IIS10 on 2019 server running fastcgi app. HTTP/2 does not work. Returns 0 bytes

andyp 1 Reputation point
2021-08-15T16:35:35.037+00:00

Config:

Running a Python (3.9) Django (3.2) app on IIS10 Windows Server 2019 fully patched.
Using a Let's Encrypt wildcard cert with TLS 1.2 as minimum cypher.
ISAPI and .NET are not loaded.
Server is an Azure Windows VM with port 443 open. The SSL cert is loaded and working fine and https using Chrome is working.
Have run IIS Crypto and used best practices with the only change being TLS 1.0 and TLS 1.1 disabled.
StaticContent is enabled.
Both static and dynamic compression are disabled. (However enabling them did not solve the problem).
Application Pool set to 'No managed code' and pipeline 'integrated'

Problem:

Everything works fine until I try to enable HTTP/2 by unchecking 'Disable HTTP/2' in the port 443 bindings. Port 80 (http) is disabled.

Logging:

Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip cs-version cs(Referer) cs-host sc-status sc-substatus sc-bytes cs-bytes time-taken

With HTTP/2 enabled:

2021-08-15 16:12:58 GET /favicon.ico - 443 172.70.114.30 HTTP/2 https://xxxx/add.png?1629043803015 public.xxxx.com 200 0 0 906 2

Without HTTP/2 enabled:

2021-08-15 16:13:32 GET /favicon.ico - 443 172.70.114.30 HTTP/1.1 https://xxxx/add.png?1629043803015 public.xxxx.com 200 0 680 941 164

Both return a 200 status, however the HTTP/2 returns 0 bytes and the HTTP/1.1 returns the correct 680 bytes.
No settings or code was changed between the two runs except the 'Disable HTTP/2' setting.
No error logged in Event Logs

Questions:

Do I need ISAPI or .NET to get HTTP/2 to work correctly?
Is there another setting I am missing?

Thanks for any help.

Internet Information Services
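The comparison made in the question can be run over a whole log file rather than two hand-picked lines. The following is an added example, not part of the original post: it parses IIS W3C log text using the Fields line and counts, per protocol version, GET requests logged with status 200 and sc-bytes of 0. The function names are hypothetical and the sample input is the two log lines quoted in the question.

```python
"""Flag IIS W3C log entries that report success but have sc-bytes of 0."""
from collections import Counter

# Log text as quoted in the question (host names were already masked there).
SAMPLE_LOG = """\
Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip cs-version cs(Referer) cs-host sc-status sc-substatus sc-bytes cs-bytes time-taken
2021-08-15 16:12:58 GET /favicon.ico - 443 172.70.114.30 HTTP/2 https://xxxx/add.png?1629043803015 public.xxxx.com 200 0 0 906 2
2021-08-15 16:13:32 GET /favicon.ico - 443 172.70.114.30 HTTP/1.1 https://xxxx/add.png?1629043803015 public.xxxx.com 200 0 680 941 164
"""


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the Fields line."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Log files write "#Fields:"; the post shows it without the "#".
        if line.lstrip("#").startswith("Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software or #Date
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def empty_successes(entries):
    """Return GET entries with status 200 whose sc-bytes is 0."""
    return [e for e in entries
            if e.get("cs-method") == "GET"
            and e.get("sc-status") == "200"
            and e.get("sc-bytes") == "0"]


def summarize(text):
    """Map protocol version -> (empty 200 responses, total requests)."""
    entries = list(parse_w3c(text))
    total = Counter(e["cs-version"] for e in entries)
    empty = Counter(e["cs-version"] for e in empty_successes(entries))
    return {version: (empty[version], total[version]) for version in total}


if __name__ == "__main__":
    for version, (empty, total) in summarize(SAMPLE_LOG).items():
        print(f"{version}: {empty} of {total} requests were 200 with 0 bytes")
```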

2 answers

  1. Bruce Zhang-MSFT 3,741 Reputation points
    2021-08-16T02:53:34.3+00:00

    Hi @andyp ,

    Did all other requests return 0 bytes like favicon.ico request?

    It looks more like the cause described in this doc. When compression is enabled on a server running IIS, and a HyperText Transfer Protocol (HTTP) request is served from the IIS compression directory, a 0-byte file may be returned instead of the expected file. You may only see these symptoms if HTTP Static Compression is enabled.

    In these situations, http/2.0 is not supported on IIS. Windows will fall back to HTTP/1.1 and continue the transaction.

    • Windows authentication (NTLM/Kerberos/Negotiate) is not supported with HTTP/2. In this case IIS will fall back to HTTP/1.1.
    • Clear text - as mentioned above, IIS currently only supports HTTP/2 over TLS. Again, IIS will fall back to HTTP/1.1.
    • Bandwidth throttling - IIS has a feature to limit bandwidth (in Inetmgr, select the site, 'Limits' under Configure of the Action pane). This applies to HTTP/1.1 but is not enforced for HTTP/2 (will proceed with no errors or bandwidth limiting).

    According to the docs about ISAPI and HTTP/2, there is nothing that needs to be set for HTTP/2. If you use ISAPI to get HTTP/2, the library was written a long time ago, and was writing the headers and body using the WriteClient method. You need to refactor the code to use the ServerSupportFunction with the HSE_REQ_VECTOR_SEND request function to write headers and body.

    Please enable failed request tracing to check the process of response.

    Best regards,
    Bruce Zhang

    1 person found this answer helpful.

  2. andyp 1 Reputation point
    2021-08-16T03:38:24.283+00:00

    Thanks for the reply.

    Static Compression is disabled.
    Dynamic Compression is disabled.

    Static files return status code 200 and 0 bytes.

    html documents return error 500 and 0 bytes. However, the application does not show any errors or exceptions.

    ISAPI is not installed. Not using Windows authentication or clear text. Only using TLS 1.2.

    Failed trace: First occurrence of errors:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="WWW Server" Guid="{3A2A4E84-4C21-4981-AE10-3FDA0D9B0F83}"/>
    <EventID>0</EventID>
    <Version>1</Version>
    <Level>3</Level>
    <Opcode>16</Opcode>
    <Keywords>0x100</Keywords>
    </System>
    <EventData>
    <Data Name="ContextId">{800000F8-0001-FA00-B63F-84710C7967BB}</Data>
    <Data Name="ModuleName">FastCgiModule</Data>
    <Data Name="Notification">128</Data>
    <Data Name="HttpStatus">500</Data>
    <Data Name="HttpReason">Internal Server Error</Data>
    <Data Name="HttpSubStatus">0</Data>
    <Data Name="ErrorCode">2147942464</Data>
    <Data Name="ConfigExceptionInfo"></Data>
    </EventData>
    <RenderingInfo Culture="en-US">
    <Opcode>MODULE_SET_RESPONSE_ERROR_STATUS</Opcode>
    <Keywords>
    <Keyword>RequestNotifications</Keyword>
    </Keywords>
    <freb:Description Data="Notification">EXECUTE_REQUEST_HANDLER</freb:Description>
    <freb:Description Data="ErrorCode">The specified network name is no longer available.
    (0x80070040)</freb:Description>
    </RenderingInfo>
    </Event>
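The trace event above carries the error as a decimal ErrorCode, while the rendered description shows it in hex. The following is an added example, not part of the original post: it reads the EventData values of such an event and splits the ErrorCode into its HRESULT fields, showing that 2147942464 is 0x80070040, a failure in the Win32 facility with error code 64. The function names are hypothetical, and the sample event is cut down to the EventData values quoted in the post.

```python
"""Decode the ErrorCode of a Failed Request Tracing event as an HRESULT."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# EventData portion of the event quoted in the post (values from the post).
SAMPLE_EVENT = """\
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<EventData>
<Data Name="ModuleName">FastCgiModule</Data>
<Data Name="HttpStatus">500</Data>
<Data Name="HttpSubStatus">0</Data>
<Data Name="ErrorCode">2147942464</Data>
</EventData>
</Event>
"""

FACILITY_WIN32 = 7  # HRESULTs that wrap a Win32 error code use facility 7


def event_data(xml_text):
    """Return the <Data Name="..."> values of one event as a dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}


def decode_hresult(value):
    """Split a 32-bit HRESULT into its severity, facility and code fields."""
    value &= 0xFFFFFFFF
    return {
        "hex": f"0x{value:08X}",
        "failure": bool(value >> 31),       # bit 31: severity
        "facility": (value >> 16) & 0x7FF,  # bits 16-26: facility
        "code": value & 0xFFFF,             # bits 0-15: error code
    }


def describe(xml_text):
    """Return (module, HTTP status, HRESULT in hex, Win32 code or None)."""
    data = event_data(xml_text)
    hr = decode_hresult(int(data["ErrorCode"]))
    win32 = hr["code"] if hr["facility"] == FACILITY_WIN32 else None
    return data["ModuleName"], data["HttpStatus"], hr["hex"], win32


if __name__ == "__main__":
    print(describe(SAMPLE_EVENT))
```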