How to redirect HTTP to HTTPS on AWS Application Load Balancer

amazon-elbamazon-web-serviceshttphttpsredirect

Our website needs HIPAA compliance so everything needs to be encrypted. I don't want client to get an error message when they put in "http://mysite.com", so I need to support both HTTP and HTTPS, and redirect HTTP to HTTPS. Am I right?

I did it correctly on the web servers. So if I directly connect to the web servers, HTTP is automatically redirected to HTTPS. All good.

But the web servers are sitting behind an AWS Application Load Balancer. I don't know how to redirect HTTP to HTTPS on the ELB. So client browsers can still connect to the ELB through HTTP.

How to set up HTTP => HTTPS on an AWS Application Load Balancer?

In other words, I am sure the connection between the ELB and web servers are HTTPS, but how to make sure the connection between the client browsers and the ELB are HTTPS?

Best Answer

You can add the below listed configuration to your .htaccess file. But before that make sure mod_rewrite is enabled on server and .htaccess file is not denied.

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule . https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]

For detailed explanation kindly go through the official documentation from aws end. https://aws.amazon.com/premiumsupport/knowledge-center/redirect-http-https-elb/

Correct way in new versions of nginx

Turn out my first answer to this question was correct at certain time, but it turned into another pitfall - to stay up to date please check Taxing rewrite pitfalls

I have been corrected by many SE users, so the credit goes to them, but more importantly, here is the correct code:

server {
       listen         80;
       server_name    my.domain.com;
       return         301 https://$server_name$request_uri;
}

server {
       listen         443 ssl;
       server_name    my.domain.com;
       # add Strict-Transport-Security to prevent man in the middle attacks
       add_header Strict-Transport-Security "max-age=31536000" always; 

       [....]
}

Ssl – Possible to redirect from HTTPS to HTTP behind load-balancer

Yes, the F5 may be intercepting and rewriting the redirect to be HTTPS.

Find the HTTP Profile that is associated with your Virtual Server. What is "Rewrite Redirects" set to? Since you're the developer of the app, you probably want None. (Remember to make a new HTTP profile for your app rather than edit the default one.)

This option is designed to handle redirects from applications that aren't really SSL Offload aware.

There's a good article about this option on DevCentral.

On a related note, why are you redirecting back to HTTP? If your BIG-IP is hardware (not Virtual Edition) then it probably handles 500-2000 SSL TPS depending on licensed modules. What is your traffic load? I'm guessing you're unlikely to be establishing over 500 new SSL connections per second. It could be easier and more secure to keep everything on HTTPS.

Best Answer

Related Solutions

Nginx – In Nginx, how can I rewrite all http requests to https while maintaining sub-domain

Correct way in new versions of nginx

Ssl – Possible to redirect from HTTPS to HTTP behind load-balancer

Related Topic