Solved HTTP/2 (duckduckgo.com) fails to work

I just perceived a strange networking error: duckduckgo.com does not load.
The error is on the CSS stylesheet https://duckduckgo.com/s.3a31b4d3f83e98eb7e10.css:

"Blocked by DevTools" NS_ERROR_NET_PARTIAL_TRANSFER Transferred 16,99 kB (57,63 kB size)

It always transfers 16.99 kB, and it is always this file. The file loads fine with fetch or in a separate page, it is ~180kB size.

This problem did appear recently, and the difficulty is that lots of things were changed.
  • 13.2 p4 was installed (shouldn't matter, it doesn't look like there is anything in that would concern me)
  • 2023Q4 ports were upgraded (including firefox)
  • I did a cleanup on all the profile/bashrc/cshrc files, on that occasion I decided to change some DISPLAY=:0.0 to DISPLAY=hostname:0.0 for manageability. This is NOT a good idea, because it makes the display traffic run through the TCP stack instead of a unix socket, and then one might see traffic like 400 MB/s appearing on lo0 for a simple webpage load (and all that may then run through at least the first rules of the firewall). But nevertheless it should work, so I left it in for now.
  • In fact it didn't work. Because, in 13.2 one might see this message:
    WARNING: Adding ifaddrs to all fibs has been turned off by default. Consider tuning net.add_addr_allfibs if needed
    That means, when you configure an iface to an address with ifconfig, a route is added for the local ip - that looks like that:
    Code:
    192.168.1.1        link#3             UHS         lo0
    This is no longer done for additional fibs, and you have to do it yourself. And I hadn't done it for all the local ip's, so the traffic was instead sent to nexthop, and there blocked as bogus by the firewall. So I fixed that.
  • My telco has -for the second time already- done an unsolicited change in switching my uplink from ADSL to VDSL. Sunday midnight suddenly my LAN fell apart. It is all DNSSEC/DANE and chained to the root servers, so it must fall apart when the uplink is gone. The support line told me no more than that there is a change ongoing and they can't tell what it is about, I should call customer service on Monday. But this time I was prepared and had another modem on the shelf that can do VDSL, and happily got online again. (Curious what happens next, VDSL is more expensive, and I didn't order that change.)
It is not even possible to revert all the modifications. So I looked into debugging the issue, and the first thing that caught my attention is the request showing version HTTP/2. I have not yet enabled HTTP/2 to be served on my own servers, this is something I still have to look into and fully understand. So for now I switched it off in firefox, and, voila, problem solved.

So, what can make HTTP/2 not properly load CSS (while it loads JS and PNG and other stuff of bigger size)?
 
"signature":"SURICATA STREAM Packet with invalid timestamp"
"category":"Generic Protocol Command Decode"
"severity":3
"action":"allowed"
"event_type":"drop"
"reason":"applayer error"

Oct 18 03:32:03 <user.notice> pkg[72854]: suricata upgraded: 6.0.13 -> 7.0.0
Zeroes at the end of the version are never a good idea.
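
Added example, not part of the thread: a small triage script that groups Suricata EVE drop events per flow and attaches the alert signatures seen on the same flow, so a flow dropped for "applayer error" can be spotted after an upgrade. The sample records are constructed; the nesting under "drop"/"alert", the flow_id and address values, and the second reason value are assumptions, and only the field names and the strings quoted above come from the thread.

```python
import json
from collections import defaultdict

# Constructed sample records (not from the thread). Field names follow the
# fragments quoted above; nesting, flow_id and addresses are assumptions.
SAMPLE_EVE = """\
{"event_type":"alert","flow_id":1001,"dest_ip":"203.0.113.10","dest_port":443,"alert":{"signature":"SURICATA STREAM Packet with invalid timestamp","category":"Generic Protocol Command Decode","severity":3,"action":"allowed"}}
{"event_type":"drop","flow_id":1001,"dest_ip":"203.0.113.10","dest_port":443,"drop":{"reason":"applayer error"}}
{"event_type":"drop","flow_id":1001,"dest_ip":"203.0.113.10","dest_port":443,"drop":{"reason":"applayer error"}}
{"event_type":"drop","flow_id":2002,"dest_ip":"198.51.100.7","dest_port":80,"drop":{"reason":"rules"}}
this line is truncated {"event_type":
"""

def field(rec, section, key):
    """Read key from rec[section] when nested, else from the top level."""
    sub = rec.get(section)
    if isinstance(sub, dict) and key in sub:
        return sub[key]
    return rec.get(key)

def summarize_drops(lines):
    """Group drop events per flow_id with the alert signatures on that flow."""
    flows = defaultdict(lambda: {"reasons": defaultdict(int),
                                 "signatures": set(), "dest": None})
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or partially written lines
        if not isinstance(rec, dict):
            continue
        fid, etype = rec.get("flow_id"), rec.get("event_type")
        if etype == "drop":
            reason = field(rec, "drop", "reason") or "unknown"
            flows[fid]["reasons"][reason] += 1
            flows[fid]["dest"] = (rec.get("dest_ip"), rec.get("dest_port"))
        elif etype == "alert":
            sig = field(rec, "alert", "signature")
            if sig:
                flows[fid]["signatures"].add(sig)
    # Flows that only alerted but were never dropped are not of interest here.
    return {fid: f for fid, f in flows.items() if f["reasons"]}

def flows_with_reason(summary, reason):
    """Return the sorted flow ids that were dropped for the given reason."""
    return sorted(fid for fid, f in summary.items() if reason in f["reasons"])

if __name__ == "__main__":
    summary = summarize_drops(SAMPLE_EVE.splitlines())
    for fid in flows_with_reason(summary, "applayer error"):
        f = summary[fid]
        print(fid, f["dest"], dict(f["reasons"]), sorted(f["signatures"]))
```
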

 