
I have a number of IIS web servers behind an App Load Balancer (ALB). The web servers all have a self-signed SSL certificate installed and redirect from HTTP to HTTPS using the URL Rewrite module, properly set up:

[image: IIS URL Rewrite rule redirecting HTTP to HTTPS]

If I directly access these web servers, HTTP will be redirected to HTTPS.

The protocol used by the target group is HTTPS. The ALB listens on both HTTP and HTTPS. It has an SSL certificate on "www.mysite.com".

However, when I tried to access the ALB using HTTP, it is not redirected to HTTPS. Now that the servers do redirect properly, why doesn't the ALB?

Silly Dude
    Your target group is probably pointing to port 443. That way your webservers always receive requests on port 443 from the ALB, so they don't do any redirect. – Sergey Kovalev Sep 26 '17 at 07:44
  • You are right Sergey. So it should use port 80? – Silly Dude Sep 27 '17 at 02:22
  • But if I use port 80 on the target group, the ALB will insist on talking to the servers on port 80, while the servers insist on 443, and the ALB will simply return "This site can’t be reached". I tried. – Silly Dude Sep 27 '17 at 03:00
    One of the most popular workarounds is to put CloudFront in front of your website/ALB and tell CloudFront to redirect HTTP to HTTPS. – Sergey Kovalev Sep 27 '17 at 17:55

2 Answers

It's now possible to directly do some redirection in any ALB rule, see related AWS announcement.

To unconditionally redirect all queries from HTTP to HTTPS, you have to configure the HTTP listener with only the default rule/action to permanently redirect (301) all requests with the same host, path and query to the HTTPS port (typically 443) with the HTTPS protocol:

[image: AWS ALB HTTP to HTTPS configuration with permanent redirect]

Sylvain Bugat

Assuming that you are running Microsoft Windows in an EC2 instance, and you are using IIS to configure two web sites, siteA and siteB. Set up siteA to bind at port 81 and siteB to bind at port 82.

STEP 1:
In AWS console, select "Target Groups" under "Load Balancing". Create two target groups:
1. siteA-target-group with your web server instance ID and port 81
2. siteB-target-group with your web server instance ID and port 82
Note: you can add more web server instances in the target group for load balancing and failover purposes.

STEP 2:
In AWS ALB, there are two listeners, one for port 80 and one for port 443.

For HTTP (80), add 2 rules:
1. if host is siteA.com, redirect to https://#{host}:443/#{path}?#{query}
2. if host is siteB.com, redirect to https://#{host}:443/#{path}?#{query}

For HTTPS (443), add 2 rules:
1. if host is siteA.com, forward to siteA-target-group
2. if host is siteB.com, forward to siteB-target-group

STEP 3:
On your DNS provider, set up a CNAME for siteA.com to point at the ALB's DNS name. Similarly, set up a CNAME for siteB.com.

When the above setup is completed, test connecting to http://siteA.com or http://siteB.com:

i) traffic hits the ALB on port 80
ii) the host header matches the rule "siteA.com" and the ALB redirects traffic to port 443
iii) traffic hits the ALB on port 443
iv) the host header matches the rule "siteA.com" and the ALB forwards to target group siteA-target-group
v) siteA-target-group points at port 81 on the web server and the page is served.
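To make the Step 2 rule tables and the five-step walkthrough concrete, here is an added Python model of the ALB rule evaluation (constructed for this edit, not AWS code and not the answer's own). It contrasts the asker's setup, where every listener forwards to an HTTPS target group on 443 so IIS never sees port 80, with the answer's redirect-then-forward rules. Rule hosts, target-group names and backend ports come from the answer; the target-group name https-443-target-group and the handling of a dangling "?" are this model's assumptions.

```python
from urllib.parse import urlsplit

# Template exactly as the answer writes it; the ALB substitutes #{host}, #{path}, #{query}.
REDIRECT_TEMPLATE = "https://#{host}:443/#{path}?#{query}"
# Rules: (listener_port, host_condition or None for any host, action), where action is
# ("redirect", template) or ("forward", target_group_name, backend_port).
ANSWER_RULES = [
    (80, "siteA.com", ("redirect", REDIRECT_TEMPLATE)),
    (80, "siteB.com", ("redirect", REDIRECT_TEMPLATE)),
    (443, "siteA.com", ("forward", "siteA-target-group", 81)),
    (443, "siteB.com", ("forward", "siteB-target-group", 82)),
]
# The asker's setup (target-group name assumed): every listener forwards to an HTTPS target
# group on 443, so IIS only ever sees port 443 and its own HTTP-to-HTTPS rewrite never fires.
QUESTION_RULES = [
    (80, None, ("forward", "https-443-target-group", 443)),
    (443, None, ("forward", "https-443-target-group", 443)),
]

def split_url(url):
    """Return (host as sent, port, path without its leading '/', query string)."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return p.netloc.split(":")[0], port, p.path.lstrip("/"), p.query

def expand_redirect(template, url):
    """Fill the placeholders; #{path} carries no leading '/', the template supplies it."""
    host, _, path, query = split_url(url)
    location = template.replace("#{host}", host).replace("#{path}", path)
    location = location.replace("#{query}", query)
    # Model simplification (assumption): drop the dangling '?' when the request had no query.
    return location[:-1] if location.endswith("?") else location

def handle_request(url, rules):
    """Return (status, detail) for one client request evaluated against a rule table."""
    host, port, _, _ = split_url(url)
    for listener_port, rule_host, action in rules:  # host conditions match case-insensitively
        if listener_port == port and (rule_host is None or rule_host.lower() == host.lower()):
            if action[0] == "redirect":
                return 301, expand_redirect(action[1], url)
            return 200, f"forwarded to {action[1]} on backend port {action[2]}"
    return 503, "no listener rule matched"

def follow(url, rules, max_hops=5):
    """Follow 301s the way a browser would; return every hop as (status, detail)."""
    hops = [handle_request(url, rules)]
    while hops[-1][0] == 301 and len(hops) < max_hops:
        hops.append(handle_request(hops[-1][1], rules))
    return hops
```

Running `follow("http://siteA.com/app?x=1", QUESTION_RULES)` shows a single forward on port 443 with no redirect, while the same URL against `ANSWER_RULES` shows the 301 hop followed by the forward to siteA-target-group on port 81.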

bummi
John Ng