Web Services HSTS正在端口80上使用远程地址从HTTP重定向到HTTPS

klr1opcd 于 2022-11-15 发布在其他

关注(0)|答案(1)|浏览(181)

我们遇到了一个奇怪的问题，有时浏览器会决定使用端口80进行HTTPS。
不工作时的流如下所示（从网络devtools复制）：

以端口80作为远程地址的流

第一次请求：

Request URL: http://app1.test/
    Request Method: GET
    Status Code: 307 Temporary Redirect
    Remote Address: :80

    Response headers
    Cross-Origin-Resource-Policy: Cross-Origin
    Location: https://app1.test/
    Non-Authoritative-Reason: HSTS

第二次请求

Request URL: https://app1.test/
Request Method: GET
Status Code: 302 Found
Remote Address: 192.168.xxx.xxx:80

Response headers

cache-control: no-store
content-length: 1535
content-security-policy: frame-ancestors 'none'
content-type: text/html
date: Fri, 01 Jul 2022 12:04:03 GMT
location: https://***/mga/sps/oidc/rp/***/kickoff/***?authLevel=2&autologon=true&TAM_OP=login
p3p: CP="NON CUR OTPi OUR NOR UNI"
pragma: no-cache
Set-Cookie: wap-***-session-cookie=***; Domain=***.int; Path=/; SameSite=None; Secure; HttpOnly
Set-Cookie: PD-S-SESSION-ID-wap-oidc-int=***:1_2_0_6gpve0u3mSK+***|; Domain=.***.int; Path=/; SameSite=None; Secure; HttpOnly
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1

这会导致我们的负载平衡器出现问题，因为它会命中不同的端点。

工作油口443的流量

通常情况下，流程如下所示，没有任何问题：

Request URL: http://app1.test/
Request Method: GET
Status Code: 307 Internal Redirect
Referrer Policy: strict-origin-when-cross-origin

Response headers:

Cross-Origin-Resource-Policy: Cross-Origin
Location: https://app1.test/
Non-Authoritative-Reason: HSTS

第二个要求：

Request URL: https://app1.test/
Request Method: GET
Status Code: 302 Moved Temporarily
Remote Address: 192.168.xxx.xxx:443
Referrer Policy: strict-origin-when-cross-origin

Response headers:

cache-control: no-store
content-length: 1535
content-security-policy: frame-ancestors 'none'
content-type: text/html
date: Fri, 01 Jul 2022 13:19:21 GMT
location: https://***/mga/sps/oidc/rp/***/kickoff/***?authLevel=2&autologon=true&TAM_OP=login
p3p: CP="NON CUR OTPi OUR NOR UNI"
pragma: no-cache
Set-Cookie: wap-***-session-cookie=***; Domain=***.int; Path=/; SameSite=None; Secure; HttpOnly
Set-Cookie: PD-S-SESSION-ID-wap-oidc-int=***; Domain=.***.int; Path=/; SameSite=None; Secure; HttpOnly
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1

有人知道为什么浏览器有时使用“远程地址：80”吗？

web-services

来源：https://stackoverflow.com/questions/72829982/hsts-is-redirecting-from-http-to-https-with-a-remote-address-on-port-80