FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
Adryan_you
Staff
Article Id 334589
Description This article describes the workaround to the issue of HTTPS websites failing to load when 'Strict-Web-Check' is enabled.
Scope FortiProxy.
Solution

Strict-Web-Check inspects and blocks HTTP headers that do not conform to HTTP/1.1. After upgrading FortiProxy from 2.0 to 7.0, if the website HTTP header uses HTTP/2 with multiple cookies, the website content fails to load and the browser shows the error:

ERR_CONNECTION_CLOSED

This is confirmed via WAD debug:

service=mail&passive=1209600&osid=1&continue=https://mail.google.com/mail/u/0/&followup=https://mail.google.com/mail/u/0/&emr=1 enc_len=101,huf=1
fmt:idxIDX name idx=24, cache-control:max-age=0 enc_len=7,huf=1
fmt:nmIDX enc_len=7,huf=1,name =sec-ch-ua:"Google Chrome";v="125", "Chromium";v="125", "Not.A/Brand";v="24" enc_len=56,huf=1
....
....
fmt:idxIDX name idx=16, accept-encoding:gzip, deflate, br, zstd enc_len=18,huf=1
fmt:idxIDX name idx=17, accept-language:ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 enc_len=28,huf=1
fmt:idxIDX name idx=32, cookie:__Host-GAPS=1:_rJTdnX841J0Gl7BpwUHNHOj6rewwg:8bJ7ATOPe8xrrEhY enc_len=49,huf=1
fmt:idxIDX name idx=32, cookie:OTZ=7614931_20_20__20_ enc_len=16,huf=1
[I][p:5600][s:983239502][r:201327373] wad_h2_msg_hdr_fld_learn :236 failed with err=mal-header. <--
[E][p:5600][s:983239502][r:201327373] wad_h2_parse_hdrs :770 conn=0x7f6e159946a0, hearder parsing error
[V][p:5600][s:983239502][r:201327373] wad_h2_strm_task_end :382 h2_strm(0x7f6e170004f0) is closing.

The workaround is to set the SSL deep inspection profile to use HTTP/1.1:

config firewall ssl-ssh-profile
    edit "custom2"
        config https
            set ports 443
            set status deep-inspection
        end
.....
.....
        config dot
            set status disable
        end
        set supported-alpn http1-1 <--
    next
end
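
To check whether a saved WAD debug capture shows the same condition as the excerpt above, the following added example (not Fortinet code) finds each err=mal-header event and counts the cookie fields decoded just before it. The line formats are assumed from the excerpt in this article, the sample log is constructed, and header lines are assumed to directly precede the error line of the same stream.

```python
import re
from collections import Counter

# Line shapes assumed from the WAD debug excerpt in this article.
FIELD = re.compile(r"^fmt:\w+ .*?(?:idx=\d+, |name =)(:?[\w-]+):")
TAGGED = re.compile(r"^\[\w\]\[p:(\d+)\]\[s:(\d+)\]\[r:(\d+)\]")

# Constructed sample: session IDs, addresses and cookie values are made up.
SAMPLE = """\
fmt:idxIDX name idx=16, accept-encoding:gzip, deflate, br, zstd enc_len=18,huf=1
fmt:idxIDX name idx=32, cookie:SID=constructed-value-1 enc_len=49,huf=1
fmt:idxIDX name idx=32, cookie:PREF=constructed-value-2 enc_len=16,huf=1
[I][p:5600][s:1001][r:2001] wad_h2_msg_hdr_fld_learn :236 failed with err=mal-header.
[E][p:5600][s:1001][r:2001] wad_h2_parse_hdrs :770 conn=0x7f0000000000, hearder parsing error
fmt:idxIDX name idx=32, cookie:ONLY=constructed-value-3 enc_len=20,huf=1
fmt:idxIDX name idx=16, accept-encoding:gzip enc_len=4,huf=1
"""

def find_mal_header_events(text):
    """Return one dict per err=mal-header line, describing the header
    fields that were decoded immediately before it."""
    events, pending = [], Counter()
    for line in text.splitlines():
        field = FIELD.match(line)
        if field:
            # Decoded HPACK field line: remember the header name.
            pending[field.group(1).lower()] += 1
            continue
        tagged = TAGGED.match(line)
        if not tagged:
            continue  # truncated or unrelated line
        if "err=mal-header" in line:
            events.append({
                "session": tagged.group(2),
                "request": tagged.group(3),
                "cookie_fields": pending["cookie"],
                "repeated": sorted(n for n, c in pending.items() if c > 1),
            })
        # Any tagged log line ends the current header block.
        pending = Counter()
    return events

if __name__ == "__main__":
    for event in find_mal_header_events(SAMPLE):
        print(event)
```

An event with `cookie_fields` of 2 or more matches the case described in this article; an event with fewer points to a different cause for the parse failure.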