How can a remote client request a page via http://127.0.0.1/?

In my ASP.Net application running on IIS, I have configured URL redirects from http to https so that all clients access my pages via https. Web.config looks like this:

<rule name="Redirect HTTP to HTTPS" stopProcessing="true">
  <match url="^(.*)$" />
  <conditions>
    <add input="{HTTPS}" pattern="^OFF$" />
    <add input="{HTTP_HOST}" matchType="Pattern" pattern="^localhost(:\d+)?$" negate="true" />
    <add input="{HTTP_HOST}" matchType="Pattern" pattern="^127.0.0.1(:\d+)?$" negate="true" />
  </conditions>
  <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
</rule>

So basically, any remote request not from the server is redirected to the https-equivalent URL.

Now the problem is that some remote clients seem to call pages locally. Example: http://127.0.0.1/Default.aspx. I know this because I'm getting custom log entries from Default.aspx that look like this:

   Default.aspx.Page_Load: 
   Not secure: http://127.0.0.1/default.aspx --> 
   Secure: https://127.0.0.1/default.aspx 
   Client: 219.85.53.164

Translation: the client "219.85.53.164" called http://127.0.0.1/default.aspx and was manually redirected to https.

How did this remote client circumvent my HTTP rule and manage to call Default.aspx unsecured and (as it seems) locally???
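
The exemptions in the rule above test {HTTP_HOST}, which IIS fills from the Host header sent with the request, so a match says nothing about where the request came from. The model below is an added example, not part of the original question: it evaluates the rule's conditions against constructed requests and compares them with an assumed variant that exempts by {REMOTE_ADDR} instead (the function names, the hardened rule and www.example.com are illustrative assumptions).

```python
import re

# Conditions copied from the rule in the question: (server variable, pattern, negate)
PAGE_RULE = [
    ("HTTPS", r"^OFF$", False),
    ("HTTP_HOST", r"^localhost(:\d+)?$", True),
    ("HTTP_HOST", r"^127.0.0.1(:\d+)?$", True),
]

# Assumed alternative (not from the question): exempt by TCP peer address,
# which the Host header does not influence.
HARDENED_RULE = [
    ("HTTPS", r"^OFF$", False),
    ("REMOTE_ADDR", r"^(127\.0\.0\.1|::1)$", True),
]

def server_variables(peer_ip, host_header, tls):
    """Build the server variables the rule reads for one request."""
    return {
        "HTTPS": "on" if tls else "off",
        "HTTP_HOST": host_header,  # taken from the request's Host header
        "REMOTE_ADDR": peer_ip,    # address of the connecting peer
    }

def redirects(rule, variables):
    """True when every condition holds (MatchAll), i.e. the redirect fires."""
    for name, pattern, negate in rule:
        # URL Rewrite patterns ignore case by default
        matched = re.search(pattern, variables[name], re.IGNORECASE) is not None
        if matched == negate:
            return False
    return True

# Constructed requests, all over plain HTTP; the client IP is the one in the log.
REQUESTS = {
    "remote, Host: www.example.com": server_variables("219.85.53.164", "www.example.com", False),
    "remote, Host: 127.0.0.1": server_variables("219.85.53.164", "127.0.0.1", False),
    "on the server itself": server_variables("127.0.0.1", "127.0.0.1", False),
}

def compare():
    """Map each request to (redirected by page rule, redirected by hardened rule)."""
    return {label: (redirects(PAGE_RULE, v), redirects(HARDENED_RULE, v))
            for label, v in REQUESTS.items()}

if __name__ == "__main__":
    for label, result in compare().items():
        print(f"{label:32} page rule: {result[0]!s:5}  hardened: {result[1]}")
```

If the site sits behind a reverse proxy or load balancer, {REMOTE_ADDR} is that device's address, so the exemption has to be designed around the actual network path.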



Read more here: https://stackoverflow.com/questions/66025788/how-can-a-remote-client-request-a-page-via-http-127-0-0-1

Content Attribution

This content was originally published by Cleo at Recent Questions - Stack Overflow, and is syndicated here via their RSS feed. You can read the original post over there.
