IIS7.5: HTTPS->HTTP 302 redirect

Question

I have an asp.net website running on IIS7 configured long ago. There appears to be a 302 redirection in place redirecting all requests over HTTPS to HTTP instead. I would like to remove this redirect so we can serve the site over HTTPS.

Specifically, when testing with curl, requesting any page "https://WebSite.com/SomeThing" redirects to "http://website.com/something" (insecure, case not maintained). The only request that is not redirected to HTTP is the bare domain, which goes to Default.aspx before redirecting to HTTP. Some examples:

https://www.website.com -302-> Default.aspx
https://www.website.com/Default.aspx -302-> http://www.website.com/default.aspx
https://website.com/Default.aspx -302-> http://website.com/default.aspx
https://website.com/ABOUTUS.aspx -302-> http://website.com/aboutus.aspx

I can't figure out where this redirect is configured. In IIS Manager, I've checked the "HTTP Redirect" module (not enabled), the "URL Rewrite" module (not installed), and the SSL Settings ("Require SSL" is NOT set). I've searched the contents of all *.aspx files in the web root for "redirect" or "rewrite", and not found anything. Ditto for web.config.

Where else could this redirect be hiding? Host is Windows Server 2008 R2 running within an Azure VM.

Answer 1

One more thing to check is ISAPI Filters on server and site level.

You should see the ASP.Net filter.dlls there, but there may be additional entries.

Some people use a mod-rewrite DLL which is a port of the Apache mod-rewrite module. There may be an ini file in the same directory as the DLL.

Otherwise I would look carefully at:

C:\WINDOWS\system32\inetsrv\config\ApplicationHost.config

look for anything that seems suspicious or may relate to your problem.

Answer 2

The comment from Lex Li got me moving in the right direction.

In addition to the ASP.net code, there was also C# code which was not in the webroot. MasterPage.master.cs had the redirect.