
I already posted here: https://stackoverflow.com/questions/41138169/website-does-not-open-in-firefox-no-error-opens-in-chrome-and-safari-though but I guess serverfault might actually be the better place to ask.

My problem: My website veare.de works fine over https in chrome and safari, however it does not work in firefox. I get an empty response body from the request. It does work over http though.

My setup:

I have an ubuntu 16.04 server running Docker with an Nginx 1.11.6 container as a proxy to my node server which returns static sites.

I have an ssl cert from let's encrypt.

My nginx config is the following:

############################
#
# Redirect all www to non-www
#
#
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.veare.de;
    ssl_certificate /etc/letsencrypt/live/www.veare.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.veare.de/privkey.pem;
    return 301 https://veare.de$request_uri;
}
##########################
# HTTPS
server {
    server_name veare.de;
    ssl_certificate /etc/letsencrypt/live/veare.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/veare.de/privkey.pem;

    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

# access_log
    access_log            /var/log/nginx/access.log;
    # proxy_pass config
    location / {
        # include proxy presets
        include /etc/nginx/includes/proxy.conf;
        proxy_pass              http://lukasoppermann.com$uri;
    }

    ssl_dhparam /etc/letsencrypt/dhparam.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    #ssl_session_tickets off;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES1$
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    # set expire header for static files
    # include /etc/nginx/includes/expire_header.conf;
    # Default Content Security Policy
    include /etc/nginx/includes/csp.conf;

    root         /var/www/html;

}

Do you have any idea what it could be? Please let me know if you need more info. Thanks.

  • With Firefox it's often an intermediate certificate issue, use a couple of SSL diagnosis websites to work that out - Google "SSL Check", example https://www.ssllabs.com/ssltest/. Right now it forwards from https to http so I can't check it for you. – Tim Dec 19 '16 at 18:00
  • Hey @Tim, I don't think it redirects. I did try those before already, but it seems pretty fine: https://www.ssllabs.com/ssltest/analyze.html?d=veare.de – Lukas Oppermann Dec 19 '16 at 18:24
  • Must have typed it wrong. Firefox doesn't even seem to connect for me. Can you post an access log entry, and check the error log for the same time? – Tim Dec 19 '16 at 18:29
  • Hmm, there is nothing in the error log. From the access log: `84.191.2.205 - - [19/Dec/2016:18:36:26 +0000] "GET / HTTP/2.0" 200 45379 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:50.0) Gecko/20100101 Firefox/50.0"` Does that help? When I visit with chrome I get all other requests as well (resources, etc.) – Lukas Oppermann Dec 19 '16 at 18:39
  • I wonder if it's a browser compatibility issue, since the page is returned ok. I used curl with the Firefox user agent and it worked fine, no certificate warnings. – Tim Dec 19 '16 at 19:06
  • I don't think that, otherwise other pages would be dead too. Don't you rather think I messed something up with the nginx config? – Lukas Oppermann Dec 19 '16 at 19:19
  • Try adding protocols and ciphers to see if that fixes things, or removing the lines and using the default. Then maybe try removing other things that restrict, such as HSTS, SSL caches, OCSP stapling etc. Strip it back to bare minimum. Process of elimination. – Tim Dec 19 '16 at 19:28
  • Well, stupid me. I tried with the version from the mozilla generator, but it failed. However, I did not try your approach. Removing basically everything works. I will update once I've found the solution. – Lukas Oppermann Dec 19 '16 at 19:30

1 Answer

Okay, thanks to @Tim I found it out. Firefox choked on my CSP header.

I actually had it set like this:

add_header Content-Security-Policy "
    default-src 'self';
    script-src 'self' www.google-analytics.com;
    img-src 'self' www.google-analytics.com data:;
    style-src 'self' 'unsafe-inline' fonts.googleapis.com;
    font-src 'self' fonts.gstatic.com;
    frame-src 'self';
    connect-src 'self' apis.google.com;
    object-src 'none';
    report-uri https://veare.report-uri.io/r/default/csp/enforce
";

Which apparently works in all browsers but Firefox. Setting it like so fixed it:

add_header Content-Security-Policy "default-src 'self'; script-src 'self' www.google-analytics.com; img-src 'self' www.google-analytics.com data:;style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src 'self' fonts.gstatic.com; child-src 'self'; connect-src 'self' apis.google.com; object-src 'none'; report-uri https://veare.report-uri.io/r/default/csp/enforce";

Thanks again for the help.
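The root cause in the answer above is that a quoted nginx `add_header` value spanning several lines carries its newlines straight into the HTTP header field value, and a header value must not contain bare CR or LF. The following Python script is an added example (not code from the question, the answer or nginx) that does two things a defender would want: it scans nginx configuration text for `add_header` values that embed line breaks, and it parses and re-serialises such a CSP value into the single-line form the answer arrived at. The `MULTILINE_CSP` string is constructed here to mirror the broken header from the answer; `check_nginx_add_header`, `parse_csp` and `normalize_csp` are hypothetical helper names.

```python
import re

# Constructed sample: the multi-line CSP value as it sat inside the quoted
# add_header argument in the answer. The embedded "\n" characters are exactly
# what ends up in the HTTP response header, which is the defect.
MULTILINE_CSP = (
    "\n    default-src 'self';\n"
    "    script-src 'self' www.google-analytics.com;\n"
    "    img-src 'self' www.google-analytics.com data:;\n"
    "    style-src 'self' 'unsafe-inline' fonts.googleapis.com;\n"
    "    font-src 'self' fonts.gstatic.com;\n"
    "    frame-src 'self';\n"
    "    connect-src 'self' apis.google.com;\n"
    "    object-src 'none';\n"
    "    report-uri https://veare.report-uri.io/r/default/csp/enforce\n"
)


def has_line_breaks(header_value):
    """True if the value contains a bare CR or LF, which HTTP header values forbid."""
    return "\r" in header_value or "\n" in header_value


def parse_csp(header_value):
    """Split a CSP value into an ordered {directive-name: [source expressions]} dict.

    Directives are separated by ';' and tokens by any whitespace, so the
    embedded newlines of a multi-line value are simply treated as separators.
    """
    directives = {}
    for raw in header_value.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name, *sources = tokens
        directives[name.lower()] = sources
    return directives


def serialize_csp(directives):
    """Rebuild a single-line CSP value: 'name src src; name src; ...'."""
    return "; ".join(" ".join([name, *srcs]) for name, srcs in directives.items())


def normalize_csp(header_value):
    """Return the same policy with all line breaks and stray whitespace removed."""
    return serialize_csp(parse_csp(header_value))


# Matches: add_header <Name> "<quoted value>";  (the value may span lines)
_ADD_HEADER = re.compile(r'add_header\s+(\S+)\s+"([^"]*)"\s*;')


def check_nginx_add_header(conf_text):
    """Return one finding per add_header whose quoted value spans lines."""
    findings = []
    for match in _ADD_HEADER.finditer(conf_text):
        name, value = match.group(1), match.group(2)
        if has_line_breaks(value):
            findings.append(
                f"{name}: quoted value contains line breaks; "
                f"use a single-line value instead: {normalize_csp(value)}"
            )
    return findings


if __name__ == "__main__":
    # Constructed nginx snippet wrapping the sample value above.
    conf = 'add_header Content-Security-Policy "' + MULTILINE_CSP + '";'
    for finding in check_nginx_add_header(conf):
        print(finding)
```

Run it against a real `nginx.conf` (or the output of `nginx -T`) by reading the file into `check_nginx_add_header`; a clean configuration yields an empty list. The re-serialised value keeps the directive order and source lists of the original, so the fix changes only the framing of the header, not the policy being enforced.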