I agree it could be something in layer 4, but when you get back to testing, I think your URL needs a bit of tweaking as well - it’s /masthead/masthead.afxm, not /masthead.afxm that we need to retrieve.
The message about “TLS connection was non-properly terminated” is an example of exactly what a Layer-4 firewall would do, and makes it difficult to troubleshoot for the application owner.
The firewall will allow the TCP SYN/ACK/SYN-ACK on port 52311 , and then as soon as the Layer-4 firewall detects that the traffic is the (disallowed) HTTPS instead of the (allowed) HTTP, the firewall sends a TCP RESET to both the client and server on the connection, and blocks any further traffic. The client and server, if they log anything, would log “Connection reset by peer”.