14

Our website needs HIPAA compliance so everything needs to be encrypted. I don't want client to get an error message when they put in "http://mysite.com", so I need to support both HTTP and HTTPS, and redirect HTTP to HTTPS. Am I right?

I did it correctly on the web servers. So if I directly connect to the web servers, HTTP is automatically redirected to HTTPS. All good.

But the web servers are sitting behind an AWS Application Load Balancer. I don't know how to redirect HTTP to HTTPS on the ELB. So client browsers can still connect to the ELB through HTTP.

How to set up HTTP => HTTPS on an AWS Application Load Balancer?

In other words, I am sure the connection between the ELB and web servers are HTTPS, but how to make sure the connection between the client browsers and the ELB are HTTPS?

sandstrom
  • 498
  • 5
  • 11
Silly Dude
  • 549
  • 2
  • 6
  • 19
  • You don't do it on the LB. You do it on the instances, based off the `X-Forwarded-Proto` header the LB sends. – ceejayoz Sep 14 '17 at 13:59
  • I am not a server person - I am a C# programmer, so please excuse me for being dumb - I have used URL rewrite module to setup the redirection on the Windows server. It works if I directly connect to the server. But if I connect to the ELB, I can still connect with HTTP. Why? – Silly Dude Sep 14 '17 at 14:07
  • Is the ALB listening on 443 with an SSL Certificate on it? To be sure in your question, you're also want SSL between the ALB and the servers? – strongjz Sep 15 '17 at 13:45
  • https://serverfault.com/questions/875477/aws-how-to-redirect-http-to-https-on-app-load-balancer – net_prog Sep 26 '18 at 10:45

4 Answers4

15

As of July 2018, this is supported on application load balancers.

  • Add/Edit your HTTP:80 listener
  • Set the action to Redirect
  • protocol: https
  • port: 443
  • set the next dropdown to Original host, path, query
  • set the last dropdown to 301 - Permanently moved

Image of settings for an HTTP to HTTPS listener on AWS application load balancer

John Pope
  • 151
  • 1
  • 4
1

As of today, the listeners configuration doesn't give the option to redirect HTTP.

If you want to do it, you have to edit your nginx configuration.

You need to be careful not stop the LB from sending HTTP healthchecks. That can be avoided by configuring healthchecks to use HTTPS or by carefully considering it in the nginx configuration file.

This is the configuration I use to write the forwarding configuration in my Elastic Beanstalk environment: Elastic Beanstalk configuration to redirect HTTP to HTTPS (place this inside .ebextensions folder and deploy)

You can either use it if you are using EB or you can read the configuration and write it manually.

Edhowler
  • 111
  • 2
1

Usually what happens is that the ELB is set to receive https (port 443) and forward to EC2 instance (load balancer target) on http (port 80).

The backend web server redirects these requests to port 443 on the load balancer, causing an infinite loop of redirection (between the load balancer and the backend web server).

A common error message is ERR_TOO_MANY_REDIRECTS.

The solution is to look at the X-Forwarded-Proto, which is the protocol as seen by the load balancer, when deciding on redirection.

For nginx the config will look like this:

server {
    listen   80;
    server_name    www.example.org;   
    if ($http_x_forwarded_proto = 'http') {
         return 301 https://$server_name$request_uri;   
    }
}

and for apache .htaccess something like this:

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule .* https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]

NOTE: Although one might think it would be convenient if this could be handled without webserver reconfiguration, as of spring 2018 there is no way of solving this using only ELB, i.e. you must configure your webserver to make this work.

sandstrom
  • 498
  • 5
  • 11
-4

You can add the below listed configuration to your .htaccess file. But before that make sure mod_rewrite is enabled on server and .htaccess file is not denied. 

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule . https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]

For detailed explanation kindly go through the official documentation from aws end. https://aws.amazon.com/premiumsupport/knowledge-center/redirect-http-https-elb/

imvikasmunjal
  • 695
  • 7
  • 14
  • 7
    This answer seems to involve the [Apache HTTP Server](https://httpd.apache.org/) – Paul Draper Dec 09 '17 at 20:54
  • 2
    OP asks how to configure the ELB so you explain how to configure Apache? They explicitly said they've already configured Apache to do the redirect. Please delete your answer. – Cerin May 05 '19 at 01:16