Fixes T12079. Currently, when a file is encrypted and a request has "Content-Range", we apply the range first, then decrypt the result. This doesn't work since you can't start decrypting something from somewhere in the middle (at least, not with our cipher selection).
Instead: decrypt the result, then apply the range.