Access Manager 409 'Received a non-redirectable request on a secure service' message

  • 3315786
  • 10-Nov-2006
  • 26-Apr-2012

Environment

Access Manager 3 FCS build
Novell Identity Server 491
NetWare Access Gateway 3.0.153
Linux Access Gateway build 56

Situation

A reverse proxy was configured on an Access Gateway server (on either the NetWare or Linux platform). All SSL options between the browser and the proxy were enabled, including the option to redirect HTTP requests to HTTPS. The protected resources for this reverse proxy did not require authentication. After the changes were applied, the health check status looked fine.

Users could access the reverse proxy successfully via browsers. However, some users started reporting 409 errors. The error description was the following:
'Received a non-redirectable request on a secure service. Change the URL from http to https and send the request again'

Resolution

The error serves as a warning that secure data may be exchanged over an insecure HTTP channel. Change the back-end application so that all HTTP POST requests are sent directly to HTTPS rather than to HTTP.


Additional Information

The 409 error above occurs when a user agent (a browser or web-based application) sends data over HTTP to the secure reverse proxy using the POST method. The reverse proxy is set up to redirect HTTP requests to HTTPS, so it would be expected to redirect the POST request and its data to HTTPS. The problem is that this POST data is sensitive and should only be sent over a secure channel. If the proxy were to redirect the POST data (via an HTTP 302 response), it would potentially open up a security hole.

When the back end is changed to send the POST data over HTTPS, no redirection is needed and the issue does not arise.
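
To locate the back-end pages that trigger the 409, the following added example (not part of the original document and not Novell code) parses a page's HTML and lists every POST form whose resolved target is a plain http:// URL. The function and class names, the sample URL and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PostFormAuditor(HTMLParser):
    """Record the action of every POST form, plus the first <base href>."""

    def __init__(self):
        super().__init__()
        self.base_href = None
        self.post_actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base_href is None and attrs.get("href"):
            self.base_href = attrs["href"]
        elif tag == "form":
            method = (attrs.get("method") or "get").strip().lower()
            if method == "post":
                self.post_actions.append(attrs.get("action") or "")


def insecure_post_targets(page_url, html):
    """Return the http:// URLs that POST forms in this page would submit to."""
    auditor = PostFormAuditor()
    auditor.feed(html)
    auditor.close()
    base = urljoin(page_url, auditor.base_href) if auditor.base_href else page_url
    targets = []
    for action in auditor.post_actions:
        # An empty or missing action submits to the page's own URL.
        url = urljoin(base, action) if action else page_url
        if urlsplit(url).scheme == "http":
            targets.append(url)
    return targets


# Constructed sample page, as served by a hypothetical back end.
SAMPLE_URL = "https://www.example.com/app/index.html"
SAMPLE_HTML = """
<form method="POST" action="http://www.example.com/app/login.do"></form>
<form method="post" action="/app/search"></form>
<form method="get" action="http://www.example.com/app/find"></form>
"""

if __name__ == "__main__":
    for target in insecure_post_targets(SAMPLE_URL, SAMPLE_HTML):
        print("POST over plain HTTP:", target)
```

Only the first form is reported: the relative action inherits https from the page, and the GET form is a request the proxy can redirect.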