0
votes

I'm using Elastic Beanstalk, and I installed my SSL certificate in my EB load balancer. Every time the server is not healthy, the load balancer deletes the instance and creates a new one, which means I'm gonna lose my redirection code and the SSL setup that I installed inside the instance.

That's why I installed my SSL on the load balancer. However, how can I redirect HTTP to HTTPS on the load balancer?

I used to redirect by putting the code below inside the instance, but if I keep doing it this way, when the load balancer removes an unhealthy instance, I'm gonna lose my redirection from HTTP to HTTPS.

What should I do?

<VirtualHost _default_:80>
  ServerName (domain).com
  ServerAlias www.(domain).com
  RedirectPermanent / https://www.(domain).com/
</VirtualHost>

<VirtualHost _default_:443>
  RewriteEngine On
  RewriteCond %{HTTP_HOST} !^www\. [NC]
  RewriteRule ^(.*) https://www.%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
</VirtualHost>

UPDATE

Here are my listeners on Load Balancers in EC2


3 Answers

3
votes

When using a load balancer in AWS, the common use case is to install the SSL certificate on the load balancer. This is commonly called SSL offloading or Layer 7 load balancing. Traffic from the load balancer to the EC2 instance is not encrypted and typically over port 80 (sometimes 8080) (HTTP). Traffic from the client to your load balancer is defined by the listeners that you created.

Layer 4 load balancing uses TCP to talk to your EC2 instance and you install the SSL certificate on your web server. Your web server then knows what port the client is connecting on and the following DOES NOT APPLY.

Your code running your website needs to check if the client connected to the load balancer using HTTPS. If true, don't redirect the client. If the client connected to the load balancer using HTTP, then redirect the client.

The following PHP code shows how to read the Load Balancer headers that are sent to your EC2 instance to determine if the client connected over HTTPS. If you are not using a language such as PHP or Node.js, you can also create Apache configurations that know how to read the correct headers (example at the bottom).

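function require_ssl()
{
        // Global switch set by the application's configuration
        global $config_require_ssl;

        if ($config_require_ssl == FALSE)
        {
                return;
        }

        // The load balancer terminates TLS and reports the protocol the
        // client used in the X-Forwarded-Proto header
        if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']))
        {
                if (strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false)
                {
                       $_SERVER['HTTPS'] = 'on';
                }
        }

        // The client did not use HTTPS: redirect to the same host and URI over HTTPS
        if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on')
        {
                header("Location: https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);

                exit();
        }
}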

This is the code for Apache:

<VirtualHost *:80>
    RequestHeader set X-Forwarded-Proto "http"
    RewriteEngine On
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
    …
</VirtualHost>
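
The same X-Forwarded-Proto check for Node.js, which the answer names as an alternative to PHP, written as an added example that is not part of the original answer. The host names are constructed placeholders and the function names are assumptions; unlike the PHP version it compares the header value exactly and does not copy an unlisted Host header into the redirect.

```javascript
// Added example, not the answer's own code. Host names are constructed
// placeholders; function names are assumptions made for illustration.
const CANONICAL_HOST = "www.example.com";
const ALLOWED_HOSTS = new Set(["example.com", "www.example.com"]);

// Returns the https:// URL to redirect to, or null if the client already
// reached the load balancer over HTTPS.
function httpsRedirectTarget(headers, url) {
  // Node lower-cases header names. Compare the whole value instead of
  // searching for a substring, so a value like "nothttps" is not accepted.
  const proto = String(headers["x-forwarded-proto"] || "").trim().toLowerCase();
  if (proto === "https") return null;

  // Host is client-supplied. Echo it into Location only when allow-listed,
  // otherwise fall back to the canonical name.
  const host = String(headers["host"] || "").toLowerCase().replace(/:\d+$/, "");
  const target = ALLOWED_HOSTS.has(host) ? host : CANONICAL_HOST;

  // Accept origin-form request targets only ("/path?query").
  const path = typeof url === "string" && url.startsWith("/") ? url : "/";
  return "https://" + target + path;
}

// Request listener wrapper: redirect plain-HTTP clients, pass the rest to app.
function requireHttps(app) {
  return function (req, res) {
    const location = httpsRedirectTarget(req.headers, req.url);
    if (location === null) return app(req, res);
    res.writeHead(301, { Location: location });
    res.end();
  };
}

// Wiring (not executed here):
//   require("http").createServer(requireHttps(app)).listen(80);
```

The header is only meaningful when the instance accepts traffic solely from the load balancer, since a client connecting to the instance directly can set it to any value.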

0
votes

You'll need to set up the application that you've got running in Elastic Beanstalk to configure HTTP to HTTPS redirection.

Then, when setting up the Load Balancer through Elastic Beanstalk, create 2 listeners, one for port 80 and one for 433, which both forward on.

https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environments-cfg-alb.html

0
votes

You can offload the SSL traffic at the Application Load Balancer (ALB) and the communication between ALB and you can configure the redirection from HTTP to HTTPS using EC2 web server configuration.

You are right that if there are no running servers the redirection won't work. In fact, the response will be a different error where the resource is not accessible. If you configure the autoscaling and load balancing with more than one instance, in most cases at least one healthy instance should be able to do the redirection.