
Troubleshooting HTTP/2 traffic in WSS


Article ID: 253017


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

How do I troubleshoot HTTP/2 issues in WSS?

How can I disable HTTP/2 for a specific website?

Cause

Compatibility issue between the HTTP/2 client and server when traffic passes through WSS.

Resolution

Collect data: 

 

Depending on whether you manage WSS policy with UPE (Management Center) or from the WSS Portal, you can disable HTTP/2 in one of the following ways: 


(A) UPE: Disable SSL Inspection (disable HTTP/2 for a specific website)

With UPE-managed policy

1. Create a CPL layer

2. Add this CPL policy (this will disable SSL interception): 

#if enforcement=wss
<ssl-intercept>
  url.domain="testsite.com" ssl.forward_proxy(no)
#endif

 

(B) UPE: Disable HTTP/2 (downgrade the connections to HTTP/1.1)

With UPE-managed policy: 

1. Create a CPL layer

2. Add this CPL policy (SSL interception still works): 

#if enforcement=wss
<proxy>
  client.connection.ssl_server_name.substring=testsite.com http2.client.accept(no) http2.server.request(no)
#endif

 

(C) Portal: Disable SSL Inspection (disable HTTP/2 for a specific website)

With WSS Portal-managed policy: 

1. Add an SSL interception bypass rule for the domain: 

WSS Portal: Policy
->TLS / SSL Interception
-> TLS / SSL Interception Policy
-> Add rule where 'Destination' is the problem domain and 'Verdict' is 'Do not intercept'

Additional Information

The quickest way of validating whether the issue is related to the HTTP/2 protocol or not is to disable HTTP/2 from the browser side.

If you suspect that HTTP/2 is the source of the problem, run Chrome with HTTP/2 disabled using the command below, then confirm that all requests are sent with HTTP/1.1 (check the HAR file from Developer Tools) and that everything works as expected.

C:\Program Files (x86)\Google\Chrome\Application> chrome.exe --disable-http2
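
One way to check the HAR file mentioned above is to count which protocol each request to the problem domain used. This is an added example, not Broadcom tooling: the sample HAR is constructed, the function names are hypothetical, and the accepted protocol spellings ("h2", "http/2.0", "h3", "http/1.1") are an assumption about what browsers write in the httpVersion field.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample HAR, trimmed to the fields read below. A real file comes
# from the browser's Developer Tools network panel export.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://testsite.com/", "httpVersion": "http/2.0"},
     "response": {"httpVersion": "http/2.0"}},
    {"request": {"url": "https://cdn.testsite.com/app.js", "httpVersion": "http/1.1"},
     "response": {"httpVersion": "http/1.1"}},
    {"request": {"url": "https://testsite.com/api", "httpVersion": "HTTP/1.1"},
     "response": {"httpVersion": "HTTP/1.1"}},
    {"request": {"url": "https://other.example/", "httpVersion": "h2"},
     "response": {"httpVersion": "h2"}},
]}})

def normalize(version):
    """Fold the protocol spellings found in HAR exports into one label."""
    v = (version or "").strip().lower()
    if v in ("h2", "http/2", "http/2.0"):
        return "HTTP/2"
    if v in ("h3", "http/3", "http/3.0") or v.startswith("h3-"):
        return "HTTP/3"
    if v in ("http/1.0", "http/1.1"):
        return v.upper()
    return "unknown"  # e.g. cached or blocked entries with no version recorded

def protocol_summary(har_text, domain):
    """Return (counts per protocol, entries not on HTTP/1.x) for `domain`."""
    counts, not_h1 = Counter(), []
    for entry in json.loads(har_text)["log"]["entries"]:
        url = entry["request"]["url"]
        host = (urlsplit(url).hostname or "").lower()
        if host != domain and not host.endswith("." + domain):
            continue  # request went to an unrelated site
        proto = normalize(entry.get("response", {}).get("httpVersion")
                          or entry["request"].get("httpVersion"))
        counts[proto] += 1
        if not proto.startswith("HTTP/1"):
            not_h1.append((proto, url))
    return counts, not_h1

if __name__ == "__main__":
    counts, not_h1 = protocol_summary(SAMPLE_HAR, "testsite.com")
    print(dict(counts))
    for proto, url in not_h1:
        print("still", proto, "->", url)
```

An empty second result means every request to the domain and its subdomains went over HTTP/1.x, which is the state to reproduce the issue against.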