```
$ wget gentoo.org
--2023-04-30 05:29:46-- http://gentoo.org/
Resolving gentoo.org (gentoo.org)... 151.101.65.91, 151.101.129.91, 151.101.213.91, ...
Connecting to gentoo.org (gentoo.org)|151.101.65.91|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.gentoo.org/ [following]
URL transformed to HTTPS due to an HSTS policy
--2023-04-30 05:29:46-- https://www.gentoo.org/
```

What's more important, this causes Firefox to emit an "insecure site" warning even though it ends up serving the HTTPS website.
I think this might be misbehavior on the side of Fastly.

```
$ curl -H "Host: gentoo.org" -I avocet.gentoo.org
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sun, 30 Apr 2023 05:53:06 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Keep-Alive: timeout=20
Location: https://gentoo.org/
X-Clacks-Overhead: Terry Pratchett, Noirin Trouble Pluinceid, Dan Kaminsky
Permissions-Policy: interest-cohort=()
Referrer-Policy: strict-origin-when-cross-origin

$ curl -H "Host: gentoo.org" -I gentoo.org
HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 0
Server: Varnish
Retry-After: 0
cache-control: max-age=86400
Location: http://www.gentoo.org/
Accept-Ranges: bytes
Date: Sun, 30 Apr 2023 05:53:39 GMT
Via: 1.1 varnish
X-Served-By: cache-bfi-krnt7300116-BFI
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1682834020.720393,VS0,VE1
Strict-Transport-Security: max-age=300
```

Different "Location:" headers depending on whether I request from the origin or the CDN.
fastly rules tweaked

```
# curl -H 'Host: gentoo.org' -v avocet.gentoo.org
* Trying [2001:41c8:0:936:224:1dff:fe83:8bb]:80...
* Connected to avocet.gentoo.org (2001:41c8:0:936:224:1dff:fe83:8bb) port 80 (#0)
> GET / HTTP/1.1
> Host: gentoo.org
> User-Agent: curl/8.0.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Sun, 30 Apr 2023 06:16:59 GMT
< Content-Type: text/html
< Content-Length: 162
< Connection: keep-alive
< Keep-Alive: timeout=20
< Location: https://gentoo.org/
< X-Clacks-Overhead: Terry Pratchett, Noirin Trouble Pluinceid, Dan Kaminsky
< Permissions-Policy: interest-cohort=()
< Referrer-Policy: strict-origin-when-cross-origin
<
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host avocet.gentoo.org left intact

# curl -H 'Host: gentoo.org' -v gentoo.org
* Trying [2a04:4e42::347]:80...
* Connected to gentoo.org (2a04:4e42::347) port 80 (#0)
> GET / HTTP/1.1
> Host: gentoo.org
> User-Agent: curl/8.0.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Connection: close
< Content-Length: 0
< Server: Varnish
< Retry-After: 0
< Location: https://gentoo.org/
< Accept-Ranges: bytes
< Date: Sun, 30 Apr 2023 06:16:54 GMT
< Via: 1.1 varnish
< X-Served-By: cache-yyc1430025-YYC
< X-Cache: HIT
< X-Cache-Hits: 0
< X-Timer: S1682835414.069477,VS0,VE0
< Strict-Transport-Security: max-age=300
< alt-svc: h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400
<
* Closing connection 0
```
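
As an added example (not part of the thread and not Gentoo's own tooling), the check below audits responses fetched over plain HTTP for redirects that stay on HTTP, and compares what the origin and the CDN return. The header blocks are abridged from the curl output quoted in this thread; the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Abridged from the `curl -I` / `curl -v` port-80 responses quoted in the thread.
ORIGIN = """HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://gentoo.org/
"""
CDN_BEFORE = """HTTP/1.1 301 Moved Permanently
Server: Varnish
Location: http://www.gentoo.org/
Strict-Transport-Security: max-age=300
"""
CDN_AFTER = """HTTP/1.1 301 Moved Permanently
Server: Varnish
Location: https://gentoo.org/
Strict-Transport-Security: max-age=300
"""

def parse_response(raw):
    """Return (status_code, headers) with lower-cased header names."""
    lines = [line.strip() for line in raw.strip().splitlines()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def audit_redirect(raw):
    """List findings for a response that was fetched over plain HTTP."""
    status, headers = parse_response(raw)
    findings = []
    if status in (301, 302, 303, 307, 308):
        # A missing or relative Location also keeps the client on HTTP.
        if urlsplit(headers.get("location", "")).scheme != "https":
            findings.append("non-https-redirect")
    # RFC 6797 section 8.1: user agents ignore HSTS sent over insecure transport.
    if "strict-transport-security" in headers:
        findings.append("hsts-over-http-ignored")
    return findings

def redirects_agree(raw_a, raw_b):
    """True when two tiers send the client to the same Location."""
    return parse_response(raw_a)[1].get("location") == parse_response(raw_b)[1].get("location")

if __name__ == "__main__":
    for name, raw in (("origin", ORIGIN), ("cdn-before", CDN_BEFORE), ("cdn-after", CDN_AFTER)):
        print(name, audit_redirect(raw), "agrees with origin:", redirects_agree(ORIGIN, raw))
```

The same functions can be fed live `curl -sI` output for each tier to catch a CDN rule that drifts from the origin's redirect.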