Eu tenho o nginx como proxy na frente do meu aplicativo para encerrar o TLS. Eu tenho que definir para ouvir a porta 80 e redirecionar para 443.
Originalmente, o Chromium faria download de um arquivo chamado "download" em vez de redirecionar, mas, por algum motivo, ele não está mais fazendo isso (tentei o que foi sugerido em esta pergunta mas não ajudou). Enquanto o Chromium redireciona corretamente, embora o problema ainda exista, o Firefox ainda reage a isso, presumindo que seja um download de arquivo:
Oproblemaémaisvisívelcomocurl:
curl-vhttp://example.com*RebuiltURLto:http://example.com/*Trying54.213.157.146...*Connectedtoexample.com(54.213.157.146)port80(#0)>GET/HTTP/1.1>Host:example.com>User-Agent:curl/7.50.0>Accept:*/*>*Connection#0tohostexample.comleftintact����
Emvezderetornaroscabeçalhos/status/etcusuais.pareceestarenviandodevoltadadosbinários.Enquantoisso,aversãohttpsparecefuncionarcorretamente:
curl-vhttps://example.com*RebuiltURLto:https://example.com/*Trying54.213.157.146...*Connectedtoexample.com(54.213.157.146)port443(#0)*ALPN,offeringhttp/1.1*Cipherselection:ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH*successfullysetcertificateverifylocations:*CAfile:/etc/ssl/certs/ca-certificates.crtCApath:none*TLSv1.2(OUT),TLSheader,CertificateStatus(22):*TLSv1.2(OUT),TLShandshake,Clienthello(1):*TLSv1.2(IN),TLShandshake,Serverhello(2):*TLSv1.2(IN),TLShandshake,Certificate(11):*TLSv1.2(IN),TLShandshake,Serverkeyexchange(12):*TLSv1.2(IN),TLShandshake,Serverfinished(14):*TLSv1.2(OUT),TLShandshake,Clientkeyexchange(16):*TLSv1.2(OUT),TLSchangecipher,Clienthello(1):*TLSv1.2(OUT),TLShandshake,Finished(20):*TLSv1.2(IN),TLSchangecipher,Clienthello(1):*TLSv1.2(IN),TLShandshake,Finished(20):*SSLconnectionusingTLSv1.2/ECDHE-RSA-AES128-GCM-SHA256*ALPN,serveracceptedtousehttp/1.1*Servercertificate:*subject:CN=example.com*startdate:Jul2918:50:002016GMT*expiredate:Oct2718:50:002016GMT*subjectAltName:host"example.com" matched cert's "example.com"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: example.com
> User-Agent: curl/7.50.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.11.1
< Date: Fri, 29 Jul 2016 22:53:33 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 1121
< Connection: keep-alive
< X-Powered-By: Express
< ETag: W/"461-VBuWbiWQQ/3ptwQjG8pM3w"
< Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
<
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
...
É evidente que o meu nginx está mal configurado, mas não está claro para mim como.
Meu nginx.conf:
user nginx;
worker_processes 2;
events {
worker_connections 8096;
multi_accept on;
use epoll;
}
http {
include mime.types;
default_type application/octet-stream;
proxy_cache_path /var/cache/nginx keys_zone=anonymous:10m;
proxy_temp_path /var/tmp/nginx;
sendfile on;
client_max_body_size 20M;
tcp_nodelay off;
tcp_nopush on;
keepalive_timeout 65;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
#Include the vhost files.
include vhosts/*.conf;
}
E o arquivo vhosts:
server {
listen 80 http2;
server_name ${DOMAIN};
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name ${DOMAIN};
ssl_certificate /etc/letsencrypt/live/${PATH}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${PATH}/privkey.pem;
ssl_dhparam /etc/ssl/dhparams.pem;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
root /etc/letsencrypt/webrootauth;
location / {
proxy_pass http://${UPSTREAM};
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_cache anonymous;
proxy_cache_valid 200 301 302 30m;
expires 30m;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
}
location ~* \.(html|css|jpg|gif|ico|js)$ {
proxy_cache cache;
proxy_cache_key $host$uri$is_args$args;
proxy_cache_valid 200 301 302 30m;
expires 30m;
proxy_pass http://backend;
}
location /.well-known/acme-challenge {
alias /etc/letsencrypt/webrootauth/.well-known/acme-challenge;
location ~ /.well-known/acme-challenge/(.*) {
add_header Content-Type application/jose+json;
}
}
}
Alguém vê o que poderia estar causando isso?