Why Users are Accessing my Sites through HTTPS on Port 80 instead of 443 ?

Mohammed Abed 145 Reputation points
2023-10-18T07:16:09.7133333+00:00

Hi,

I have a web hosting server using IIS 10 with SSL installed. When I host any site there with both HTTPS and HTTP bindings things work fine inside when I access any site using my VPN, but they don't for public users.

When I tried to refer to some logs, I found that any public access is externally is done on HTTPS but through port 80. In addition to being a security concern, this is causing some issues when accessing my sites. Also, this issue is being faced on any IIS site not specific ones while I have validated my SSL and ensured it is fine and it works fine locally or through my VPN.

The thing is, accessing HTTP through port 80 results in several stability issues that I struggle from. For instance, I receive a 403 response, or even 401 while the credentials are corrected then try several login attempts and it works. Generally, it is negatively impacting my stability.

I don't know if it can be solved through a Rewrite Rule, but I have tried some and that did not work (URL is HTTPS but port is 80). Here is a sample of logs:

2023-09-27 06:06:51 {ip} POST /_apis/customerintelligence/Events - 80 {ip} Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/117.0.0.0+Safari/537.36+Edg/117.0.2045.31 https://{url} 204 0 0 22
Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,505 questions
Internet Information Services
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,284 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,746 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Sam Wu-MSFT 7,046 Reputation points Microsoft Vendor
    2023-10-18T10:12:52.23+00:00

    @Mohammed Abed

    Port 80 and 443 refer only to the server port in use (i.e. it is "just a number") and carries no significance at all with regards to security.

    What really differentiates them is http and https, http and https refer to the protocol in use.

    http is used for unencrypted cleartext communication, which means transferred data may be intercepted and read in plain by a human. Username/password fields may for instance be captured and read.

    https refers to SSL/TLS encrypted communication. It must be decrypted to be read. Normally/ideally only the endpoints are capable of encrypting/decrypting the data, although this is a statement with caveats.

    Therefore https may be considered more secure than http.

    The default port for https connections is 443, so browsers will connect on that default port if your url has a https protocol and no port number specified. the default port for http connections is 80.

    You can modify the https port through url rewrite or directly in Site bindings, but I don’t recommend this because it can easily cause problems.


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.