OLS Version: 1.9.0
OS: Debian 12 (Kernel 6.1.164-1)
Problem:
PHP-set response headers (specifically CORS headers) are stripped
when the request arrives over QUIC/HTTP3. The same PHP code produces
correct headers over HTTP/2.
Evidence from OLS error log:
Both H2 and QUIC requests call the same PHP file (confirmed via STDERR):
HTTP/2: [H2-1#:lsapi] [STDERR] [log.php] called
QUIC: [-Q:EC9CFEBAB33ABEDD-0#:lsapi] [STDERR] [log.php] called
But only HTTP/2 responses include the PHP-set CORS headers.
Browser comparison:
- Microsoft Edge → uses HTTP/2 → CORS headers present → works ✓
- Google Chrome → uses QUIC → CORS headers missing → blocked ✗
This rules out a browser bug — both browsers receive different
headers from the same server for the same PHP code.
curl verification:
curl (HTTP/2): access-control-allow-origin present ✓
curl (HTTP/1.1): access-control-allow-origin present ✓
Workaround:
Disabled HTTP3 in vHost SSL settings (ALPN → HTTP/2 only).
OLS Version: 1.9.0
OS: Debian 12 (Kernel 6.1.164-1)
Problem:
PHP-set response headers (specifically CORS headers) are stripped
when the request arrives over QUIC/HTTP3. The same PHP code produces
correct headers over HTTP/2.
Evidence from OLS error log:
Both H2 and QUIC requests call the same PHP file (confirmed via STDERR):
HTTP/2: [H2-1#:lsapi] [STDERR] [log.php] called
QUIC: [-Q:EC9CFEBAB33ABEDD-0#:lsapi] [STDERR] [log.php] called
But only HTTP/2 responses include the PHP-set CORS headers.
Browser comparison:
This rules out a browser bug — both browsers receive different
headers from the same server for the same PHP code.
curl verification:
curl (HTTP/2): access-control-allow-origin present ✓
curl (HTTP/1.1): access-control-allow-origin present ✓
Workaround:
Disabled HTTP3 in vHost SSL settings (ALPN → HTTP/2 only).