Apache 2.4 requests to non-SSL site with "Upgrade-Insecure-Requests: 1" and no trailing / get redirected to default site

owendelong · 06-19-2021, 08:16 AM

Consider a web server with multiple virtual hosts (address based).
http://www.example.com/location/ is a fully formed URL and works.
http://www.example.com/location is missing the trailing /, so the web server produces a redirect to add it.
Finally, the default web site is http://www.othername.com and has both HTTP and HTTPs services with a proper certificate.

Without the "Upgrade-Insecure-Requests: 1" header, this works as expected.

However, add the aforementioned header and now the rewrite comes back as "https://www.othername.com/location/" instead of the expected (and desired) "http://www.example.com/location/".

It's not acceptable for "https://www.example.com/location/" because the www.example.com site is SSLEngine Off and has no port 443 listener configured, no certificate configured, etc.

However, it's also not acceptable to rewrite the domain name entirely, since the default site has a completely different document root and so the rewrite creates a 404 error.

I'm hoping someone can explain how to coerce Apache into doing what is expected here.

Thanks in advance,

Owen

smallpond · 06-22-2021, 01:41 PM

Can you post conf and htaccess for www.example.com?

scasey · 06-22-2021, 02:08 PM

If Upgrade-Insecure-Requests for example.com is on, and example.com is not listening on port 443, I would expect the server to drop back to the default domain.

But…I don’t find Upgrade-Insecure-Requests anywhere in the Apache documentation. Where, exactly, are you adding that “header”?