← Back to context

Comment by shakna

2 months ago

The loop most definitely exists. It's rather odd you're not seeing it. Everything I can use to talk to the server gets the 301/302 redirects.

Using yet another machine and curl:

    curl -vvv --insecure https://spacejam.com
     < HTTP/2 301 
     < date: Fri, 16 May 2025 10:45:08 GMT
     < content-type: text/html; charset=iso-8859-1
     < content-length: 233
     < location: https://www.spacejam.com/
     < server: nginx
     < cache-control: max-age=600
     < expires: Fri, 16 May 2025 10:51:34 GMT
     < 
     <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
     <html><head>
     <title>301 Moved Permanently</title>
     </head><body>
     <h1>Moved Permanently</h1>
     <p>The document has moved <a href="https://www.spacejam.com/">here</a>.</p>
     </body></html>
     ...
     \* Connection #0 to host www.spacejamanewlegacy.net left intact

    curl -vvv --insecure www.spacejamanewlegacy.net
     < HTTP/1.1 302 Found
     < Date: Fri, 16 May 2025 10:46:53 GMT
     < Server: Apache/2.4.62 () OpenSSL/1.0.2k-fips
     < X-Powered-By: PHP/8.0.30
     < Strict-Transport-Security: max-age=15768000
     < Upgrade: h2,h2c
     < Connection: Upgrade
     < Location: https://www.spacejamanewlegacy.net/
     < Transfer-Encoding: chunked
     < Content-Type: text/html; charset=UTF-8
     \* Connection #0 to host www.spacejam.com left intact

3 comments

shakna

Reply
Thorrez  2 months ago

Your request to https://spacejam.com is redirected to https://www.spacejam.com/ .

Your request to http://www.spacejamanewlegacy.net is redirected to https://www.spacejamanewlegacy.net/ .

You never tried making a request to https://www.spacejam.com/ .

Go to https://reqbin.com/ and enter https://spacejam.com . It gives 1 redirect (to https://www.spacejam.com/ ) then HTML.

  • shakna  2 months ago

    I think you missed which servers are connected at the end of which request, there.

    Reqbin receives an upgrade request to HTTP2, that it never follows.

    • Thorrez  1 month ago

      The curl output you post confuses me. Can you post the full output? The output you posted didn't show a redirect loop. But since you cut out content, maybe there was a redirect loop that I can't see.

      Here's my full curl output. No redirect loop:

          curl -vvv --insecure https://spacejam.com
    * Rebuilt URL to: https://spacejam.com/
    *   Trying 75.2.104.223...
    * TCP_NODELAY set
    * Connected to spacejam.com (75.2.104.223) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: /etc/ssl/certs
    * TLSv1.2 (OUT), TLS header, Certificate Status (22):
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS change cipher, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    *  subject: C=US; ST=California; L=Burbank; O=WARNER BROS. ENTERTAINMENT INC.; CN=www.spacejam.com
    *  start date: Jul 15 15:36:27 2024 GMT
    *  expire date: Aug 16 15:36:26 2025 GMT
    *  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
    *  SSL certificate verify ok.
    > GET / HTTP/1.1
    > Host: spacejam.com
    > User-Agent: curl/7.52.1
    > Accept: */*
    >
    < HTTP/1.1 302 Found
    < Date: Wed, 21 May 2025 07:29:29 GMT
    < Server: Apache/2.4.62 () OpenSSL/1.0.2k-fips
    < X-Powered-By: PHP/8.0.30
    < Strict-Transport-Security: max-age=15768000
    < Upgrade: h2,h2c
    < Connection: Upgrade
    < Location: https://www.spacejam.com/
    < Content-Length: 0
    < Content-Type: text/html; charset=UTF-8
    <
    * Curl_http_done: called premature == 0
    * Connection #0 to host spacejam.com left intact


    curl -vvv --insecure https://www.spacejam.com
    * Rebuilt URL to: https://www.spacejam.com/
    *   Trying 52.87.20.172...
    * TCP_NODELAY set
    * Connected to www.spacejam.com (52.87.20.172) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: /etc/ssl/certs
    * TLSv1.2 (OUT), TLS header, Certificate Status (22):
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS change cipher, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    *  subject: C=US; ST=California; L=Burbank; O=WARNER BROS. ENTERTAINMENT INC.; CN=www.spacejam.com
    *  start date: Jul 15 15:36:27 2024 GMT
    *  expire date: Aug 16 15:36:26 2025 GMT
    *  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
    *  SSL certificate verify ok.
    > GET / HTTP/1.1
    > Host: www.spacejam.com
    > User-Agent: curl/7.52.1
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Date: Wed, 21 May 2025 07:30:35 GMT
    < Server: Apache/2.4.62 () OpenSSL/1.0.2k-fips
    < X-Powered-By: PHP/8.0.30
    < Strict-Transport-Security: max-age=15768000
    < Upgrade: h2,h2c
    < Connection: Upgrade
    < Vary: Accept-Encoding
    < Transfer-Encoding: chunked
    < Content-Type: text/html; charset=UTF-8
    <
    <!doctype html>
    <html lang="en">
    <head>
            <meta charset="utf-8">
            <meta http-equiv="X-UA-Compatible" content="IE=edge">
            <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no">
            <title>
                    Space Jam: A New Legacy | Official Site </title>
    ...
    </body>
    * Curl_http_done: called premature == 0
    * Connection #0 to host www.spacejam.com left intact
    </html>


    curl -vvv --insecure www.spacejamanewlegacy.net
    * Rebuilt URL to: www.spacejamanewlegacy.net/
    *   Trying 52.11.38.202...
    * TCP_NODELAY set
    * Connected to www.spacejamanewlegacy.net (52.11.38.202) port 80 (#0)
    > GET / HTTP/1.1
    > Host: www.spacejamanewlegacy.net
    > User-Agent: curl/7.52.1
    > Accept: */*
    >
    < HTTP/1.1 301 Moved Permanently
    < Date: Wed, 21 May 2025 07:32:05 GMT
    < Content-Type: text/html; charset=iso-8859-1
    < Content-Length: 233
    < Connection: keep-alive
    < Server: nginx
    < Location: https://www.spacejam.com/
    < Cache-Control: max-age=600
    < Expires: Wed, 21 May 2025 07:37:50 GMT
    <
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>301 Moved Permanently</title>
    </head><body>
    <h1>Moved Permanently</h1>
    <p>The document has moved <a href="https://www.spacejam.com/">here</a>.</p>
    </body></html>
    * Curl_http_done: called premature == 0
    * Connection #0 to host www.spacejamanewlegacy.net left intact

      >Reqbin receives an upgrade request to HTTP2, that it never follows.

      You mean Reqbin receives a response with an Upgrade: h2,h2c header? That's not exactly a request to upgrade. That's the server advertising that it supports those protocols for upgrading. The client is free to ignore them. Also, h2 is actually an invalid upgrade protocol, not listed in the standard:

      https://www.iana.org/assignments/http-upgrade-tokens/http-up...

      https://stackoverflow.com/questions/67583138/why-does-the-ht...

      According to that SO post, Apache advertises Upgrade: h2, h2c in its responses, but if the client attempts to upgrade to h2, Apache ignores it. So I believe Reqbin is doing the correct thing in not upgrading to h2. As for upgrading to h2c, that also wouldn't be possible, because that header was sent in response to an https:// request, but h2c only makes sense when upgrading from an http:// request.