How to redirect HTTP to HTTPS on AWS Application Load Balancer?


Solution 1

You can add the configuration listed below to your .htaccess file. But before that, make sure mod_rewrite is enabled on the server and the .htaccess file is not denied.

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule . https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]

For a detailed explanation, kindly go through the official AWS documentation: https://aws.amazon.com/premiumsupport/knowledge-center/redirect-http-https-elb/

Solution 2

As of July 2018, this is supported on application load balancers.

  • Add/Edit your HTTP:80 listener
  • Set the action to Redirect
  • protocol: https
  • port: 443
  • set the next dropdown to Original host, path, query
  • set the last dropdown to 301 - Permanently moved

Image of settings for an HTTP to HTTPS listener on AWS application load balancer

Solution 3

Usually what happens is that the ELB is set to receive https (port 443) and forward to EC2 instance (load balancer target) on http (port 80).

The backend web server redirects these requests to port 443 on the load balancer, causing an infinite loop of redirection (between the load balancer and the backend web server).

A common error message is ERR_TOO_MANY_REDIRECTS.

The solution is to look at the X-Forwarded-Proto, which is the protocol as seen by the load balancer, when deciding on redirection.

For nginx the config will look like this:

server {
    listen   80;
    server_name    www.example.org;   
    if ($http_x_forwarded_proto = 'http') {
         return 301 https://$server_name$request_uri;   
    }
}

and for apache .htaccess something like this:

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule .* https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]

NOTE: Although one might think it would be convenient if this could be handled without webserver reconfiguration, as of spring 2018 there is no way of solving this using only ELB, i.e. you must configure your webserver to make this work.

Solution 4

As of today, the listeners configuration doesn't give the option to redirect HTTP.

If you want to do it, you have to edit your nginx configuration.

You need to be careful not to stop the LB from sending HTTP healthchecks. That can be avoided by configuring healthchecks to use HTTPS or by carefully considering it in the nginx configuration file.

This is the configuration I use to write the forwarding configuration in my Elastic Beanstalk environment: Elastic Beanstalk configuration to redirect HTTP to HTTPS (place this inside .ebextensions folder and deploy)

You can either use it if you are using EB or you can read the configuration and write it manually.
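The redirect loop from Solution 3 and the health-check concern from Solution 4 can be reproduced offline with a small model. This is an added example, not code from any of the answers: `alb_forward`, `naive_backend`, `xfp_backend`, `browse` and `health_check` are hypothetical names, and the model assumes the load balancer's health check reaches the target over plain HTTP without an X-Forwarded-Proto header.

```python
from urllib.parse import urlsplit

MAX_REDIRECTS = 20  # constructed cap standing in for the browser's redirect limit

def alb_forward(url, backend):
    """Constructed model of the LB: terminates TLS, always talks plain HTTP to
    the target, and reports the client's scheme in X-Forwarded-Proto."""
    parts = urlsplit(url)
    headers = {"Host": parts.netloc, "X-Forwarded-Proto": parts.scheme}
    return backend(scheme="http", path=parts.path or "/", headers=headers)

def naive_backend(scheme, path, headers):
    # Decides on the scheme of the connection it sees, which is always http
    if scheme == "http":
        return 301, f"https://{headers['Host']}{path}"
    return 200, None

def xfp_backend(scheme, path, headers):
    # Same decision as the nginx/Apache rules: only the header value matters
    if headers.get("X-Forwarded-Proto") == "http":
        return 301, f"https://{headers['Host']}{path}"
    return 200, None

def browse(url, backend):
    """Follow redirects like a browser; return (final_status, redirects_followed)."""
    for hops in range(MAX_REDIRECTS):
        status, location = alb_forward(url, backend)
        if status != 301:
            return status, hops
        url = location
    return "ERR_TOO_MANY_REDIRECTS", MAX_REDIRECTS

def health_check(backend):
    # Assumption: the health check hits the target directly over HTTP and
    # carries no X-Forwarded-Proto header (10.0.0.5 is a constructed address)
    status, _ = backend(scheme="http", path="/", headers={"Host": "10.0.0.5"})
    return status
```

With the header-based rule a plain-HTTP visit is redirected once and then served, and the health check still gets a 200; the naive rule loops until the cap and answers the health check with a 301.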


Author: Silly Dude

Updated on September 18, 2022

Comments

  • Silly Dude
    Silly Dude over 1 year

    Our website needs HIPAA compliance so everything needs to be encrypted. I don't want clients to get an error message when they put in "http://mysite.com", so I need to support both HTTP and HTTPS, and redirect HTTP to HTTPS. Am I right?

    I did it correctly on the web servers. So if I directly connect to the web servers, HTTP is automatically redirected to HTTPS. All good.

    But the web servers are sitting behind an AWS Application Load Balancer. I don't know how to redirect HTTP to HTTPS on the ELB. So client browsers can still connect to the ELB through HTTP.

    How to set up HTTP => HTTPS on an AWS Application Load Balancer?

    In other words, I am sure the connection between the ELB and web servers is HTTPS, but how to make sure the connection between the client browsers and the ELB is HTTPS?

    • ceejayoz
      ceejayoz over 6 years
      You don't do it on the LB. You do it on the instances, based off the X-Forwarded-Proto header the LB sends.
    • Silly Dude
      Silly Dude over 6 years
      I am not a server person - I am a C# programmer, so please excuse me for being dumb - I have used the URL rewrite module to set up the redirection on the Windows server. It works if I directly connect to the server. But if I connect to the ELB, I can still connect with HTTP. Why?
    • strongjz
      strongjz over 6 years
      Is the ALB listening on 443 with an SSL Certificate on it? To be sure in your question, you also want SSL between the ALB and the servers?
    • net_prog
      net_prog over 5 years
  • Paul Draper
    Paul Draper over 6 years
    This answer seems to involve the Apache HTTP Server
  • Cerin
    Cerin about 5 years
    OP asks how to configure the ELB so you explain how to configure Apache? They explicitly said they've already configured Apache to do the redirect. Please delete your answer.