I configured nginx + spnego module to login users via sso at specific address and noticed that as soon as that happens chrome forces http/1.1 for entire subdomain. Without SSO whole site is working with http/2. Nginx is (1.15.0), spnego module from github and current chrome (v71).
I turned on debug information in nginx and there is:
2019/01/07 14:39:11 [debug] 42129#42129: *2378 SSL ALPN supported by client: h2
2019/01/07 14:39:11 [debug] 42129#42129: *2378 SSL ALPN supported by client: http/1.1
2019/01/07 14:39:11 [debug] 42129#42129: *2378 SSL ALPN selected: h2
2019/01/07 14:39:11 [debug] 42132#42132: *2379 SSL ALPN supported by client: h2
2019/01/07 14:39:11 [debug] 42132#42132: *2379 SSL ALPN supported by client: http/1.1
2019/01/07 14:39:11 [debug] 42132#42132: *2379 SSL ALPN selected: h2
2019/01/07 14:39:11 [debug] 42129#42129: *2378 SSL_do_handshake: -1
2019/01/07 14:39:11 [debug] 42129#42129: *2378 SSL_get_error: 2
2019/01/07 14:39:11 [debug] 42129#42129: *2378 reusable connection: 0
2019/01/07 14:39:11 [debug] 42129#42129: *2378 SSL handshake handler: 0
2019/01/07 14:39:11 [debug] 42129#42129: *2378 ssl new session: 057AF550:32:184
2019/01/07 14:39:11 [debug] 42129#42129: *2378 SSL_do_handshake: 1
2019/01/07 14:39:11 [debug] 42129#42129: *2378 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"
2019/01/07 14:39:11 [debug] 42129#42129: *2378 init http2 connection
At this stage it's ok - it's http2, but modules sends 401 code and ask for credentials:
2019/01/07 14:41:05 [debug] 42129#42129: *2378 http2 header filter
2019/01/07 14:41:05 [debug] 42129#42129: *2378 http2 push resources
2019/01/07 14:41:05 [debug] 42129#42129: *2378 http2 output header: ":status: 401"
2019/01/07 14:41:05 [debug] 42129#42129: *2378 http2 output header: "server: nginx"
2019/01/07 14:41:05 [debug] 42129#42129: *2378 http2 output header: "date: Mon, 07 Jan 2019 13:41:05 GMT"
2019/01/07 14:41:05 [debug] 42129#42129: *2378 http2 output header: "content-type: text/html; charset=utf-8"
2019/01/07 14:41:05 [debug] 42129#42129: *2378 http2 output header: "content-length: 590"
2019/01/07 14:41:05 [debug] 42129#42129: *2378 http2 output header: "www-authenticate: Negotiate"
2019/01/07 14:41:05 [debug] 42129#42129: *2378 http2 output header: "strict-transport-security: max-age=63072000; includeSubDomains; preload"
2019/01/07 14:41:05 [debug] 42129#42129: *2378 http2:5 create HEADERS frame 000055B593338C60: len:133 fin:0
2019/01/07 14:41:05 [debug] 42129#42129: *2378 http cleanup add: 000055B593338D58
2019/01/07 14:41:05 [debug] 42129#42129: *2378 http2 frame out: 000055B593338C60 sid:5 bl:1 len:133
To this point h2 seems to work fine, after that chrome sends only http 1.1 alpn in response to 401 page:
2019/01/07 14:41:05 [debug] 42129#42129: *2378 reusable connection: 1
2019/01/07 14:41:05 [debug] 42129#42129: *2378 event timer del: 53: 8023593525
2019/01/07 14:41:05 [debug] 42129#42129: *2378 event timer add: 53: 180000:8023706453
2019/01/07 14:41:05 [debug] 42129#42129: *4179 SSL ALPN supported by client: http/1.1
2019/01/07 14:41:05 [debug] 42129#42129: *4179 SSL ALPN selected: http/1.1
2019/01/07 14:41:05 [debug] 42129#42129: *4179 SSL_do_handshake: -1
2019/01/07 14:41:05 [debug] 42129#42129: *4179 SSL_get_error: 2
2019/01/07 14:41:05 [debug] 42129#42129: *4179 reusable connection: 0
2019/01/07 14:41:05 [debug] 42129#42129: *4179 SSL handshake handler: 0
2019/01/07 14:41:05 [debug] 42129#42129: *4179 SSL_do_handshake: 1
2019/01/07 14:41:05 [debug] 42129#42129: *4179 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"
2019/01/07 14:41:05 [debug] 42129#42129: *4179 SSL reused session
2019/01/07 14:41:05 [debug] 42129#42129: *4179 reusable connection: 1
2019/01/07 14:41:05 [debug] 42129#42129: *4179 http wait request handler
After that everything will be in http/1 for whole domain. I configured wildcard server in nginx and tested that many times - until auth h2, and after auth http1. For now I will move auth endpoint to another subdomain so chrome will not force http1 for application but I'm still looking to fix. I checked ssl, cert, ciphers - that doesn't change on http/1 and http/2, and it's not any antivirus software. Also I'm unable to clear that state and FORCE http/2 after login, the only thing that helps is to kill chrome process. Clearing app cache doesn't help.
It works in IE and EDGE. Firefox by default don't support SSO and policies.
How can I force Chrome to use http/2 for domain? If it's not possible to do that on auth page, how can I force that to other pages except one url? Anyone know how can I force chrome to renegotiate http/2 in dev tools. Also I could not find any logs and error in chrome about switch from http/2 to v1
This is a known bug in Chrome. It is a knock on effect of the fact that Chrome doesn't support SSO over HTTP/2 but also does not support some HTTP/1 and some HTTP/2 connections to the same domain.
See bug here https://bugs.chromium.org/p/chromium/issues/detail?id=832586
And particularly the comment at the bottom:
The root of the problem here is that the network stack currently does not support concurrent HTTP/1.1 and HTTP/2 connections to the same server. See issue 685741 comments 10 and 11 about opinions on this possibility.