In my ASP.NET application running on IIS, I have configured URL redirects from http to https so that all clients access my pages via https. Web.config looks like this:
<rule name="Redirect HTTP to HTTPS" stopProcessing="true">
  <match url="^(.*)$" />
  <!-- all conditions must hold (logicalGrouping="MatchAll" is the default) -->
  <conditions>
    <!-- only plain-HTTP requests -->
    <add input="{HTTPS}" pattern="^OFF$" />
    <!-- skip requests whose Host header names the local machine -->
    <add input="{HTTP_HOST}" matchType="Pattern" pattern="^localhost(:\d+)?$" negate="true" />
    <add input="{HTTP_HOST}" matchType="Pattern" pattern="^127\.0\.0\.1(:\d+)?$" negate="true" />
  </conditions>
  <!-- 303 redirect to the same host and path over https -->
  <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
</rule>
So basically, any remote request not from the server is redirected to the https-equivalent URL.
Now the problem is that some remote clients seem to call pages locally. Example: http://127.0.0.1/Default.aspx. I know this because I'm getting custom log entries from Default.aspx that look like this:
Default.aspx.Page_Load:
Not secure: http://127.0.0.1/default.aspx -->
Secure: https://127.0.0.1/default.aspx
Client: 219.85.53.164
Translation: the client "219.85.53.164" called http://127.0.0.1/default.aspx and was manually redirected to https.
How did this remote client circumvent my HTTP rule and manage to call Default.aspx unsecured and (as it seems) locally?
Read more here: https://stackoverflow.com/questions/66025788/how-can-a-remote-client-request-a-page-via-http-127-0-0-1
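Editor's note, added here and not part of Cleo's question: the two negated conditions in the rule key on {HTTP_HOST}, and {HTTP_HOST} is nothing more than the Host: header the client sends. A client that connects to the server's public address but sends "Host: 127.0.0.1" therefore matches the local exemption, is served Default.aspx over plain HTTP, and the server still records the real peer address (219.85.53.164, assuming the log's "Client" field is {REMOTE_ADDR}). The Python below is an added model of that rule evaluation, not IIS code and not from the question; the hostname www.example.com, the function names and the request records are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    """One incoming request as the rewrite module sees it (constructed for the example)."""
    remote_addr: str   # {REMOTE_ADDR}: TCP peer address, filled in by the server
    host_header: str   # {HTTP_HOST}: the Host: header, sent verbatim by the client
    https: bool        # {HTTPS}: True when the request arrived on the TLS binding
    path: str          # {R:1} of the posted rule, e.g. "Default.aspx"


# The two negated conditions of the posted rule, copied as written there: the dots are
# unescaped regex metacharacters, so a Host of "127x0x0x1" matches as well.
# IIS compares case-insensitively by default, hence re.IGNORECASE.
LOCAL_HOST_PATTERNS = [
    re.compile(r"^localhost(:\d+)?$", re.IGNORECASE),
    re.compile(r"^127.0.0.1(:\d+)?$", re.IGNORECASE),
]


def original_rule(req: Request) -> Optional[str]:
    """Mirror of the posted rule. Returns the Location header of the redirect,
    or None when the rule does not fire and the page is served as requested."""
    if req.https:                        # {HTTPS} must be OFF
        return None
    for pat in LOCAL_HOST_PATTERNS:      # negate="true": a match blocks the rule
        if pat.match(req.host_header):
            return None
    # action url="https://{HTTP_HOST}/{R:1}" reflects the client-supplied Host header
    return f"https://{req.host_header}/{req.path}"


LOOPBACK_ADDRS = {"127.0.0.1", "::1"}
CANONICAL_HOST = "www.example.com"       # assumed site name; not from the question


def hardened_rule(req: Request) -> Optional[str]:
    """Same intent, but the exemption keys on {REMOTE_ADDR}, which the client
    cannot choose, and the redirect target is a fixed host instead of {HTTP_HOST}."""
    if req.https:
        return None
    if req.remote_addr in LOOPBACK_ADDRS:
        return None
    return f"https://{CANONICAL_HOST}/{req.path}"


def forged_request(host_header: str, path: str) -> bytes:
    """Raw HTTP/1.1 request a remote client can send to the server's public address
    while claiming any Host it likes; TCP destination and Host header are independent."""
    return (f"GET /{path} HTTP/1.1\r\nHost: {host_header}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


if __name__ == "__main__":
    # Constructed requests; 219.85.53.164 is the client address from the question's log line.
    honest = Request("219.85.53.164", "www.example.com", False, "Default.aspx")
    forged = Request("219.85.53.164", "127.0.0.1", False, "Default.aspx")
    print("honest Host      ->", original_rule(honest))
    print("Host: 127.0.0.1  ->", original_rule(forged))     # None: served over plain HTTP
    print("hardened, forged ->", hardened_rule(forged))
    print(forged_request("127.0.0.1", "Default.aspx").decode())
```

In web.config terms the hardened version replaces the two {HTTP_HOST} conditions with one on the server-assigned peer address, such as <add input="{REMOTE_ADDR}" pattern="^(127\.0\.0\.1|::1)$" negate="true" />, and uses a literal site name in the action's url instead of {HTTP_HOST}, so a forged Host header neither disables the redirect nor ends up in the Location header. If the site sits behind a reverse proxy or load balancer, {REMOTE_ADDR} is the proxy's address and the exemption has to be rethought rather than copied.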
Content Attribution
This content was originally published by Cleo at Recent Questions - Stack Overflow, and is syndicated here via their RSS feed. You can read the original post over there.