Can AWS redirect HTTP to HTTPS? - amazon-web-services

Background
I am serving an application on AWS using Route53 + LoadBalancer + EC2.
I want to force all users to use https. Whenever a request is made on http, I want it redirected to a https request.
Potential Solutions
I know of three ways to redirect HTTP to HTTPS:
Client side. This involves using JS to check if the host is http or https, and redirecting if it's https.
Server Side. This involves configuring the webserver to redirect all http requests to https.
However, I'm curious: can this be done at the Route53 or LoadBalancer stage?
Question
Is there some way to configure Route53 or LoadBalancer so that any requests on http are redirected to https?
Thanks!
Edit
For downvoters: please explain why you are downvoting. The solutions I have found on SO / Google are "how to do redirection via server", which is option 2. I'm trying to solve this at the AWS layer.

There is no point in doing a 'client side redirect'. By the time the JS runs and does the redirect, it is way too late. The request response content has already leaked all over the net. You must do it at the server side, respond with a 301 status and Location header, and no content. This can and should be done by your Web server stack (nginx, Apache) before hitting your app (php, node, etc).
ELB does not support redirect. It supports SSL/TLS offloading by forwarding the HTTPS traffic to HTTP target group and adding the X-Forwarded-proto headers, see How do I redirect HTTP traffic on my server to HTTPS on my load balancer?. But redirect must be handled by your back end server.
Latest Update:
AWS announces support for Redirects and Fixed Responses for Application Load Balancer with two new actions: redirect and fixed-response. This way you can configure the HTTP to HTTPS redirection at the Load Balancer Level.

I've had the same problem and this is how I solved it:
cd /etc/httpd/conf.d/elasticbeanstalk
nano 00_application.conf
add this inside
...
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule . https://example.com [L,R=permanent]
</VirtualHost>
service httpd restart
Clear cookies from the web browser and try the http URL to see if it redirects.

The AWS method to solve this is via AWS CloudFront. You buy a URL through Route53 (you don't have to), then you create an SSL certificate within AWS Certificate Manager, then you set up AWS CloudFront (where you need the certificate you just set up). Hey presto, site delivered to SSL with all the security of AWS set up for you and a very fast delivery service.

Related

how to make aws public ip run on https on port 80 for nginx

I have hosted my node.js app on AWS EC2.
I don't have a domain name for my nodejs app. I am running it on Public IPv4 address 54.242.85.178.
I have a domain for my front end and it's running on https, so when https and http come I am getting the following error:
Mixed Content: The page at 'https://www.wixten.com/query/622c64b4a12ed5002313daf5' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://54.242.85.178/answersapi/622c64b4a12ed5002313daf5'. This request has been blocked; the content must be served over HTTPS.
Based on the error, your frontend is making HTTPS calls to an HTTP endpoint (on the ip 54.242.85.178), hence you have that error. I am guessing you're using ajax to make that call.
For a quick fix, you can update your frontend to make HTTP calls to your backend. This will sort out this issue, however this is HIGHLY NOT recommended, but it will help you understand the issue better.
Ideally, you have to add an SSL certificate on your backend as well, then you can make HTTPS calls to it from your frontend.
The error says it all - you can't mix https and http. You have to go through your source code and eliminate all http urls and substitute them for proper https urls.

update insecure request on Application Load Balancer

I want to look for a feature on ALB AWS that can update http to https on its own, just like in the NGINX load balancer. Currently I have a website that uses WordPress, but when using ALB the website only shows text. Is there another way to upgrade the URL from http to https without having to edit the code?
Yes, you can redirect http to https as explained in AWS docs:
How can I redirect HTTP requests to HTTPS using an Application Load Balancer?
For that you need your own domain name. Once you have the domain you can get the SSL certificate for HTTPS from Amazon Certificate Manager, which you can deploy on your ALB.

SSL certification not working when I don't use https before my domain name

So I was able to get an SSL certificate for my website and it is on AWS, but for some reason when I input www.mydomain.com or mydomain.com it still shows unsecured in the browser, but when I add https to mydomain.com it shows the secure icon. Please, can anyone help with how to solve this?
The reason is that the server has no redirection policy; you need to add a redirection policy to redirect the site from HTTP to HTTPS.
If you are using Application load balancer you can go through below article to set up HTTP to HTTPS redirection.
redirect-http-to-https-using-alb
If you are using Nginx, then you can look into redirect-http-to-https-in-nginx
https-everywhere
SSL in web applications is only carried out when your user loads the website using HTTPS. Generally in this situation you would want to perform a redirect (a 302 is more preferable initially than a 301 as it is not permanent in the event of a rollback).
There are a number of ways you can trigger a redirection without having to make any server changes, it all depends on your infrastructure setup.
If the first point of call is CloudFront you can update your viewer protocol policy to Redirect HTTP to HTTPS. CloudFront will redirect any HTTP request before they touch the origin.
If you're using an application load balancer then you can update your listener rule for HTTP to redirect HTTP to HTTPS. As with the above requests would not be forwarded to your host.
Otherwise, if you're using a Classic Load Balancer, Network Load Balancer or just plain EC2, then it falls to you to modify the configuration of your hosts to do the redirect (remembering to set it to a 302).
Below are links for most common web servers:
Apache
Nginx
IIS
Tomcat
Once you're happy with the redirect, feel free to set as a 301.
The above answer works, but in addition, if you are using a load balancer in front of your AWS EC2 instance, you can follow this video link for the best explanation and practice.
How to redirect HTTP traffic to HTTPS in the EC2 Elastic Load Balancer

Redirection of HTTP to HTTPS in the AWS Application Load Balancer converts POST requests to GET requests

I use an Application Load Balancer in AWS as an API Gateway: for forwarding requests to different applications running in AWS. I have configured it with support for both HTTP and HTTPS. An HTTPS listener contains all logical rules for request forwarding. And an HTTP listener is configured with a single rule: to redirect all traffic to the HTTPS listener ({host}:443/#{path}?#{query}) and to return 301.
HTTPS works perfectly. And HTTP works fine for GET requests. But I found that POST requests to HTTP are converted to GET requests when being redirected to HTTPS, which obviously ends up with 404.
I found online that the problem is in 301 status (https://rtfm.co.ua/en/http-redirects-post-and-get-requests-and-lost-data/#The_root_cause_3xx_redirects_and_HTTP_RFC). But unfortunately there is no option in AWS ALB rules to redirect requests and to return 307 instead of 301.
So does anyone know how I can fix this issue?
Thank you!
We have a similar setup. What we do is let the HTTP request pass through to the application server. There the application detects the HTTP protocol and does a software-based 301 redirect as a POST to HTTPS. This moves the specialized protocol handling from the ALB to the application itself. Works great. Any application server would be easy to set up in this way.
I also faced the same issue when the http to https redirection is enabled. Just disable automatic https redirection and directly hit the https route.
Could not find any alternate solution other than this.
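
The server-side redirect discussed in the answers above (detect the client-facing scheme from X-Forwarded-Proto behind the load balancer and redirect in the application), as an added example that is not part of any answer on this page: a WSGI middleware that answers 307/308 for methods other than GET/HEAD so a POST is not rewritten to GET. `ForceHTTPS`, `CANONICAL_HOST`, `demo_app` and `simulate` are hypothetical names, and example.com stands in for the real host.

```python
# Added example: WSGI middleware for an app behind an ELB/ALB that terminates TLS.
from urllib.parse import quote

CANONICAL_HOST = "example.com"   # assumed allow-listed public host name
SAFE_METHODS = {"GET", "HEAD"}


class ForceHTTPS:
    """Redirect requests the load balancer received over plain HTTP."""

    def __init__(self, app, host=CANONICAL_HOST, permanent=False):
        self.app, self.host, self.permanent = app, host, permanent

    def redirect_status(self, method):
        # 301/302 let clients rewrite POST to GET; 307/308 require the same
        # method and body to be re-sent to the new location.
        if method in SAFE_METHODS:
            return "301 Moved Permanently" if self.permanent else "302 Found"
        return "308 Permanent Redirect" if self.permanent else "307 Temporary Redirect"

    def __call__(self, environ, start_response):
        # The load balancer sets X-Forwarded-Proto to the client-facing scheme.
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        if proto != "http":
            return self.app(environ, start_response)
        # Build Location from the configured host, not the client-supplied
        # Host header, so the redirect target cannot be steered elsewhere.
        location = "https://" + self.host + quote(environ.get("PATH_INFO") or "/")
        if environ.get("QUERY_STRING"):
            location += "?" + environ["QUERY_STRING"]
        status = self.redirect_status(environ.get("REQUEST_METHOD", "GET"))
        start_response(status, [("Location", location), ("Content-Length", "0")])
        return [b""]


def demo_app(environ, start_response):   # stand-in for the real application
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def simulate(method, proto, path="/", query="", permanent=False):
    """Run one constructed request through the middleware; return (status, Location)."""
    seen = {}
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
               "HTTP_HOST": "untrusted.invalid", "HTTP_X_FORWARDED_PROTO": proto}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    ForceHTTPS(demo_app, permanent=permanent)(environ, start_response)
    return seen["status"], seen["headers"].get("Location")
```

X-Forwarded-Proto can only be trusted when the instance accepts traffic solely from the load balancer; requests that arrive without the header pass through unchanged.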

AWS service to proxy (NOT REDIRECT) HTTP to HTTPS?

Is there any aws product that allows to proxy HTTP to HTTPs without having to spin up a EC2 instance and setup nginx or whatever?
Tried API Gateway but seems to only allow HTTPS
Tried putting cloudfront in front of API gateway but all it does is redirect the request.
Not sure if there is any way to do what I need? For legacy reasons (which cannot change so don't bother suggesting that) I need a way to expose an HTTP endpoint and internally proxy it to my host through HTTPS.
I was hoping there's a service I could use to avoid having to manage and maintain another instance.
Cheers!
You can't proxy HTTP to HTTPS, that won't work. You must redirect. You mention without having to set up nginx or whatever. Nginx would simply redirect your HTTP request to HTTPS. Same as CloudFront would do. You can use CloudFront to redirect HTTP to HTTPS without using API Gateway.
Reading your question again, your application only listens on 443? If that is the case, use CloudFront or stick a docker container (nginx) on the EC2 host where your application runs.