[GW] Respond 502 Bad Gateway when receiving HTTP_1_1_REQUIRED (#17423)

Co-authored-by: Max Phillips <[email protected]>

Author: kyouheicf

src/content/docs/cloudflare-one/faq/troubleshooting.mdx

@@ -174,3 +174,9 @@ To enable software rasterization:
 By default, the WARP client blocks outgoing SMTP traffic on port `25` to prevent users from abusing our service to send spam. Modern email service providers use port `587` or `465` to encrypt emails over a TLS/SSL connection. For more information, refer to [What SMTP port should be used?](https://www.cloudflare.com/learning/email-security/smtp-port-25-587/).
 
 If you need to unblock port `25`, contact your account team.
+
+## I see `502 Bad Gateway` when browsing to a website.
+
+This issue can occur when communicating with an origin that partially supports HTTP/2. In these scenarios, the connection from Gateway to the website starts using HTTP/2 but requests a downgrade to HTTP/1.1 for some requests. For example, servers such as [Microsoft Internet Information Services (IIS)](https://learn.microsoft.com/iis/get-started/whats-new-in-iis-10/http2-on-iis#when-is-http2-not-supported) do not support authentication over HTTP/2. When errors occur, the website may send back a `RST_STREAM` frame with the error code `HTTP_1_1_REQUIRED`, which indicates that the browser should retry the request over HTTP/1.1. Gateway translates any received upstream `RST_STREAM` frames to a pseudo socket close, so this appears as a `502 Bad Gateway` exception page. The browser will not indicate why it failed.
+
+Gateway does not support this downgrade mechanism. When receiving the `HTTP_1_1_REQUIRED` error code, Gateway will not reissue requests over HTTP/1.1. To make the connection from Gateway to the website successfully, you will need to disable HTTP/2 at the origin.