
Forwarded to devs HTTP2 and CORS issues

PeopleInside


TITLE

HTTP2 and CORS issues

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian 18.0.40, Ubuntu 20.4, Apache, PHP 8.0

PROBLEM DESCRIPTION

If HTTP2 is activated, I start to have issues with CORS, even if I insert the directive Access-Control-Allow-Origin: "*".
If I don't insert the directive, I get a missing CORS error; if I insert the directive, I get: blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed.

STEPS TO REPRODUCE

I have DOMAIN 1, DOMAIN 2, DOMAIN 3

On Domain 1 an open source chat called Live Helper Chat is installed (GitHub: LiveHelperChat/livehelperchat).

The live chat widget is installed on these three websites (DOMAIN 1, 2 and 3) and works only if HTTP2 is deactivated in Plesk.

As soon as I activate HTTP2, the live chat widget is visible only on the domain where it is installed (Domain 1) and no longer on Domain 2 and 3, with the browser console error: CORS directive missed.

So I followed the Plesk guide "How to set up CORS (cross-origin resource sharing) in Plesk for Linux?"
and added Access-Control-Allow-Origin: "*" to Domains > example.com > Apache & nginx Settings.
Now the issue is the following browser console error on Domain 2 and 3: blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed.

I also disabled the .htaccess files present in the folders, but the issue persists.

Without HTTP2 everything works; with HTTP2 the Live Helper Chat widget stops working, and when I add the rule Access-Control-Allow-Origin: "*" in Plesk to allow it, I get the strange error: blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed.

If I don't add this rule, the error is a missing CORS directive.

Finally, I need to stop the reverse proxy server (nginx) to have HTTP1 back and everything works normally, but I want to have HTTP2.

ACTUAL RESULT

I'm unable to use HTTP2
All works with HTTP1
See STEPS TO REPRODUCE for more details.

There are also two unresolved Plesk discussions:
  1. Resolved - Issue with cross-origin, Plesk is locking (Flagged as resolved but it is not)
  2. Issue - Cannot use HTTP2 because cross-origin issue

EXPECTED RESULT

When I activate HTTP2, I don't expect things to get broken.
Why does HTTP2 require an additional CORS directive, and why, if I follow the Plesk guide "How to set up CORS (cross-origin resource sharing) in Plesk for Linux?", does it seem that two rules are active (so the rule is invalid), yet as soon as I remove the added rule no rule is present, so I still get the missing CORS error?

The expected result is to have HTTP2 working like HTTP1, and in any case, if CORS works differently in HTTP2, I should be able to resolve it by adding the rule following the Plesk guide, but I see a duplicate rule which breaks Live Helper Chat.

ANY ADDITIONAL INFORMATION

I think all information has been added in the previous fields.
Please help me understand whether this is a bug, or whether the Plesk guide is not complete or clear (https://support.plesk.com/hc/en-us/...s-origin-resource-sharing-in-Plesk-for-Linux-)

The Plesk guide says:

Warning: Only one header Access-Control-Allow-Origin can be added. CORS will not work if the header is defined both in nginx and Apache, or twice for Apache or nginx respectively.

but there is no indication of how to resolve the issue I'm facing.

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Help with sorting out
 
From Plesk developer:

The problem is not related to HTTP 2 and not a bug in Plesk.

Live Helper Chat (LHC) inserts CORS headers for dynamic content by itself and for static content it relies on Apache .htaccess config. By default Plesk uses nginx in reverse proxy mode with nginx serving static content as directed by X-Accel-Redirect header set by Apache (see Apache with nginx). Unfortunately, in this mode nginx loses CORS headers for static content, which were set in .htaccess and emitted by Apache. Therefore, the client receives no CORS headers for static content and that's why LHC doesn't work in cross-origin setting with Plesk by default.

Setting Access-Control-Allow-Origin for all content in nginx config as per https://support.plesk.com/hc/en-us/...s-origin-resource-sharing-in-Plesk-for-Linux- doesn't help either, because then CORS headers are duplicated for dynamic content (set both by LHC and by nginx).

You can fix this problem by reproducing LHC .htaccess configuration in nginx config only for static content served by nginx. To do this, use the following additional nginx directives (replacing "example.org" with your domain name):

Code:
location ~* ^/internal-nginx-static-location/(.+\.(gif|jpe?g?|png|bmp|swf|css|js|svg|otf|eot|ttf|woff|woff2|swf|mp3|ogg|wasm|wav|pdf|ico|txt))$ {
    alias /var/www/vhosts/example.org/httpdocs/$1;
    internal;
    add_header Access-Control-Allow-Origin '*';
    add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS, PUT, DELETE';
    add_header Access-Control-Allow-Headers 'Origin, X-Requested-With, Content-Type, Accept, API-Key, Authorization, X-Test';
}

You may also limit the scope of these directives by setting an appropriate regular expression. For example, if your LHC is installed in the "lhc_web" subdirectory, you can use "location ~* ^/internal-nginx-static-location/(lhc_web/.+\.(gif|jpe?g?|png|bmp|swf|css|js|svg|otf|eot|ttf|woff|woff2|swf|mp3|ogg|wasm|wav|pdf|ico|txt))$" above. Then CORS headers will be added to LHC static content only.
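
A check for the three header states described in this thread (missing, exactly one, duplicated), as an added example that is not part of the original posts or Plesk's own code. The function names are hypothetical and the sample response heads are constructed to mirror the cases the developer describes.

```python
# Added example: classify the Access-Control-Allow-Origin (ACAO) state of a
# response head. The sample responses are constructed, not captured traffic.

def acao_values(response_head: str) -> list:
    """Return every ACAO value the client receives, one list entry per value."""
    values = []
    for line in response_head.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header section
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "access-control-allow-origin":
            # Two header lines and one comma-joined line are equivalent,
            # which is why the browser reports the value as '*, *'.
            values.extend(v.strip() for v in value.split(",") if v.strip())
    return values

def classify(response_head: str) -> str:
    """'missing' (no header), 'ok' (exactly one value) or 'duplicated'."""
    count = len(acao_values(response_head))
    return "missing" if count == 0 else "ok" if count == 1 else "duplicated"

# Constructed: static file served by nginx, headers from .htaccess lost.
STATIC_DEFAULT = """HTTP/2 200
content-type: application/javascript
"""

# Constructed: dynamic page, header set by the application and again by nginx.
DYNAMIC_GLOBAL_ADD_HEADER = """HTTP/2 200
content-type: text/html
access-control-allow-origin: *
access-control-allow-origin: *
"""

# Constructed: static file once add_header is scoped to the static location.
STATIC_SCOPED = """HTTP/2 200
content-type: application/javascript
access-control-allow-origin: *
"""

def report() -> dict:
    """Classify each constructed sample by name."""
    samples = {"static, default": STATIC_DEFAULT,
               "dynamic, global add_header": DYNAMIC_GLOBAL_ADD_HEADER,
               "static, scoped add_header": STATIC_SCOPED}
    return {name: classify(head) for name, head in samples.items()}

if __name__ == "__main__":
    for name, state in report().items():
        print(f"{name}: {state}")
```

To check a live site, pass `classify` the output of `curl -sI` for one static file and one dynamic URL on the chat domain; both should come back as "ok".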
 
Hi @IgorG ,
thank you very much for this detailed reply.

I would be very happy if this post could help me resolve the problem, but it does not.
I activated HTTP 2, then on the domain where the chat is, under Domains > livechat.domain.ext > Apache & nginx Settings,
in Additional nginx directives I added:

Code:
location ~* ^/internal-nginx-static-location/(.+\.(gif|jpe?g?|png|bmp|swf|css|js|svg|otf|eot|ttf|woff|woff2|swf|mp3|ogg|wasm|wav|pdf|ico|txt))$ {
    alias /var/www/vhosts/httpdocs/subdomains/livechat.domain.ext/livechat/$1;
    internal;
    add_header Access-Control-Allow-Origin '*';
    add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS, PUT, DELETE';
    add_header Access-Control-Allow-Headers 'Origin, X-Requested-With, Content-Type, Accept, API-Key, Authorization, X-Test';
}

but I still do not see the live chat widget.

What am I doing wrong, please?

Should /internal-nginx-static-location/ be changed or kept as is? I don't need to insert an nginx location, right?

I hope for a little more help to resolve this issue. Thanks.
I'm following what your post says, I believe, but it is still not working.
Any idea why?
 
RESOLVED.
I took the right path from SSH; it was not /var/www/vhosts/httpdocs/subdomains/livechat.domain.ext/livechat/

Thank you very much!
I'm really happy about this help!

Please say thank you to the developers as well.
 