err_http2_protocol_error on node production preview since RC 12

[pinchtools]

Environment

app # npx nuxi info
Nuxi 3.0.0-rc.12
RootDir: /app
Nuxt project info:

---

• Operating System: Linux
• Node Version: v16.18.0
• Nuxt Version: 3.0.0-rc.12
• Nitro Version: 0.6.0
• Package Manager: npm@8.19.2
• Builder: vite
• User Config: modules, buildModules, runtimeConfig, image, nitro
• Runtime Modules: @nuxt/image-edge@1.0.0-27768165.4b0219a
• Build Modules: @pinia/nuxt@0.4.3

---

Reproduction

I've got the problem on kubernetes in production environnement using https.
I'm using the default node-server and run 'nuxi preview' to start the server.
No errors logs are displayed running the server.
Please also note that I try to set NITRO_HOST to '0.0.0.0' without success.
Despite logging
Listening http://[0.0.0.0]:3000
Instead of
Listening http://[::]:3000

Describe the bug

Chrome show me a ERR_HTTP2_PROTOCOL_ERROR error.

It's more verbose with Curl.
I've changed the domain name for the exemple

curl -vvv -I https://try.nuxt.com --http2

*   Trying 66.77.888.99:443...
* TCP_NODELAY set
* Connected to try.nuxt.com (66.77.888.99) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=try.nuxt.com
*  start date: Sep  4 18:02:33 2022 GMT
*  expire date: Dec  3 18:02:32 2022 GMT
*  subjectAltName: host "try.nuxt.com" matched cert's "*.try.nuxt.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x562fec3c12f0)
> HEAD / HTTP/2
> Host: try.nuxt.com
> user-agent: curl/7.68.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)
* stopped the pause stream!
* Connection #0 to host try.nuxt.com left intact
curl: (92) HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)

And using the RC 11

*   Trying 66.77.888.99:443...
* TCP_NODELAY set
* Connected to try.nuxt.com (66.77.888.99) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=try.nuxt.com
*  start date: Sep  4 18:02:33 2022 GMT
*  expire date: Dec  3 18:02:32 2022 GMT
*  subjectAltName: host "try.nuxt.com" matched cert's "*.try.nuxt.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5592cdf452f0)
> HEAD / HTTP/2
> Host: try.nuxt.com
> user-agent: curl/7.68.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 301 
HTTP/2 301 
< date: Fri, 21 Oct 2022 13:33:58 GMT
date: Fri, 21 Oct 2022 13:33:58 GMT
< content-type: text/html;charset=UTF-8
content-type: text/html;charset=UTF-8
< location: /en-us
location: /en-us
< x-powered-by: Nuxt
x-powered-by: Nuxt
< server-timing: -;dur=0;desc="Generate"
server-timing: -;dur=0;desc="Generate"
< strict-transport-security: max-age=15724800; includeSubDomains
strict-transport-security: max-age=15724800; includeSubDomains

< 
* Connection #0 to host try.nuxt.com left intact

Additional context

No response

Logs

No response

[danielroe]

Would you try setting experimental.writeEarlyHints to false?

[jgupta]

@pinchtools Does your production server uses Nginx? It looks like #15189

[pinchtools]

Yes @jgupta the ingress (in front of my pods on k8s) use a nginx server who's balancing the traffic on pods. And those pods only have the node server listening

[pinchtools]

experimental.writeEarlyHints to false works @danielroe thanks a lot.
I'm not sure to understand why, do you have an explanation?

[danielroe]

let's track in #15189.