RequireHttps causes redirect loop on Amazon Elastic Load Balancer

7
votes

I have an ASP.NET MVC 4 application running behind Amazon's elastic load balancer. Everything works OK when I install my SSL certificate on the load balancer and the web server and terminate SSL at the web server layer.

However, when I attempt to terminate at the load balancer layer, forwarding internal traffic from the load balancer to web servers un-encrypted on port 80, the RequireHttps attribute causes a redirect loop. This seemingly makes sense as it is requesting an encrypted channel and doesn't know that it is getting one (between the browser and load balancer). Has anyone run into this same issue? Any suggestions would be appreciated!

Edit: The solution

The following links may be useful to anyone else who runs into this issue:

MVC3, RequireHttps and custom handler result in http 310

https://gist.github.com/915869

3
asp.net-mvcsslamazon-web-servicesload-balancing

3 Answers

7
votes

It seems that to use this functionality on AWS, you look at the "X-Forwarded-Proto" HTTP header item. If the initial request is HTTPS, the load balancer injects the header and it says "https". If it's HTTP, it says, "http".

Answer found here: http://aws.typepad.com/aws/2010/10/keeping-customers-happy-another-new-elastic-load-balancer-feature.html

6
votes

I was experiencing the same issue I found that the following RequireHttpsAttribute filter worked for me.

public class SSLFilter : RequireHttpsAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        if (filterContext.HttpContext.Request.IsLocal ||
            (filterContext.RequestContext.HttpContext.Request.Headers.AllKeys.Contains("X-Forwarded-Proto") &&
            filterContext.RequestContext.HttpContext.Request.Headers.Get("X-Forwarded-Proto").ToLower().Equals("https")))
        {
            return;
        }

        base.OnAuthorization(filterContext);
    }
}
1
votes

I provided a solution for this in the following link: https://stackguides.com/questions/37954796/requirehttpsattribute-with-netcore-rc2-causes-http302-redirect-loop-on-azure#=

Which says:

You can work around this by adding the following lines to ConfigureServices in Startup.cs (and add "using Microsoft.AspNetCore.HttpOverrides;")

services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders = ForwardedHeaders.XForwardedProto;
        });