Nginx – Website response from Nginx empty over TLS in firefox, but fine over http and in other browsers

firefoxlets-encryptnginxnode.jsssl-certificate

I already posted here: https://stackoverflow.com/questions/41138169/website-does-not-open-in-firefox-no-error-opens-in-chrome-and-safari-though but I guess serverfault might actually be the better place to ask.

My problem:
My website veare.de works fine over https in chrome and safari, however it does not work in firefox. I get an empty response body from the request.
It does work over http though.

My setup:

I have an ubuntu 16.04 server running Docker with an Nginx 1.11.6 container as a proxy to my node server which returns static sites.

I have an ssl cert from let's encrypt.

My nginx config is the following

############################
#
# Redirect all www to non-www
#
#
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.veare.de;
    ssl_certificate /etc/letsencrypt/live/www.veare.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.veare.de/privkey.pem;
    return 301 https://veare.de$request_uri;
}
##########################
# HTTPS
server {
    server_name veare.de;
    ssl_certificate /etc/letsencrypt/live/veare.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/veare.de/privkey.pem;

    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

# access_log
    access_log            /var/log/nginx/access.log;
    # proxy_pass config
    location / {
        # include proxy presets
        include /etc/nginx/includes/proxy.conf;
        proxy_pass              http://lukasoppermann.com$uri;
    }

    ssl_dhparam /etc/letsencrypt/dhparam.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    #ssl_session_tickets off;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES1$
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    # set expire header for static files
    # include /etc/nginx/includes/expire_header.conf;
    # Default Content Security Policy
    include /etc/nginx/includes/csp.conf;

    root         /var/www/html;

}

Do you have any idea what it could be? Please let me know if you need more info. Thanks.

Best Answer

Okay, thanks to @Tim I found it out. Firefox choked on my CSP header.

I actually had it set like this:

add_header Content-Security-Policy "
    default-src 'self';
    script-src 'self' www.google-analytics.com;
    img-src 'self' www.google-analytics.com data:;
    style-src 'self' 'unsafe-inline' fonts.googleapis.com;
    font-src 'self' fonts.gstatic.com;
    frame-src 'self';
    connect-src 'self' apis.google.com;
    object-src 'none';
    report-uri https://veare.report-uri.io/r/default/csp/enforce
";

Which apparently works in all browser but Firefox. Setting it like so fixed it:

add_header Content-Security-Policy "default-src 'self'; script-src 'self' www.google-analytics.com; img-src 'self' www.google-analytics.com data:;style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src 'self' fonts.gstatic.com; child-src 'self'; connect-src 'self' apis.google.com; object-src 'none'; report-uri https://veare.report-uri.io/r/default/csp/enforce";

Thanks again for the help.

Related Solutions

Nginx has ssl module, but thinks it doesn’t

You are missing the SSL on directive.

http://wiki.nginx.org/HttpSslModule

Nginx/Apache: set HSTS only if X-Forwarded-Proto is https

You could have multiple server blocks. So just add new server block for domains that need HSTS.

server {
    listen xx.xx.xxx.xxx:443 ssl default_server;

    # all ssl stuff
    # and other directives
}

server {
    listen xx.xx.xxx.xxx:443 ssl;
    server_name example.com other.example.com;

    # all ssl stuff
    # and other directives with HSTS enabled
}

Here first block will handle all https connections except example.com and other.example.com.

And you don't need ssl on directive if you have ssl flag in listen.

EDIT

There is another solution with only one server block:

map $scheme:$host $hsts_header {
    default "";
    https:example.com "max-age=31536000";
    https:other.example.com "max-age=31536000";
}

server {
    server_tokens off;

    listen xx.xx.xxx.xxx:80;
    listen xx.xx.xxx.xxx:443 ssl;

    ssl_certificate /etc/ssl/foo.crt;
    ssl_certificate_key /etc/ssl/private/foo.key;

    ssl_session_timeout 10m;

    # ... other ssl stuff

    location / {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header Host $host;
        add_header X-XSS-Protection "1; mode=block";
        add_header Strict-Transport-Security $hsts_header;
    }
}

We use map to define HSTS header value and use the fact, than nginx will not add header with empty value.

Best Answer

Related Solutions

Nginx has ssl module, but thinks it doesn’t

Nginx/Apache: set HSTS only if X-Forwarded-Proto is https

Related Topic