swift-Ukeepalive-Timeout":["30"],"Ali-Tproxy-Urequest-Timeout":["30"],"Ali-Swift-Force-Ttl-Code":["400=0"],"User-Agent":["Go-http-client/2.0"],"Ali-Swift-Origin-Port":["443"],"X-Alicdn-Da-Via":["47.246.2.228,163.181.15.248"],"Ali-Cdn-Real-Ip":["193.200.74.177"],"Ali-Cdn-Appview-Name":["cdn-tengine"],"Ali-Proxy-Is-Hot":["0"],"Ali-Swift-Origin-Host":["gkm.pw"],"X-Forwarded-For":["193.200.74.177, 163.181.15.149"],"Ali-Cdn-Real-Port":["4596"],"Ali-Swift-Range-Cache":["on"],"Eagleeye-Traceid":["2ff6029b17070683898417788e"],"Ali-Swift-Origin-Scheme":["https"],"X-Forwarded-Host":["gkm.pw"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"http/1.1","server_name":"www.gkm.pw"}},"headers":{"Cache-Control":["no-store"],"Date":["Sun, 04 Feb 2024 17:39:49 GMT"]},"status":200}
{"level":"debug","ts":1707068391.2426512,"logger":"http.stdlib","msg":"http: TLS handshake error from 163.181.38.182:33896: EOF"}
{"level":"debug","ts":1707068392.0614164,"logger":"http.stdlib","msg":"http: TLS handshake error from 163.181.83.186:44374: EOF"}
{"level":"error","ts":1707068398.9574835,"logger":"http.handlers.reverse_proxy","msg":"reading from backend","error":"unexpected EOF"}
{"level":"error","ts":1707068398.9575624,"logger":"http.handlers.reverse_proxy","msg":"aborting with incomplete response","upstream":"127.0.0.1:15450","duration":0.001739005,"request":{"remote_ip":"163.181.15.149","remote_port":"22230","client_ip":"193.200.74.177","proto":"HTTP/1.1","method":"PUT","host":"gkm.pw","uri":"/akkl190219","headers":{"Ali-Swift-Urequest-Timeout":["30"],"Ali-Cdn-Adaptive-Ports":["443,443"],"X-Forwarded-Proto":["https"],"X-Client-Scheme":["https"],"Via":["ru3.l1, l2de2.l2"],"Ali-Proxy-Is-Free":["0"],"Accept-Encoding":["identity"],"Ali-Swift-Log-Host":["www.gkm.pw"],"Ali-Swift-Stat-Host":["www.gkm.pw"],"Ali-Swift-Ukeepalive-Timeout":["30"],"Ali-Tproxy-Urequest-Timeout":["30"],"Ali-Swift-Force-Ttl-Code":["400=0"],"User-Agent":["Go-http-client/2.0"],"Ali-Swift-Origin-Port":["443"],"X-Alicdn-Da-Via":["47.246.2.228,163.181.15.248"],"Ali-Cdn-Real-Ip":["193.200.74.177"],"Ali-Cdn-Appview-Name":["cdn-tengine"],"Ali-Proxy-Is-Hot":["0"],"Ali-Swift-Origin-Host":["gkm.pw"],"X-Forwarded-For":["193.200.74.177, 163.181.15.149"],"Ali-Cdn-Real-Port":["4596"],"Ali-Swift-Range-Cache":["on"],"Eagleeye-Traceid":["2ff6029b17070683898417788e"],"Ali-Swift-Origin-Scheme":["https"],"X-Forwarded-Host":["gkm.pw"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"http/1.1","server_name":"www.gkm.pw"}},"error":"reading: unexpected EOF"}

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

apt install caddy

a. System environment:

Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-92-generic x86_64)

b. Command:

systemctl start caddy

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

{
	log {
		level debug
		output file /var/log/caddy/debug.log
	}
	auto_https off
	servers {
		trusted_proxies static 163.181.0.0/16 47.246.0.0/16 8.0.0.0/9
	}
}

gkm.pw {
	tls /ssl/gkm.pw.pem /ssl/gkm.pw.key.pem
	tls /ssl/www.gkm.pw.pem /ssl/www.gkm.pw.key.pem
	root * /var/www/html/
	file_server
	@http2only {
		path /akkl190219
	}
	reverse_proxy @http2only 127.0.0.1:15450 {
		transport http {
			tls_server_name gkm.pw
		}
	}
}

5. Links to relevant resources:

Please run caddy fmt -w on your Caddyfile. The indentation is very messy, so it’s difficult to read.

This doesn’t make sense, you can only have one key-cert pair per site block.

From this log, it looks like your server is receiving HTTP/1.1 requests, not HTTP/2.
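To make that observation mechanical rather than eyeballing JSON, here is an added Python script (not from this thread and not Caddy’s own code) that pairs each tls_get_certificate ClientHello with the reverse_proxy roundtrip on the same remote IP:port and reports the ALPN list that hop offered, whether the hop falls inside the Caddyfile’s trusted_proxies ranges, and the client_ip Caddy derived. The sample lines are trimmed copies of the thread’s direct and via-CDN entries plus one constructed untrusted hop (198.51.100.7, a documentation address); it assumes, as Caddy does, that the X-Forwarded-For shown in the roundtrip entry is the outgoing header with the hop’s own IP appended last.

```python
"""Pair Caddy debug-log ClientHello events with reverse_proxy roundtrips.

Added example, not part of the thread or of Caddy. It answers the question the
log excerpts raise: did the hop that reached Caddy offer h2 in ALPN at all, and
was that hop inside trusted_proxies so that client_ip came from X-Forwarded-For?
"""
import ipaddress
import json

# The trusted_proxies ranges from the thread's Caddyfile.
TRUSTED_PROXIES = [
    ipaddress.ip_network(cidr)
    for cidr in ("163.181.0.0/16", "47.246.0.0/16", "8.0.0.0/9")
]

# Constructed sample: trimmed copies of the thread's direct and via-CDN entries,
# plus a made-up untrusted hop (198.51.100.7) that sends its own X-Forwarded-For.
# The roundtrip entry shows the header Caddy sends upstream, so the last
# X-Forwarded-For element is always the hop that connected to Caddy.
SAMPLE_LOG = r"""
{"logger":"events","msg":"event","name":"tls_get_certificate","data":{"client_hello":{"ServerName":"gkm.pw","SupportedProtos":["h2","http/1.1"],"RemoteAddr":{"IP":"193.200.74.177","Port":4840}}}}
{"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","request":{"remote_ip":"193.200.74.177","remote_port":"4840","client_ip":"193.200.74.177","proto":"HTTP/2.0","uri":"/akkl190219","headers":{"X-Forwarded-For":["193.200.74.177"]},"tls":{"proto":"h2","server_name":"gkm.pw"}},"status":200}
{"logger":"events","msg":"event","name":"tls_get_certificate","data":{"client_hello":{"ServerName":"www.gkm.pw","SupportedProtos":["http/1.1"],"RemoteAddr":{"IP":"163.181.15.152","Port":32968}}}}
{"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","request":{"remote_ip":"163.181.15.152","remote_port":"32968","client_ip":"193.200.74.177","proto":"HTTP/1.1","uri":"/akkl190219","headers":{"X-Forwarded-For":["193.200.74.177, 163.181.15.152"]},"tls":{"proto":"http/1.1","server_name":"www.gkm.pw"}},"status":200}
{"logger":"events","msg":"event","name":"tls_get_certificate","data":{"client_hello":{"ServerName":"gkm.pw","SupportedProtos":["h2","http/1.1"],"RemoteAddr":{"IP":"198.51.100.7","Port":5001}}}}
{"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","request":{"remote_ip":"198.51.100.7","remote_port":"5001","client_ip":"198.51.100.7","proto":"HTTP/2.0","uri":"/akkl190219","headers":{"X-Forwarded-For":["10.0.0.5, 198.51.100.7"]},"tls":{"proto":"h2","server_name":"gkm.pw"}},"status":200}
"""


def analyze(lines, trusted=TRUSTED_PROXIES):
    """Return one finding dict per 'upstream roundtrip' entry, in log order."""
    hellos = {}  # (remote IP, remote port) -> ALPN list offered in the ClientHello
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not a JSON log line (e.g. a stray "." in a forum paste)
        if rec.get("name") == "tls_get_certificate":
            hello = rec["data"]["client_hello"]
            addr = hello["RemoteAddr"]
            hellos[(addr["IP"], str(addr["Port"]))] = hello.get("SupportedProtos", [])
        elif rec.get("msg") == "upstream roundtrip":
            req = rec["request"]
            offered = hellos.get((req["remote_ip"], req["remote_port"]))
            remote = ipaddress.ip_address(req["remote_ip"])
            trusted_hop = any(remote in net for net in trusted)
            xff = req.get("headers", {}).get("X-Forwarded-For", [""])[0]
            xff_hops = [p.strip() for p in xff.split(",") if p.strip()]
            incoming_xff = xff_hops[:-1]  # drop the hop Caddy appended itself
            findings.append({
                "sni": req["tls"]["server_name"],
                "remote_ip": req["remote_ip"],
                "client_ip": req["client_ip"],
                "via_proxy": req["remote_ip"] != req["client_ip"],
                "trusted_proxy": trusted_hop,
                "incoming_xff": incoming_xff,
                # An untrusted hop's X-Forwarded-For must not influence client_ip.
                "xff_ignored": bool(incoming_xff) and not trusted_hop,
                "proto": req["proto"],
                "alpn_negotiated": req["tls"]["proto"],
                "alpn_offered": offered,
                "h2_possible": None if offered is None else "h2" in offered,
            })
    return findings


def verdict(f):
    """One-line explanation of a finding, for the operator."""
    hop = f"{f['remote_ip']} (SNI {f['sni']})"
    if f["h2_possible"] is False:
        return (f"{hop} offered ALPN {f['alpn_offered']} only: HTTP/2 from this hop "
                f"is impossible, Caddy correctly saw {f['proto']}")
    if f["xff_ignored"]:
        return (f"{hop} is not in trusted_proxies: X-Forwarded-For {f['incoming_xff']} "
                f"was ignored and client_ip stayed {f['client_ip']}")
    if f["via_proxy"]:
        return f"{hop} is a trusted proxy for client {f['client_ip']}, spoke {f['proto']}"
    return f"{hop} is the client itself, spoke {f['proto']}"


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(verdict(finding))
```

Run it against the real /var/log/caddy/debug.log by passing its lines to analyze(); the via-CDN finding shows the CDN’s ClientHello listing http/1.1 alone, which is why no Caddy-side setting can make that leg HTTP/2.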

Without the second key-cert pair, I get a certificate error for the ‘www’ subdomain hosted on the CDN.

The problem is that this request is sent by the CDN itself, which my client accesses through the ‘www’ subdomain, although HTTP/2 is enabled in the CDN settings.
Is it possible to make Caddy upgrade HTTP/1.1 to HTTP/2 before sending the request to the proxy server?

For example, I implemented a similar scheme using haproxy, adding alpn h2 to the key-cert directive in the frontend and backend, and it worked both with the origin domain and with the subdomain hosted on the CDN; but since our company’s tasks became more complicated, we decided to use the Caddy server to implement this scheme and further solutions.

Then that’s correct, because you didn’t configure Caddy to serve a www. domain. You’d need to set up a second site block for that.

You can configure version in the http transport. It defaults to 1.1 2 which means both versions are enabled. The same version as the incoming request is preferred.

I added a second block for the www subdomain and specified the h2 version, but the result is the same, the reverse proxy works fine with the first block, but not with the second.

{
	log {
		level debug
		output file /var/log/caddy/debug.log
	}
	auto_https off
	servers {
		trusted_proxies static 163.181.0.0/16 47.246.0.0/16 8.0.0.0/9
	}
}

gkm.pw {
	tls /ssl/gkm.pw.pem /ssl/gkm.pw.key.pem
	root * /var/www/html/
	file_server
	@http2only {
		path /akkl190219
	}
	reverse_proxy @http2only 127.0.0.1:15450 {
		transport http {
			tls_server_name gkm.pw
		}
	}
}

www.gkm.pw {
	tls /ssl/www.gkm.pw.pem /ssl/www.gkm.pw.key.pem
	root * /var/www/html/
	file_server
	@http2only {
		path /akkl190219
	}
	reverse_proxy @http2only 127.0.0.1:15450 {
		transport http {
			versions h2 2
		}
	}
}

If your upstream is expecting TLS-SNI to be set to gkm.pw, you’ll still need to keep that line.

Please don’t say “works” or “doesn’t work”. That’s not useful for troubleshooting. It’s too ambiguous.

Show actual evidence. Show your logs, show the actual error message you see. Show an example request with curl -v.

{
	log {
		level debug
		output file /var/log/caddy/debug.log
	}
	auto_https off
	servers {
		trusted_proxies static 163.181.0.0/16 47.246.0.0/16 8.0.0.0/9
	}
}

gkm.pw {
	tls /ssl/gkm.pw.pem /ssl/gkm.pw.key.pem
	root * /var/www/html/
	file_server
	@http2only {
		path /akkl190219
	}
	reverse_proxy @http2only 127.0.0.1:15450 {
		transport http {
			tls_server_name gkm.pw
			versions h2 2
		}
	}
}

www.gkm.pw {
	tls /ssl/www.gkm.pw.pem /ssl/www.gkm.pw.key.pem
	root * /var/www/html/
	file_server
	@http2only {
		path /akkl190219
	}
	reverse_proxy @http2only 127.0.0.1:15450 {
		transport http {
			tls_server_name gkm.pw
			versions h2 2
		}
	}
}

curl -v https://gkm.pw/akkl190219

*   Trying 31.129.111.230:443...
* Connected to gkm.pw (31.129.111.230) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=gkm.pw
*  start date: Jan 20 19:00:01 2024 GMT
*  expire date: Apr 19 19:00:00 2024 GMT
*  subjectAltName: host "gkm.pw" matched cert's "gkm.pw"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x5596f790aeb0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /akkl190219 HTTP/2
> Host: gkm.pw
> user-agent: curl/7.81.0
> accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200
< alt-svc: h3=":443"; ma=2592000
< cache-control: no-store
< date: Sun, 11 Feb 2024 20:34:23 GMT
< server: Caddy
< content-length: 0
<
* Connection #0 to host gkm.pw left intact

curl -v https://www.gkm.pw/akkl190219

*   Trying 163.181.1.227:443...
* Connected to www.gkm.pw (163.181.1.227) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=www.gkm.pw
*  start date: Jan 20 19:11:16 2024 GMT
*  expire date: Apr 19 19:11:15 2024 GMT
*  subjectAltName: host "www.gkm.pw" matched cert's "www.gkm.pw"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x565215821eb0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /akkl190219 HTTP/2
> Host: www.gkm.pw
> user-agent: curl/7.81.0
> accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200
< server: Tengine
< content-length: 0
< strict-transport-security: max-age=5184000; includeSubDomains
< alt-svc: h3=":443"; ma=2592000
< cache-control: no-store
< date: Sun, 11 Feb 2024 20:37:21 GMT
< via: cache1.l2us1[410,0], cache5.us13[419,0], cache5.ru6[523,0]
< timing-allow-origin: *, *
< eagleid: a3b5019917076838408505288e, a3b5019917076838408505288e
<
* Connection #0 to host www.gkm.pw left intact

Error on the client when connecting via the www.gkm.pw subdomain hosted on the CDN in front of Caddy:

[Warning] [2096307887] transport/internet/http: failed to dial to tcp:www.gkm.pw:443 > Put "https://www.gkm.pw:443/akkl190219": http2: Transport: cannot retry err [stream error: stream ID 1; PROTOCOL_ERROR; received from peer] after Request.Body was written; define Request.GetBody to avoid this error

Why do these have different IP addresses? Are those just both IPs of your CDN? (Just making sure there’s not some messed up DNS causing trouble here.)

Are you sure you reloaded Caddy after making your config changes?

What do your Caddy logs have at this point?

h2 isn’t a valid version, it should be only 2 or h2c 2 if you’d want to allow plaintext HTTP/2, but you’re using TLS here, so only 2 makes sense. But anyway, doesn’t matter because Caddy is only checking “does 2 exist in the list”.

I just checked the source code, we’re not actually checking for 1.1 at all, so I think not specifying 1.1 doesn’t turn off HTTP/1.1 at all.

We might need to make some changes to allow that to force HTTP/2.

But anyway, TLS-ALPN negotiation does happen during the TLS handshake with the upstream. If you have any way to configure ALPNs on your upstream app, then you could make sure HTTP/1.1 isn’t advertised.


This is the origin server IP address of the origin domain gkm.pw.

This is the IP address subnet of the CDN, which hosts the www.gkm.pw subdomain, or rather its CNAME record, which in turn accesses the origin gkm.pw domain (31.129.111.230) to deliver content in the future:

I have no problems with DNS records, the test site works successfully with both the original gkm.pw domain and its subdomain www.gkm.pw, and the tls handshake is successful.

I restarted Caddy again just to be sure, after first changing “versions h2 2” to “versions 2” in the Caddyfile.

{
	log {
		level debug
		output file /var/log/caddy/debug.log
	}
	auto_https off
	servers {
		trusted_proxies static 163.181.0.0/16 47.246.0.0/16 8.0.0.0/9
	}
}

gkm.pw {
	tls /ssl/gkm.pw.pem /ssl/gkm.pw.key.pem
	root * /var/www/html/
	file_server
	@http2only {
		path /akkl190219
	}
	reverse_proxy @http2only 127.0.0.1:15450 {
		transport http {
			tls_server_name gkm.pw
			versions 2
		}
	}
}

www.gkm.pw {
	tls /ssl/www.gkm.pw.pem /ssl/www.gkm.pw.key.pem
	root * /var/www/html/
	file_server
	@http2only {
		path /akkl190219
	}
	reverse_proxy @http2only 127.0.0.1:15450 {
		transport http {
			tls_server_name gkm.pw
			versions 2
		}
	}
}

Successful connection from the client to https://gkm.pw/akkl190219:

{"level":"debug","ts":1707722509.961475,"logger":"events","msg":"event","name":"tls_get_certificate","id":"490a71bb-96ec-44b2-b0db-8b3d9f0b6a87","origin":"tls","data":{"client_hello":{"CipherSuites":[2570,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"gkm.pw","SupportedCurves":[60138,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[31354,772,771],"RemoteAddr":{"IP":"193.200.74.177","Port":14146,"Zone":""},"LocalAddr":{"IP":"31.129.111.230","Port":443,"Zone":""}}}}
{"level":"debug","ts":1707722509.9625015,"logger":"tls.handshake","msg":"choosing certificate","identifier":"gkm.pw","num_choices":1}
{"level":"debug","ts":1707722509.9627776,"logger":"tls.handshake","msg":"custom certificate selection results","identifier":"gkm.pw","subjects":["gkm.pw"],"managed":false,"issuer_key":"","hash":"e31c18709c42f5db2eae3032047b22e34cf6f3c1bafb24e4d80dc2deba9d5e01"}
{"level":"debug","ts":1707722509.9629803,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"193.200.74.177","remote_port":"14146","subjects":["gkm.pw"],"managed":false,"expiration":1713553201,"hash":"e31c18709c42f5db2eae3032047b22e34cf6f3c1bafb24e4d80dc2deba9d5e01"}
{"level":"debug","ts":1707722510.1211505,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"127.0.0.1:15450","total_upstreams":1}
{"level":"debug","ts":1707722510.1638484,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"127.0.0.1:15450","duration":0.042370636,"request":{"remote_ip":"193.200.74.177","remote_port":"14146","client_ip":"193.200.74.177","proto":"HTTP/2.0","method":"PUT","host":"gkm.pw","uri":"/akkl190219","headers":{"Accept-Encoding":["identity"],"User-Agent":["Go-http-client/2.0"],"X-Forwarded-For":["193.200.74.177"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["gkm.pw"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"gkm.pw"}},"headers":{"Cache-Control":["no-store"],"Date":["Mon, 12 Feb 2024 07:21:50 GMT"]},"status":200}
{"level":"error","ts":1707722510.5547247,"logger":"http.handlers.reverse_proxy","msg":"reading from backend","error":"client disconnected"}
{"level":"error","ts":1707722510.5549297,"logger":"http.handlers.reverse_proxy","msg":"aborting with incomplete response","upstream":"127.0.0.1:15450","duration":0.042370636,"request":{"remote_ip":"193.200.74.177","remote_port":"14146","client_ip":"193.200.74.177","proto":"HTTP/2.0","method":"PUT","host":"gkm.pw","uri":"/akkl190219","headers":{"Accept-Encoding":["identity"],"User-Agent":["Go-http-client/2.0"],"X-Forwarded-For":["193.200.74.177"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["gkm.pw"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"gkm.pw"}},"error":"reading: client disconnected"}
{"level":"debug","ts":1707722512.9239733,"logger":"events","msg":"event","name":"tls_get_certificate","id":"a650ba0e-6fb1-4b0b-8397-f4a0d934c294","origin":"tls","data":{"client_hello":{"CipherSuites":[31354,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"gkm.pw","SupportedCurves":[10794,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[64250,772,771],"RemoteAddr":{"IP":"193.200.74.177","Port":14152,"Zone":""},"LocalAddr":{"IP":"31.129.111.230","Port":443,"Zone":""}}}}
{"level":"debug","ts":1707722512.9244623,"logger":"tls.handshake","msg":"choosing certificate","identifier":"gkm.pw","num_choices":1}
{"level":"debug","ts":1707722512.92457,"logger":"tls.handshake","msg":"custom certificate selection results","identifier":"gkm.pw","subjects":["gkm.pw"],"managed":false,"issuer_key":"","hash":"e31c18709c42f5db2eae3032047b22e34cf6f3c1bafb24e4d80dc2deba9d5e01"}
{"level":"debug","ts":1707722512.9247246,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"193.200.74.177","remote_port":"14152","subjects":["gkm.pw"],"managed":false,"expiration":1713553201,"hash":"e31c18709c42f5db2eae3032047b22e34cf6f3c1bafb24e4d80dc2deba9d5e01"}
{"level":"debug","ts":1707722513.0838885,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"127.0.0.1:15450","total_upstreams":1}
{"level":"debug","ts":1707722513.0859134,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"127.0.0.1:15450","duration":0.001671663,"request":{"remote_ip":"193.200.74.177","remote_port":"14152","client_ip":"193.200.74.177","proto":"HTTP/2.0","method":"PUT","host":"gkm.pw","uri":"/akkl190219","headers":{"Accept-Encoding":["identity"],"User-Agent":["Go-http-client/2.0"],"X-Forwarded-For":["193.200.74.177"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["gkm.pw"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"gkm.pw"}},"headers":{"Cache-Control":["no-store"],"Date":["Mon, 12 Feb 2024 07:21:53 GMT"]},"status":200}
{"level":"error","ts":1707722513.2141883,"logger":"http.handlers.reverse_proxy","msg":"reading from backend","error":"stream error: stream ID 1; CANCEL"}
{"level":"error","ts":1707722513.214654,"logger":"http.handlers.reverse_proxy","msg":"aborting with incomplete response","upstream":"127.0.0.1:15450","duration":0.001671663,"request":{"remote_ip":"193.200.74.177","remote_port":"14152","client_ip":"193.200.74.177","proto":"HTTP/2.0","method":"PUT","host":"gkm.pw","uri":"/akkl190219","headers":{"Accept-Encoding":["identity"],"User-Agent":["Go-http-client/2.0"],"X-Forwarded-For":["193.200.74.177"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["gkm.pw"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"gkm.pw"}},"error":"reading: stream error: stream ID 1; CANCEL"}
{"level":"debug","ts":1707722513.2350452,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"127.0.0.1:15450","total_upstreams":1}
{"level":"debug","ts":1707722513.23672,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"127.0.0.1:15450","duration":0.001008171,"request":{"remote_ip":"193.200.74.177","remote_port":"14152","client_ip":"193.200.74.177","proto":"HTTP/2.0","method":"PUT","host":"gkm.pw","uri":"/akkl190219","headers":{"Accept-Encoding":["identity"],"User-Agent":["Go-http-client/2.0"],"X-Forwarded-For":["193.200.74.177"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["gkm.pw"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"gkm.pw"}},"headers":{"Cache-Control":["no-store"],"Date":["Mon, 12 Feb 2024 07:21:53 GMT"]},"status":200}
{"level":"error","ts":1707722522.6057498,"logger":"http.handlers.reverse_proxy","msg":"aborting with incomplete response","upstream":"127.0.0.1:15450","duration":0.001008171,"request":{"remote_ip":"193.200.74.177","remote_port":"14152","client_ip":"193.200.74.177","proto":"HTTP/2.0","method":"PUT","host":"gkm.pw","uri":"/akkl190219","headers":{"Accept-Encoding":["identity"],"User-Agent":["Go-http-client/2.0"],"X-Forwarded-For":["193.200.74.177"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["gkm.pw"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"gkm.pw"}},"error":"writing: http2: stream closed"}

curl -v https://gkm.pw/akkl190219

*   Trying 31.129.111.230:443...
* Connected to gkm.pw (31.129.111.230) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=gkm.pw
*  start date: Jan 20 19:00:01 2024 GMT
*  expire date: Apr 19 19:00:00 2024 GMT
*  subjectAltName: host "gkm.pw" matched cert's "gkm.pw"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x55edc4d79eb0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /akkl190219 HTTP/2
> Host: gkm.pw
> user-agent: curl/7.81.0
> accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200
< alt-svc: h3=":443"; ma=2592000
< cache-control: no-store
< date: Mon, 12 Feb 2024 07:24:26 GMT
< server: Caddy
< content-length: 0
<
* Connection #0 to host gkm.pw left intact

Unsuccessful connection from client to https://www.gkm.pw/akkl190219

{"level":"debug","ts":1707723034.0820365,"logger":"events","msg":"event","name":"tls_get_certificate","id":"1b9f8827-52c4-4be2-a63b-24bee12dd369","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4865,4867,198,199,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"gkm.pw","SupportedCurves":[29,23,30,25,24,41],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,1800,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,515,769,513,770,514,1026,1282,1538],"SupportedProtos":["http/1.1"],"SupportedVersions":[772,771,770,769],"RemoteAddr":{"IP":"163.181.15.154","Port":35912,"Zone":""},"LocalAddr":{"IP":"31.129.111.230","Port":443,"Zone":""}}}}
{"level":"debug","ts":1707723034.0824506,"logger":"tls.handshake","msg":"choosing certificate","identifier":"gkm.pw","num_choices":1}
{"level":"debug","ts":1707723034.0826993,"logger":"tls.handshake","msg":"custom certificate selection results","identifier":"gkm.pw","subjects":["gkm.pw"],"managed":false,"issuer_key":"","hash":"e31c18709c42f5db2eae3032047b22e34cf6f3c1bafb24e4d80dc2deba9d5e01"}
{"level":"debug","ts":1707723034.0828054,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"163.181.15.154","remote_port":"35912","subjects":["gkm.pw"],"managed":false,"expiration":1713553201,"hash":"e31c18709c42f5db2eae3032047b22e34cf6f3c1bafb24e4d80dc2deba9d5e01"}
{"level":"debug","ts":1707723034.1320012,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"127.0.0.1:15450","total_upstreams":1}
{"level":"debug","ts":1707723034.1348138,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"127.0.0.1:15450","duration":0.002512431,"request":{"remote_ip":"163.181.15.154","remote_port":"35912","client_ip":"193.200.74.177","proto":"HTTP/1.1","method":"PUT","host":"gkm.pw","uri":"/akkl190219","headers":{"X-Alicdn-Da-Via":["163.181.1.224,163.181.15.243"],"Ali-Swift-Origin-Host":["gkm.pw"],"Ali-Tproxy-Urequest-Timeout":["30"],"Ali-Cdn-Real-Ip":["193.200.74.177"],"Ali-Swift-Force-Ttl-Code":["400=0"],"User-Agent":["Go-http-client/2.0"],"X-Forwarded-For":["193.200.74.177, 163.181.15.154"],"X-Client-Scheme":["https"],"Ali-Swift-Ukeepalive-Timeout":["30"],"Ali-Swift-Origin-Scheme":["https"],"Ali-Swift-Origin-Port":["443"],"Ali-Swift-Range-Cache":["on"],"Ali-Proxy-Is-Free":["0"],"Ali-Cdn-Adaptive-Ports":["443,443"],"Via":["ru6.l1, l2de2.l2"],"Accept-Encoding":["identity"],"X-Forwarded-Proto":["https"],"Eagleeye-Traceid":["a3b5019617077230340043684e"],"Ali-Proxy-Is-Hot":["0"],"Ali-Swift-Urequest-Timeout":["30"],"Ali-Swift-Log-Host":["www.gkm.pw"],"Ali-Swift-Stat-Host":["www.gkm.pw"],"Ali-Cdn-Real-Port":["3212"],"Ali-Cdn-Appview-Name":["cdn-tengine"],"X-Forwarded-Host":["gkm.pw"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"http/1.1","server_name":"gkm.pw"}},"headers":{"Cache-Control":["no-store"],"Date":["Mon, 12 Feb 2024 07:30:34 GMT"]},"status":200}
{"level":"error","ts":1707723043.5787535,"logger":"http.handlers.reverse_proxy","msg":"reading from backend","error":"unexpected EOF"}
{"level":"error","ts":1707723043.5788438,"logger":"http.handlers.reverse_proxy","msg":"aborting with incomplete response","upstream":"127.0.0.1:15450","duration":0.002512431,"request":{"remote_ip":"163.181.15.154","remote_port":"35912","client_ip":"193.200.74.177","proto":"HTTP/1.1","method":"PUT","host":"gkm.pw","uri":"/akkl190219","headers":{"X-Alicdn-Da-Via":["163.181.1.224,163.181.15.243"],"Ali-Swift-Origin-Host":["gkm.pw"],"Ali-Tproxy-Urequest-Timeout":["30"],"Ali-Cdn-Real-Ip":["193.200.74.177"],"Ali-Swift-Force-Ttl-Code":["400=0"],"User-Agent":["Go-http-client/2.0"],"X-Forwarded-For":["193.200.74.177, 163.181.15.154"],"X-Client-Scheme":["https"],"Ali-Swift-Ukeepalive-Timeout":["30"],"Ali-Swift-Origin-Scheme":["https"],"Ali-Swift-Origin-Port":["443"],"Ali-Swift-Range-Cache":["on"],"Ali-Proxy-Is-Free":["0"],"Ali-Cdn-Adaptive-Ports":["443,443"],"Via":["ru6.l1, l2de2.l2"],"Accept-Encoding":["identity"],"X-Forwarded-Proto":["https"],"Eagleeye-Traceid":["a3b5019617077230340043684e"],"Ali-Proxy-Is-Hot":["0"],"Ali-Swift-Urequest-Timeout":["30"],"Ali-Swift-Log-Host":["www.gkm.pw"],"Ali-Swift-Stat-Host":["www.gkm.pw"],"Ali-Cdn-Real-Port":["3212"],"Ali-Cdn-Appview-Name":["cdn-tengine"],"X-Forwarded-Host":["gkm.pw"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"http/1.1","server_name":"gkm.pw"}},"error":"reading: unexpected EOF"}

curl -v https://www.gkm.pw/akkl190219

*   Trying 163.181.1.226:443...
* Connected to www.gkm.pw (163.181.1.226) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=www.gkm.pw
*  start date: Jan 20 19:11:16 2024 GMT
*  expire date: Apr 19 19:11:15 2024 GMT
*  subjectAltName: host "www.gkm.pw" matched cert's "www.gkm.pw"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x555a47cb0eb0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /akkl190219 HTTP/2
> Host: www.gkm.pw
> user-agent: curl/7.81.0
> accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200
< server: Tengine
< content-length: 0
< strict-transport-security: max-age=5184000; includeSubDomains
< alt-svc: h3=":443"; ma=2592000
< cache-control: no-store
< date: Mon, 12 Feb 2024 07:34:12 GMT
< via: cache19.l2de2[155,0], cache1.ru6[193,0]
< timing-allow-origin: *
< eagleid: a3b5019517077232519832940e
<
* Connection #0 to host www.gkm.pw left intact

client error

[Warning] [2896692066] transport/internet/http: failed to dial to tcp:www.gkm.pw:443 > Put "https://www.gkm.pw:443/akkl190219": http2: Transport: cannot retry err [stream error: stream ID 1; PROTOCOL_ERROR; received from peer] after Request.Body was written; define Request.GetBody to avoid this error

I am sure that ALPN HTTP/1.1 is not advertised among either sources or clients (transmission only h2, ALPN only h2).
The only thing I know for sure from the documentation is that the CDN forwards requests to the user origin using HTTP/1.1.
In the CDN settings, all options related to HTTPS and HTTP/2.0 are enabled.

Can you provide a minimal golang request snippet to reproduce this problem? I see the error log is a PUT request, but the curl requests are GET.

Request to the source?

Your curl command shows:

But your logs show:

This is inconsistent. Can you make sure the log you copy is from the curl command you sent? Or if PUT is actually the problem, then make a PUT with curl.

Please copy-paste your terminal output, photos of your screen are really difficult to parse.

I have already provided this data above in copy/paste format; the photo is only to confirm that I am not mistaken about the output of curl -v.

curl -X PUT https://gkm.pw/akkl190219

{"level":"debug","ts":1707735474.363862,"logger":"events","msg":"event","name":"tls_get_certificate","id":"678e6310-8762-409e-bb38-481db7231648","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"gkm.pw","SupportedCurves":[29,23,30,25,24,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"193.200.74.177","Port":65500,"Zone":""},"LocalAddr":{"IP":"31.129.111.230","Port":443,"Zone":""}}}}
{"level":"debug","ts":1707735474.3651083,"logger":"tls.handshake","msg":"choosing certificate","identifier":"gkm.pw","num_choices":1}
{"level":"debug","ts":1707735474.365443,"logger":"tls.handshake","msg":"custom certificate selection results","identifier":"gkm.pw","subjects":["gkm.pw"],"managed":false,"issuer_key":"","hash":"e31c18709c42f5db2eae3032047b22e34cf6f3c1bafb24e4d80dc2deba9d5e01"}
{"level":"debug","ts":1707735474.3656375,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"193.200.74.177","remote_port":"65500","subjects":["gkm.pw"],"managed":false,"expiration":1713553201,"hash":"e31c18709c42f5db2eae3032047b22e34cf6f3c1bafb24e4d80dc2deba9d5e01"}
{"level":"debug","ts":1707735474.3735147,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"127.0.0.1:15450","total_upstreams":1}
{"level":"debug","ts":1707735474.3760695,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"127.0.0.1:15450","duration":0.002201755,"request":{"remote_ip":"193.200.74.177","remote_port":"65500","client_ip":"193.200.74.177","proto":"HTTP/2.0","method":"PUT","host":"gkm.pw","uri":"/akkl190219","headers":{"User-Agent":["curl/7.81.0"],"Accept":["*/*"],"X-Forwarded-For":["193.200.74.177"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["gkm.pw"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"gkm.pw"}},"headers":{"Cache-Control":["no-store"],"Date":["Mon, 12 Feb 2024 10:57:54 GMT"]},"status":200}

curl -X PUT https://www.gkm.pw/akkl190219

{"level":"debug","ts":1707735626.2261376,"logger":"events","msg":"event","name":"tls_get_certificate","id":"4ea0200d-e1b4-4f32-aef4-1dc971fff534","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4865,4867,198,199,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"gkm.pw","SupportedCurves":[29,23,30,25,24,41],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,1800,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,515,769,513,770,514,1026,1282,1538],"SupportedProtos":["http/1.1"],"SupportedVersions":[772,771,770,769],"RemoteAddr":{"IP":"163.181.15.153","Port":44312,"Zone":""},"LocalAddr":{"IP":"31.129.111.230","Port":443,"Zone":""}}}}
{"level":"debug","ts":1707735626.2268293,"logger":"tls.handshake","msg":"choosing certificate","identifier":"gkm.pw","num_choices":1}
{"level":"debug","ts":1707735626.2270222,"logger":"tls.handshake","msg":"custom certificate selection results","identifier":"gkm.pw","subjects":["gkm.pw"],"managed":false,"issuer_key":"","hash":"e31c18709c42f5db2eae3032047b22e34cf6f3c1bafb24e4d80dc2deba9d5e01"}
{"level":"debug","ts":1707735626.2271135,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"163.181.15.153","remote_port":"44312","subjects":["gkm.pw"],"managed":false,"expiration":1713553201,"hash":"e31c18709c42f5db2eae3032047b22e34cf6f3c1bafb24e4d80dc2deba9d5e01"}
{"level":"debug","ts":1707735626.277443,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"127.0.0.1:15450","total_upstreams":1}
{"level":"debug","ts":1707735626.2920127,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"127.0.0.1:15450","duration":0.014159797,"request":{"remote_ip":"163.181.15.153","remote_port":"44312","client_ip":"193.200.74.177","proto":"HTTP/1.1","method":"PUT","host":"gkm.pw","uri":"/akkl190219","headers":{"X-Alicdn-Da-Via":["163.181.1.226,163.181.15.243"],"Ali-Cdn-Real-Ip":["193.200.74.177"],"Ali-Swift-Origin-Scheme":["https"],"Ali-Swift-Force-Ttl-Code":["400=0"],"Ali-Swift-Urequest-Timeout":["30"],"Ali-Swift-Stat-Host":["www.gkm.pw"],"Ali-Tproxy-Urequest-Timeout":["30"],"Ali-Cdn-Adaptive-Ports":["443,443"],"Ali-Swift-Origin-Host":["gkm.pw"],"Ali-Swift-Ukeepalive-Timeout":["30"],"X-Forwarded-For":["193.200.74.177, 163.181.15.153"],"Accept":["*/*"],"Ali-Swift-Log-Host":["www.gkm.pw"],"X-Client-Scheme":["https"],"Ali-Cdn-Real-Port":["11934"],"Ali-Proxy-Is-Hot":["0"],"Eagleeye-Traceid":["a3b5019b17077356261422967e"],"Ali-Proxy-Is-Free":["0"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["gkm.pw"],"User-Agent":["curl/7.81.0"],"Ali-Swift-Range-Cache":["on"],"Ali-Cdn-Appview-Name":["cdn-tengine"],"Ali-Swift-Origin-Port":["443"],"Via":["ru6.l1, l2de2.l2"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"http/1.1","server_name":"gkm.pw"}},"headers":{"Cache-Control":["no-store"],"Date":["Mon, 12 Feb 2024 11:00:26 GMT"]},"status":200}


There are no problems with these two requests. Both return 200.

{
	log {
		level debug
		output file /var/log/caddy/debug.log
	}
	auto_https off
	servers {
		trusted_proxies static 163.181.0.0/16 47.246.0.0/16 8.0.0.0/9
		enable_full_duplex
	}
}

gkm.pw {
	tls /ssl/gkm.pw.pem /ssl/gkm.pw.key.pem
	root * /var/www/html/
	file_server
	@http2only {
		path /akkl190219
	}
	reverse_proxy @http2only 127.0.0.1:15450 {
		transport http {
			tls_server_name gkm.pw
			versions 2
		}
	}
}

www.gkm.pw {
	tls /ssl/www.gkm.pw.pem /ssl/www.gkm.pw.key.pem
	root * /var/www/html/
	file_server
	@http2only {
		path /akkl190219
	}
	reverse_proxy @http2only 127.0.0.1:15450 {
		transport http {
			tls_server_name gkm.pw
			versions 2
		}
	}
}

I don’t understand why, but it worked for me and my client server connects through a subdomain to the CDN when I added the “enable_full_duplex” directive to the global options servers. But another problem occurs: the origin domain stops working on HTTP/2.0. Is it possible to enable “enable_full_duplex” in Caddy upon request?
Here is a fragment of the log when accessing the site https://gkm.pw via HTTP/2.0:

{"level":"debug","ts":1707815749.5234563,"logger":"http.stdlib","msg":"http2: panic serving 193.200.74.177:1580: runtime error: invalid memory address or nil pointer dereference\ngoroutine 180 [running]:\ngolang.org/x/net/http2.(*serverConn).runHandler.func1()\n\tgolang.org/x/net@v0.17.0/http2/server.go:2361 +0x13b\npanic({0x175c7a0?, 0x2ae8ef0?})\n\truntime/panic.go:914 +0x21f\ngo.uber.org/zap.(*Logger).check(0x0, 0x1, {0x19e6574, 0x1c})\n\tgo.uber.org/zap@v1.25.0/logger.go:304 +0x5e\ngo.uber.org/zap.(*Logger).Warn(0xc00017a200?, {0x19e6574?, 0x1e86a90?}, {0xc0002e48c0, 0x1, 0x1})\n\tgo.uber.org/zap@v1.25.0/logger.go:227 +0x38\ngithub.com/caddyserver/caddy/v2/modules/caddyhttp.(*Server).ServeHTTP(0xc0002f9080, {0x1e86a90, 0xc000428120}, 0xc00017a200)\n\tgithub.com/caddyserver/caddy/v2@v2.7.6/modules/caddyhttp/server.go:296 +0x98a\nnet/http.serverHandler.ServeHTTP({0x1?}, {0x1e86a90?, 0xc000428120?}, 0x69cfad?)\n\tnet/http/server.go:2938 +0x8e\nnet/http.initALPNRequest.ServeHTTP({{0x1e8a1d0?, 0xc000243b30?}, 0xc000378700?, {0xc0002805a0?}}, {0x1e86a90, 0xc000428120}, 0xc00017a200)\n\tnet/http/server.go:3546 +0x231\ngolang.org/x/net/http2.(*serverConn).runHandler(0x76d8a8?, 0xc0004934d0?, 0x1e8a1d0?, 0xc0004dcc00?)\n\tgolang.org/x/net@v0.17.0/http2/server.go:2368 +0xbb\ncreated by golang.org/x/net/http2.(*serverConn).scheduleHandler in goroutine 163\n\tgolang.org/x/net@v0.17.0/http2/server.go:2303 +0x21d"}
{"level":"debug","ts":1707815750.6912243,"logger":"http.stdlib","msg":"http2: panic serving 193.200.74.177:1580: runtime error: invalid memory address or nil pointer dereference\ngoroutine 184 [running]:\ngolang.org/x/net/http2.(*serverConn).runHandler.func1()\n\tgolang.org/x/net@v0.17.0/http2/server.go:2361 +0x13b\npanic({0x175c7a0?, 0x2ae8ef0?})\n\truntime/panic.go:914 +0x21f\ngo.uber.org/zap.(*Logger).check(0x0, 0x1, {0x19e6574, 0x1c})\n\tgo.uber.org/zap@v1.25.0/logger.go:304 +0x5e\ngo.uber.org/zap.(*Logger).Warn(0xc00017a600?, {0x19e6574?, 0x1e86a90?}, {0xc0002e4980, 0x1, 0x1})\n\tgo.uber.org/zap@v1.25.0/logger.go:227 +0x38\ngithub.com/caddyserver/caddy/v2/modules/caddyhttp.(*Server).ServeHTTP(0xc0002f9080, {0x1e86a90, 0xc000428130}, 0xc00017a600)\n\tgithub.com/caddyserver/caddy/v2@v2.7.6/modules/caddyhttp/server.go:296 +0x98a\nnet/http.serverHandler.ServeHTTP({0xc00005ad70?}, {0x1e86a90?, 0xc000428130?}, 0x418688?)\n\tnet/http/server.go:2938 +0x8e\nnet/http.initALPNRequest.ServeHTTP({{0x1e8a1d0?, 0xc000243b30?}, 0xc000378700?, {0xc0002805a0?}}, {0x1e86a90, 0xc000428130}, 0xc00017a600)\n\tnet/http/server.go:3546 +0x231\ngolang.org/x/net/http2.(*serverConn).runHandler(0x76d8a8?, 0xc000493680?, 0x1e8a1d0?, 0xc0004dd080?)\n\tgolang.org/x/net@v0.17.0/http2/server.go:2368 +0xbb\ncreated by golang.org/x/net/http2.(*serverConn).scheduleHandler in goroutine 163\n\tgolang.org/x/net@v0.17.0/http2/server.go:2303 +0x21d"}
{"level":"debug","ts":1707815755.824716,"logger":"http.stdlib","msg":"http2: panic serving 193.200.74.177:1580: runtime error: invalid memory address or nil pointer dereference\ngoroutine 186 [running]:\ngolang.org/x/net/http2.(*serverConn).runHandler.func1()\n\tgolang.org/x/net@v0.17.0/http2/server.go:2361 +0x13b\npanic({0x175c7a0?, 0x2ae8ef0?})\n\truntime/panic.go:914 +0x21f\ngo.uber.org/zap.(*Logger).check(0x0, 0x1, {0x19e6574, 0x1c})\n\tgo.uber.org/zap@v1.25.0/logger.go:304 +0x5e\ngo.uber.org/zap.(*Logger).Warn(0xc00017aa00?, {0x19e6574?, 0x1e86a90?}, {0xc0002e4a40, 0x1, 0x1})\n\tgo.uber.org/zap@v1.25.0/logger.go:227 +0x38\ngithub.com/caddyserver/caddy/v2/modules/caddyhttp.(*Server).ServeHTTP(0xc0002f9080, {0x1e86a90, 0xc000428140}, 0xc00017aa00)\n\tgithub.com/caddyserver/caddy/v2@v2.7.6/modules/caddyhttp/server.go:296 +0x98a\nnet/http.serverHandler.ServeHTTP({0xc00005ad70?}, {0x1e86a90?, 0xc000428140?}, 0x418688?)\n\tnet/http/server.go:2938 +0x8e\nnet/http.initALPNRequest.ServeHTTP({{0x1e8a1d0?, 0xc000243b30?}, 0xc000378700?, {0xc0002805a0?}}, {0x1e86a90, 0xc000428140}, 0xc00017aa00)\n\tnet/http/server.go:3546 +0x231\ngolang.org/x/net/http2.(*serverConn).runHandler(0x2b58b80?, 0x0?, 0x0?, 0xc0004dd080?)\n\tgolang.org/x/net@v0.17.0/http2/server.go:2368 +0xbb\ncreated by golang.org/x/net/http2.(*serverConn).scheduleHandler in goroutine 163\n\tgolang.org/x/net@v0.17.0/http2/server.go:2303 +0x21d"}

curl -v https://gkm.pw/akkl190219

~# curl -v https://gkm.pw/akkl190219
*   Trying 31.129.111.230:443...
* TCP_NODELAY set
* Connected to gkm.pw (31.129.111.230) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=gkm.pw
*  start date: Jan 20 19:00:01 2024 GMT
*  expire date: Apr 19 19:00:00 2024 GMT
*  subjectAltName: host "gkm.pw" matched cert's "gkm.pw"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x564237870dd0)
> GET /akkl190219 HTTP/2
> Host: gkm.pw
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
* HTTP/2 stream 0 was not closed cleanly: INTERNAL_ERROR (err 2)
* stopped the pause stream!
* Connection #0 to host gkm.pw left intact
curl: (92) HTTP/2 stream 0 was not closed cleanly: INTERNAL_ERROR (err 2)

curl -v https://www.gkm.pw/akkl190219

# curl -v https://www.gkm.pw/akkl190219
*   Trying 47.246.44.231:443...
* TCP_NODELAY set
* Connected to www.gkm.pw (47.246.44.231) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=www.gkm.pw
*  start date: Jan 20 19:11:16 2024 GMT
*  expire date: Apr 19 19:11:15 2024 GMT
*  subjectAltName: host "www.gkm.pw" matched cert's "www.gkm.pw"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5561e7f71dd0)
> GET /akkl190219 HTTP/2
> Host: www.gkm.pw
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< server: Tengine
< content-length: 0
< strict-transport-security: max-age=5184000; includeSubDomains
< alt-svc: h3=":443"; ma=2592000
< cache-control: no-store
< date: Tue, 13 Feb 2024 09:21:25 GMT
< via: cache5.l2de2[148,0], cache8.se1[171,0]
< timing-allow-origin: *
< eagleid: 2ff62c9c17078160857698605e
<
* Connection #0 to host www.gkm.pw left intact

Ah, interesting, would’ve never considered that would help here, since it’s an HTTP/1.1-specific feature.

Interesting. I see the problem: we were trying to enable full duplex for HTTP/2, which never works, and trying to log that caused a panic. Fixed here:

Could you try a build from that branch to confirm that everything works as expected?
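To show what enable_full_duplex changes for a proxied PUT stream and why the panic above was avoidable, here is an added Go example (not Caddy's code): a handler that commits its response header before reading the request body, exercised through Go's own HTTP/1.1 and HTTP/2 test servers. The handler and helper names, the nil-logger guard and the reuse of the /akkl190219 path are illustrative; on HTTP/2 the EnableFullDuplex call is at best a no-op and, with the x/net version in the stack trace, reports http.ErrNotSupported, which the code treats as non-fatal.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
)

// enableFullDuplex asks Go's HTTP server to keep the request body readable
// while the response is being written. Over HTTP/1.1 this is what Caddy's
// enable_full_duplex turns on; over HTTP/2 every stream is already
// bidirectional, so the call is a no-op or reports http.ErrNotSupported.
// The nil-logger guard is the defensive detail the thread's panic lacked:
// the stack trace shows zap.(*Logger).Warn invoked on a nil receiver.
func enableFullDuplex(w http.ResponseWriter, r *http.Request, logger *log.Logger) (enabled bool, err error) {
	if logger == nil {
		logger = log.New(io.Discard, "", 0)
	}
	err = http.NewResponseController(w).EnableFullDuplex()
	switch {
	case err == nil:
		return true, nil
	case errors.Is(err, http.ErrNotSupported):
		logger.Printf("full duplex unavailable on %s (expected for HTTP/2)", r.Proto)
		return false, nil
	default:
		logger.Printf("EnableFullDuplex failed on %s: %v", r.Proto, err)
		return false, err
	}
}

// duplexEcho mimics the proxied PUT stream: it puts the response header on
// the wire before touching the request body, then streams the body back.
// Without full duplex, Go's HTTP/1 server discards and closes the unread
// body when the header goes out, so the later read fails and nothing is echoed.
func duplexEcho(fullDuplex bool, logger *log.Logger) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if fullDuplex {
			enableFullDuplex(w, r, logger) // problems are logged, never fatal
		}
		w.Header().Set("Cache-Control", "no-store")
		w.WriteHeader(http.StatusOK)
		_ = http.NewResponseController(w).Flush() // header sent, body still unread
		if _, err := io.Copy(w, r.Body); err != nil && logger != nil {
			logger.Printf("echo aborted: %v", err)
		}
	})
}

// putRoundTrip runs h on a local test server, sends a PUT with body over
// either plain HTTP/1.1 or TLS with h2 negotiated via ALPN, and returns the
// protocol the client ended up using together with the echoed body.
func putRoundTrip(h http.Handler, body string, h2 bool) (proto, echoed string, err error) {
	var srv *httptest.Server
	if h2 {
		srv = httptest.NewUnstartedServer(h)
		srv.EnableHTTP2 = true
		srv.StartTLS()
	} else {
		srv = httptest.NewServer(h)
	}
	defer srv.Close()
	req, err := http.NewRequest(http.MethodPut, srv.URL+"/akkl190219", strings.NewReader(body))
	if err != nil {
		return "", "", err
	}
	resp, err := srv.Client().Do(req)
	if err != nil {
		return "", "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return resp.Proto, string(b), err
}

func main() {
	logger := log.New(os.Stderr, "", 0)
	cases := []struct {
		name   string
		h2, fd bool
	}{{"h1 default", false, false}, {"h1 full duplex", false, true}, {"h2", true, true}}
	for _, c := range cases {
		proto, echoed, err := putRoundTrip(duplexEcho(c.fd, logger), "hello", c.h2)
		fmt.Printf("%-15s %-8s echoed=%q err=%v\n", c.name, proto, echoed, err)
	}
}
```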

It works !!! The problem is solved, thank you all so much for your help !!!
