
I have my website up with Elastic Beanstalk (as a VirtualHost): http://apptic.us-east-1.elasticbeanstalk.com/apptic/

I also have my domain at Namecheap: apptic.me

I've installed an SSL certificate to my Elastic Load Balancer, and ideally I'd like to use HTTPS. But my real concern is that for HTTPS non-www, the site does not redirect https://apptic.me to https://www.apptic.me -- it fails to show anything altogether.

I'm pretty sure that there's something wrong with my DNS settings rather than with my Elastic Beanstalk configuration, but I'm open to suggestions. The site properly redirects http://apptic.me, and it runs http://www.apptic.me without redirecting to https (not a huge concern of mine).

My current DNS settings are as follows:

CNAME Record: www => apptic.us-east-1.elasticbeanstalk.com.
URL Redirect Record: @ => https://www.apptic.me/

How can I change my DNS settings so all of the permutations of HTTP/HTTPS and non-www/www go to https://www.apptic.me? I would even be okay if http://apptic.me went to http://www.apptic.me and https://apptic.me went to https://www.apptic.me.

Neel

2 Answers


The correct way to handle this isn't with DNS records. You're supposed to use Route 53 and set your domain to the custom nameservers that AWS provides. Here's the tutorial that I followed: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customdomains.html

I also ended up writing a blog post about this: https://www.apptic.me/blog/using-custom-domains-with-elastic-beanstalk.php

Neel

This isn't a DNS problem, as apex aliasing with CNAME is not legal per the DNS standards.

The "URL Redirect Record" functionality is custom behavior implemented by Namecheap's software. In the background, it results in an A record being defined for a webserver that will perform the redirection for you.

The webserver in question is not listening on port 443 (https), hence redirection fails.

$ dig +short apptic.me
162.255.119.250
$ nc -zv 162.255.119.250 443
nc: connect to 162.255.119.250 port 443 (tcp) failed: Connection refused

This is almost certainly due to the limitations of https, where most browsers expect the SSL certificate to present the name of the website prior to sending host headers. There is nothing for Namecheap to do here unless they are willing to devote an IP address to your redirection and associate an SSL cert with it that you provide. The alternative is for them to use a bogus SSL cert that generates security warnings, and rather than deal with that they appear to have elected to not listen on port 443 at all.

In short, this is a limitation of the redirection webserver, the limitation is unlikely to be fixed, and there are no DNS shortcuts for dealing with this problem. A seamless https redirect is going to require a dedicated https webserver with a valid, signed SSL cert. Once you have one, set your apex A record to its IP address.

Andrew B
  • This was a great explanation. It also clears up what was going on behind the scenes for Namecheap's URL Redirection. That's unfortunate, though; I just switched from a dedicated server to AWS's Elastic Beanstalk for the scalability, and unfortunately this means that I can't reliably bind a static IP to the server. Another question: would it be possible for me to just have a dedicated server where I install the exact same SSL certificate, and all it does is redirect the user to www (which would work via the CNAME record)? Or do you think that this would be a waste of money? Please let me know. – Neel Apr 08 '16 at 08:19
  • That's precisely what you have to do for seamless https redirection, yes. It will work just fine in your scenario. If SSL warnings don't concern you, then it doesn't have to be a valid cert, but in user facing scenarios you can expect people to panic due to browser warnings. (panic generates tickets and e-mails, those cost money, etc.) – Andrew B Apr 08 '16 at 19:57
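
The `dig`/`nc` check from the answer above, extended to all four scheme/host permutations the question asks about, as an added example that is not code from either poster. It assumes Python 3; the state names, `probe_fn` parameter and `CANONICAL` constant are this example's own.

```python
import http.client
import ssl
import sys

CANONICAL = "https://www.apptic.me/"  # target URL from the question

def probe(scheme, host, port=None, timeout=5):
    """Make one HEAD request without following redirects; return (state, detail)."""
    port = port or (443 if scheme == "https" else 80)
    try:
        if scheme == "https":
            # Default context verifies chain and hostname, as a browser would.
            conn = http.client.HTTPSConnection(
                host, port, timeout=timeout, context=ssl.create_default_context())
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        location = resp.getheader("Location")
        conn.close()
    except ConnectionRefusedError:
        # Same failure as `nc -zv <ip> 443`: no listener, so no redirect can be sent.
        return ("refused", f"nothing listening on {host}:{port}")
    except ssl.SSLCertVerificationError as exc:
        return ("bad-cert", exc.verify_message)
    except (OSError, http.client.HTTPException) as exc:
        return ("error", str(exc))
    if resp.status in (301, 302, 303, 307, 308) and location:
        return ("redirect", location)
    return ("served", str(resp.status))

def audit(apex, canonical=CANONICAL, probe_fn=probe):
    """Probe http/https x apex/www; ok means the URL reaches the canonical one."""
    canon_scheme, canon_host = canonical.split("://")[0], canonical.split("/")[2]
    report = []
    for scheme in ("http", "https"):
        for host in (apex, "www." + apex):
            state, detail = probe_fn(scheme, host)
            ok = (state == "redirect" and detail == canonical) or (
                state == "served" and detail == "200"
                and (scheme, host) == (canon_scheme, canon_host))
            report.append((f"{scheme}://{host}/", state, detail, ok))
    return report

if __name__ == "__main__":
    apex = sys.argv[1] if len(sys.argv) > 1 else "apptic.me"
    for url, state, detail, ok in audit(apex):
        print(f"{'OK  ' if ok else 'FAIL'} {url:28} {state:9} {detail}")
```

A `refused` row on the https apex URL is the condition diagnosed in the answer; a `bad-cert` row is what the "bogus SSL cert" alternative would produce instead.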