I have a fresh install of Windows Server 2012 R2 with IIS 8 installed and all fully patched. I have created a new web site with a single page called home.htm and the site has an HTTP binding on port 80 and a host header. When I try to browse to home.htm from on the server or from a Windows 10 client I get a 301 redirect to HTTPS which is not configured and so fails. Any suggestions greatly appreciated.
- This can be done in web.config or in the HTML file, or in some JavaScript code the HTML file is loading. – Mr Zach Feb 24 '19 at 16:12
- Thanks for the comment Mr Zach but I'm not sure you understand me. The problem is I have made no changes to the default, vanilla IIS 8 installation and all requests to any pages on any web application are being redirected with a 301 response. I DON'T want this to be happening, I just want the HTTP page that I have requested. – Matt Coffey Feb 24 '19 at 19:45
- If there is nothing between your browser and webserver, this is what can cause the redirects. If you are using names or DNS to resolve the IP, make sure it's resolving the correct IP. – Mr Zach Feb 25 '19 at 06:56
- Thank you @MrZach for taking the time to consider my problem and your response led me to work out how to scrutinise the problem in more detail. I've created an answer to my own question for the benefit of anyone else like me who doesn't have what I'm sure most here would consider 101 knowledge. – Matt Coffey Mar 04 '19 at 11:52
1 Answer
Following the advice of @MrZach I did much more testing using different browsers from on the server and from client VMs running Windows 10. Using the Chrome F12 tools I was able to determine that what presented as a 301-redirect in MS Edge was in fact a 307-redirect with a Non-Authoritative-Reason header of hsts. This didn't make sense, because I had not configured HSTS in IIS, until I found "Understanding HTTP Strict Transport Security (HSTS) and preloading it into the browser" and read the line:
Chrome has refused to issue the first request over the insecure HTTP protocol
I then found there is an HSTS whitelist and then I found that the .dev top level domain forces HSTS. And guess what? As a developer, I'd configured the top level domain as ".dev" (and completely neglected to mention that fact in my original question!)
I guess this proves 2 things; you don't know what you don't know and a little bit of knowledge is a dangerous thing (especially in the hands of a developer!)
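The check this answer arrives at, as an added example that is not part of the original post: given a redirect copied from the F12 network panel, decide whether the browser synthesized it from HSTS and whether a preload entry covers the host. The function names, the host `mysite.dev` and the `portal.example` entry are assumptions made for illustration; only the `dev` entry and the 307 / Non-Authoritative-Reason behaviour come from the answer.

```javascript
// Constructed subset of an HSTS preload list: only the "dev" entry comes from
// the answer above; "portal.example" is a made-up host added for contrast.
const PRELOAD_SAMPLE = [
  { name: "dev", includeSubdomains: true },
  { name: "portal.example", includeSubdomains: false },
];

// Walk the host from most to least specific (a.b.dev, b.dev, dev) and return
// the first entry that covers it. A parent entry applies to a subdomain only
// when it sets includeSubdomains.
function findPreloadEntry(hostname, entries = PRELOAD_SAMPLE) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    const entry = entries.find((e) => e.name === candidate);
    if (entry && (i === 0 || entry.includeSubdomains)) return entry;
  }
  return null;
}

// Classify a response by status code and headers (header names are
// case-insensitive, so normalize them first).
function classifyRedirect(status, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  if (status === 307 && (h["non-authoritative-reason"] || "").toUpperCase() === "HSTS") {
    return "browser-hsts"; // synthesized by the browser; the web server never saw the request
  }
  if (status >= 300 && status < 400 && h["location"]) return "server-redirect";
  return "not-a-redirect";
}

function diagnose(url, status, headers) {
  const host = new URL(url).hostname;
  const entry = findPreloadEntry(host);
  return { host, kind: classifyRedirect(status, headers), preloadedBy: entry ? entry.name : null };
}

// Constructed sample: the situation the answer describes for a .dev host header.
console.log(diagnose("http://mysite.dev/home.htm", 307, {
  "Non-Authoritative-Reason": "HSTS",
  Location: "https://mysite.dev/home.htm",
}));
```

A result of `browser-hsts` means no IIS setting, web.config rule or page script produced the redirect, so the fix is on the naming side (a host name outside the preloaded domain) or an HTTPS binding.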
