I have a domain from GoDaddy, with AWS Route53 for managing DNS records. Route53 sends requests to a load balancer.
For the web server, I have a load balancer that routes requests to a single (for now) EC2 instance, and nginx on the EC2 instance gets the request and sends a response to the client.
The problem is that when I use http:// to perform a request, AWS redirects requests to the https:// version of the domain with a 307 Internal Redirect response. The response object has a Non-Authoritative-Reason: HSTS header as well.
What’s the problem and which component is redirecting requests?
It’s neither component.
This isn’t anything from AWS… it’s the browser. It’s an internal redirect the browser is generating, related to HSTS… HTTP Strict Transport Security.
If you aren’t doing it now, then presumably, in the past, you’ve generated a Strict-Transport-Security: header in responses from this domain, and the browser has remembered this fact, preventing you from accessing the site insecurely, as it is intended to do.