Complicated issue: requests routed via Cloudflare not reaching origin except for developer mode

Hi all,

Here’s a complicated one. I wonder if anyone has any ideas.

Try retrieving this gif: https://cms-staging.pinkpigeon.co.uk/static/img/Spinning3DPigeon_2.gif in Firefox 110.

That’s a publicly available static asset, behind Cloudflare as proxy. The underlying platform is Dokku (which serves files up via NGINX). SSL is handled via Cloudflare.

I can sometimes get the asset to load on the first attempt. When refreshing (standard refresh in Firefox, via F5), eventually you’ll get ‘Secure Connection Failed’. This is the extended information:

In the network tab the request shows no data transferred, no status code, no response, no protocol and no errors:

What you’ll notice at the top in that image is a 304 status, which is what happens when I do a cache-less refresh (CTRL+SHIFT+R).

I have checked my NGINX logs, which show no requests at all when there is a security failure. There are also no NGINX errors in the error log.

All static assets are served with cache-control: public, max-age=0, must-revalidate and a weak ETag which changes with every deploy.

Cloudflare is set to NOT do HTTPS rewrites; HSTS is enabled (and has been for three years); browser TTL is set to respect origin headers.

Here are a few interesting things I noticed:

1. Firefox insists HSTS is disabled. Whether the asset transfers correctly or not, in fact

HSTS is enabled in Cloudflare and in Dokku / NGINX…

2. Switching the site into developer mode rectifies the issue immediately and for as long as developer mode is on

3. Setting a page rule to bypass cache makes no difference. Setting a cache rule to bypass cache also makes no difference…just for reference, I did it like this, assuming this should skip all caching, but seemingly that’s not the case?

4. It would appear that the first transfer of static assets with a cache-less refresh (CTRL+SHIFT+R) is using HTTP/2 and subsequent transfers are HTTP/3. Assets then transfer fine on each F5-refresh, until navigating away. After coming back, transfers fail again.

I wanted to make sure there were no SSL configuration issues, so I did an SSL check here, which always succeeds: SSL Checker

The same problem occurs on Firefox mobile. Chrome / Safari are fine and never seem to encounter this problem.

Anyone have any ideas / feel like helping me investigate this issue?