
Resolved Cannot use HTTP2 because cross-origin issue

PeopleInside

Regular Pleskian
THIS looks to be a BUG or something someone from Plesk should explain!

1. If I activate HTTP 2, it generates cross-origin errors on my web installations. The error is present in the browser console and my self-hosted chat widget is not shown on external domains.
2. If HTTP2 is deactivated all works, but I'm using the old HTTP 1 protocol, so that is not good.

The error that is generated if HTTP2 is active is: The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed
  • If I stop (kill) the Reverse proxy server (nginx) all works but not HTTP2
  • If HTTP2 is stopped HTTP 1 (old) is supported

By activating HTTP2 I get errors because I have a live chat widget (Live Helper Chat, open source) that uses DOMAIN 1. If I use the widget on DOMAIN 1 all works fine, but if I need to use the widget on DOMAIN 2 it is not working because the web browser console says: blocked for cross-origin, missing the Access-Control-Allow-Origin directive. This happens only if HTTP2 is active.

So I add this directive following what is reported in the Plesk guide: How to set up CORS (cross-origin resource sharing) in Plesk for Linux? I get:
https://talk.plesk.com/attachments/01-png.19750/

It seems the directive, when I add it, is added two times or maybe is added incorrectly.

I tried to change the directive to a specific domain and I get Access-Control-Allow-Origin never matches "*, domain.ext", so it seems it is not added twice; it seems a rule to allow a wildcard domain (all domains) is always added if I insert a custom rule. But if I don't insert Access-Control-Allow-Origin "*" the directive is not present; if I insert it, it is inserted wrong and never works.


My previous topic was flagged as resolved but is not resolved: Resolved - Issue with cross-origin, Plesk is locking
Now I know the issue is created by HTTP2 and, if the process is stopped as in the GIF, the issue is resolved but HTTP2 is no longer enabled.
Killing the process disables the HTTP2 support, something I want to avoid.

How can I have HTTP2 enabled without the cross-origin issue?
Can this be confirmed as a bug? How can I report it to the Plesk Team?

It seems Apache alone is currently not supported by Plesk for HTTP2 support.
https://talk.plesk.com/threads/http2-enabled-apache-still-using-1-0.352287

I don't know if this is one cause of the issue. Is Plesk using nginx and Apache creating the issue with CORS?



Thanks

The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed.

If I stop the nginx proxy the issue is resolved but I lose HTTP2; I want to have HTTP2.
Any help will be appreciated.
 
I also tried to turn off the Proxy mode setting in Service Plans > Example Plan > Web Server but still have the same CORS issue.
The only way I get no issue is by disabling HTTP2 by killing the Reverse proxy server nginx service.

I want to have HTTP2 and have no issue with CORS and not, as now, choose between supporting CORS or supporting HTTP 2 only.

Should this be reported as a bug or not?
If not, can anyone help me understand where I am wrong?

I don't know if with my profile I'm able to report a bug.
I will wait some days to see how this discussion is going. :)

Thank you very much for the help.
At the moment this seems the last issue I need to resolve on Plesk after my happy migration. :D
 
Solution: Forwarded to devs - HTTP2 and CORS issues

From Plesk developer:

The problem is not related to HTTP 2 and not a bug in Plesk.

Live Helper Chat (LHC) inserts CORS headers for dynamic content by itself and for static content it relies on Apache .htaccess config. By default Plesk uses nginx in reverse proxy mode with nginx serving static content as directed by X-Accel-Redirect header set by Apache (see Apache with nginx). Unfortunately, in this mode nginx loses CORS headers for static content, which were set in .htaccess and emitted by Apache. Therefore, the client receives no CORS headers for static content and that's why LHC doesn't work in cross-origin setting with Plesk by default.

Setting Access-Control-Allow-Origin for all content in nginx config as per https://support.plesk.com/hc/en-us/...s-origin-resource-sharing-in-Plesk-for-Linux- doesn't help either, because then CORS headers are duplicated for dynamic content (set both by LHC and by nginx).

You can fix this problem by reproducing LHC .htaccess configuration in nginx config only for static content served by nginx. To do this, use the following additional nginx directives (replacing "example.org" with your domain name):

Code:
location ~* ^/internal-nginx-static-location/(.+\.(gif|jpe?g?|png|bmp|swf|css|js|svg|otf|eot|ttf|woff|woff2|swf|mp3|ogg|wasm|wav|pdf|ico|txt))$ {
    alias /var/www/vhosts/example.org/httpdocs/$1;
    internal;
    add_header Access-Control-Allow-Origin '*';
    add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS, PUT, DELETE';
    add_header Access-Control-Allow-Headers 'Origin, X-Requested-With, Content-Type, Accept, API-Key, Authorization, X-Test';
}

You may also limit the scope of these directives by setting an appropriate regular expression. For example, if your LHC is installed in the "lhc_web" subdirectory, you can use "location ~* ^/internal-nginx-static-location/(lhc_web/.+\.(gif|jpe?g?|png|bmp|swf|css|js|svg|otf|eot|ttf|woff|woff2|swf|mp3|ogg|wasm|wav|pdf|ico|txt))$" above. Then CORS headers will be added to LHC static content only.

Thank you very much to this forum, to Plesk team for helping me to sort out this last issue for me!
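
The response states described in the developer's reply (no CORS header on static files, a doubled header on dynamic pages, a single header after the scoped fix) can be told apart with a small header check. This is an added example, not code from the thread, Plesk or Live Helper Chat; the function names and the sample header lists are constructed for illustration.

```python
# Added example: classify the Access-Control-Allow-Origin (ACAO) state of a
# response. Header lists below are constructed samples, not captured traffic.
ACAO = "access-control-allow-origin"


def acao_values(headers):
    """Return every ACAO value in a list of (name, value) header pairs.

    Pairs are used instead of a dict because a dict would silently drop
    repeated header lines, which is the fault being diagnosed.
    """
    values = []
    for name, value in headers:
        if name.strip().lower() == ACAO:
            # Browsers join repeated lines with ", " before validating, so
            # two "*" lines and one "*, *" line are the same failure.
            values.extend(v.strip() for v in value.split(",") if v.strip())
    return values


def diagnose(headers):
    """Return 'missing', 'duplicate' or 'ok' for one response."""
    values = acao_values(headers)
    if not values:
        return "missing"      # cross-origin read is blocked
    if len(values) > 1:
        return "duplicate"    # rejected: only one value is allowed
    return "ok"


# Constructed samples for the cases discussed in the thread.
SAMPLES = {
    # Static file served by nginx after X-Accel-Redirect: .htaccess header lost.
    "static, default proxy mode": [("Content-Type", "text/css")],
    # Dynamic page: the application sets ACAO and a site-wide add_header adds another.
    "dynamic, site-wide add_header": [
        ("Access-Control-Allow-Origin", "*"),
        ("access-control-allow-origin", "*"),
    ],
    # Site-wide header set to one domain while the application still sends "*".
    "dynamic, specific origin added": [("Access-Control-Allow-Origin", "*, domain.ext")],
    # Static file once the header is added only in the static location block.
    "static, scoped add_header": [("Access-Control-Allow-Origin", "*")],
}


def audit(samples):
    """Map each sample label to its diagnosis."""
    return {label: diagnose(hdrs) for label, hdrs in samples.items()}
```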
 