1

I'm currently running a mix of different services under different subdomains:

a.example.com: Docker container behind nginx proxy

b.example.com: nginx site

c.example.com: Docker container behind nginx proxy

a and c share the same IPv4, b has its own IPv4, while a, b and c all use different IPv6 addresses. All of them are SSL secured, non-SSL traffic is redirected by nginx (via 301) to the SSL secured site.

All of them are secured via HSTS (optional "includeSubdomains" is not set).

Now, to my problem

  1. Open https://a.example.com via firefox -> works
  2. Open https://b.example.com via firefox -> works
  3. Open https://a.example.com via firefox -> doesn't work, it shows b.example.com instead. Seems that firefox somehow caches b.example.com. If I press shift+reload, firefox loads the correct a.example.com site.

This is a firefox specific problem. The above works flawlessly with Chrome, Vivaldi, MS Edge (Chromium based). It even works fine with wget. I have no clue what causes firefox to grab the wrong site out of its storage.

Any help is kindly appreciated.

MK99
  • Have you logged the output of the developer console in each browser and looked at request URLs vs target URL location? Are the browsers all requesting the same resource and following the same responses the same way? That should provide more hints as to what is occurring. I would also compare the console logs to the nginx access logs. – Aaron Feb 19 '21 at 15:48
  • Thanks, Aaron. That helped me to track down that it's an IPv6 related problem. It does not occur when using IPv4. I'll investigate further, thanks for the hint... – MK99 Feb 19 '21 at 16:45
  • Cool, glad you figured it out. – Aaron Feb 19 '21 at 16:53

1 Answer

0

In case anyone experiences the same issue: It's a firefox bug, more details here: https://matthias.wuerfl.com/firefox-http2-ipv6-pitfall/

Summary:

Conditions

  • two (or more) subdomains (same domain)
  • …share a common wildcard ssl certificate
  • on the same host (same IPv4-address)
  • but with different IPv6-addresses
  • client: Firefox (only Firefox has this behavior)
  • use HTTP/2
  • use IPv6

Expected behavior:

  • foo.example.com in location bar shows foo.example.com
  • bar.example.com in location bar shows bar.example.com

Seen behavior

Requests for the second host (bar) go to the first host (foo).

Explanation

With HTTP/2 Firefox shares connections to webservers ("pooling") to speed up page loading by omitting handshake and TCP slow start. Firefox determines which connections can be pooled together not by looking at the hostname, but by looking at the IPv4-address and the certificate. If the IPv4 address of the second host (bar) matches the IPv4-address of the first host (foo) AND the certificate used for foo also matches bar then the connection to foo is reused for bar.

Problem

The webserver may not be configured to show the contents of bar when someone connects to the IPv6 address of foo. Webserver administrators who were happy about the fact that with IPv6 there’s no need for SNI and name based virtual hosting anymore (like me) may have configured their webservers in the false assumption that if an IPv6 address is published for hostname foo incoming connections to that host will go to that IP address.

The behavior of Firefox is highly unexpected – or simply wrong.

MK99
  • More background: https://daniel.haxx.se/blog/2016/08/18/http2-connection-coalescing/ and also here: https://www.bbc.co.uk/blogs/internet/entries/9c036dbd-4443-43c6-b8f7-64e5b518fc92 – Barry Pollard Feb 22 '21 at 19:41
  • Thanks, Barry, I wish I had found that earlier. Great explanation and you can surely discuss if the Firefox behaviour is a bug or just aggressive coalescing. Anyway, really helpful links. – MK99 Feb 23 '21 at 08:00
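
Added example (not part of the original answer or the linked posts): a small audit that applies the conditions listed in the answer to a host inventory and reports which hosts can receive requests on a connection that was opened to a different host. The inventory, its addresses (documentation ranges) and the function names are constructed for illustration.

```python
from itertools import permutations

# Constructed inventory (documentation address ranges); in practice fill it
# from DNS A/AAAA lookups and the SAN list of each vhost's certificate.
INVENTORY = {
    "foo.example.com": {"a": {"192.0.2.10"}, "aaaa": {"2001:db8::a"}, "san": ["*.example.com"]},
    "bar.example.com": {"a": {"192.0.2.10"}, "aaaa": {"2001:db8::b"}, "san": ["*.example.com"]},
    "baz.example.com": {"a": {"192.0.2.20"}, "aaaa": {"2001:db8::c"}, "san": ["*.example.com"]},
    "own.example.com": {"a": {"192.0.2.10"}, "aaaa": {"2001:db8::d"}, "san": ["own.example.com"]},
}

def cert_covers(san, host):
    """True if one SAN entry is valid for host; '*' matches exactly one left-most label."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return san == host

def coalescing_risks(inventory):
    """Return sorted (first, second) pairs where a connection opened to `first`
    may be reused for `second` and land on an IPv6 address that only serves `first`."""
    risks = []
    for first, second in permutations(inventory, 2):
        f, s = inventory[first], inventory[second]
        shares_ipv4 = bool(f["a"] & s["a"])            # same IPv4 address
        cert_ok = any(cert_covers(name, second) for name in f["san"])  # first's cert matches second
        v6_only_first = bool(f["aaaa"] - s["aaaa"])    # first has an IPv6 address second lacks
        if shares_ipv4 and cert_ok and v6_only_first:
            risks.append((first, second))
    return sorted(risks)

if __name__ == "__main__":
    for first, second in coalescing_risks(INVENTORY):
        print(f"{second}: requests may arrive on the connection opened to {first}")
```

Note that the check is directional: own.example.com is flagged as a target of foo and bar because their wildcard certificate covers it, even though its own certificate covers nobody else. For each flagged pair, either serve the second host on the first host's IPv6 listener as well, or have that listener answer requests for other hostnames with 421 Misdirected Request so the client retries on a new connection.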