so I can't see where the server is trying to force https. This is important because the bugserver sends out bug reports with URLs them, and when I click them they open in Safari, where they fail.

In this case, the issue affects only version 2.4.49 of Apache’s open-source web server, which offers cross-platform operability with all modern operating systems, including UNIX and Windows.

I run both IIS and Apache Web servers in my honeynet. The Apache Web server gets attacked significantly more than the IIS server does. Also, most reported hacks are against Apache Web servers.