My application's URL is: abc.com. I have configured SSL in it and I am also using ELB that acts as the proxy server to the application. Now if someone hits www.abc.com, I want it (www.abc.com) to be redirected to abc.com and also SSL should work.
I have added www.abc.com to the DNS. Now www.abc.com is working but SSL is not working for the same. How can this be done in AWS? Is there any setting in ELB for the same?
Thanks in advance.
I have a node server running on a Linux AWS Lightsail server. I have used bncert-tool for an SSL certificate. I also have linked a domain to my instance. Now the problem I'm having is when I load my site with http:// I get ERR_EMPTY_RESPONSE but when I load the site with https:// the site loads as expected. I know I have to add an http to https redirection to my bitnami.config file but the bncert-tool automatically does that, but I went ahead and checked if what's mentioned here is applied properly and everything checks out. Do I have to do anything else to automatically redirect all traffic on http to https? Any help is appreciated. Thanks in advance.
You can create a public certificate for SSL from AWS Certificate Manager. After creation of the certificate, you need to create a new record as a CNAME at the place where you manage your domain. After doing that, you will see your website will have an SSL connection. More information about requesting a public certificate.
So I was able to get an SSL certificate for my website and it is on AWS, but for some reason when I input www.mydomain.com or mydomain.com it still shows unsecured in the browser, but when I add https to mydomain.com it shows the secure icon. Please, can anyone help with how to solve this?
The reason is the server has no redirection policy. You need to add a redirection policy to redirect the site from HTTP to HTTPS.
If you are using an Application Load Balancer, you can go through the article below to set up HTTP to HTTPS redirection.
redirect-http-to-https-using-alb
If you are using Nginx, then you can look into redirect-http-to-https-in-nginx
https-everywhere
SSL in web applications is only carried out when your user loads the website using HTTPS. Generally in this situation you would want to perform a redirect (a 302 is more preferable initially than a 301 as it is not permanent in the event of a rollback).
There are a number of ways you can trigger a redirection without having to make any server changes; it all depends on your infrastructure setup.
If the first point of call is CloudFront you can update your viewer protocol policy to Redirect HTTP to HTTPS. CloudFront will redirect any HTTP request before they touch the origin.
If you're using an application load balancer then you can update your listener rule for HTTP to redirect HTTP to HTTPS. As with the above, requests would not be forwarded to your host.
Otherwise if you're using a Classic Load Balancer, Network Load Balancer or just plain EC2 then it falls to you modifying the configuration of your hosts to do the redirect (remembering to set to a 302).
Below are links for most common web servers:
Apache
Nginx
IIS
Tomcat
Once you're happy with the redirect, feel free to set as a 301.
The above answer works, but in addition, if you are using a load balancer in front of your AWS EC2 instance you can follow this video link for the best explanation and practice.
How to redirect HTTP traffic to HTTPS in the EC2 Elastic Load Balancer
I have an EC2 instance which hosts a web site running in IIS. I have also set up an AWS Application Load Balancer with an HTTPS listener into which I have added my web site's SSL certificate (held in AWS Certificate Manager). The HTTPS listener redirects traffic to my target group which in turn points to my EC2 instance. The EC2 instance uses a security group to only allow traffic from the Load Balancer.
Firstly, am I correct in thinking that the Application Load Balancer decrypts the SSL traffic and as a result, this is forwarded to my target group using HTTP (in other words, my EC2 instance's security group only needs to accept HTTP traffic from the Load Balancer and I can remove my SSL certificate from IIS)?
Secondly, the main problem that I am experiencing at the moment is that the site has relative paths to some of the resources (CSS, JavaScript, etc). As a result I am getting mixed content errors in my Firefox console when I browse the site. I set up an HTTP listener in my Load Balancer to redirect traffic to HTTPS but this doesn't seem to be working for relative paths.
I don't particularly want to edit the site to change relative paths to fully qualified HTTPS URLs as it is a very complex content management system. Also, before using the Load Balancer the site was serving content perfectly (the DNS entry pointed to my EC2 instance's public IP address and there was a rewrite rule in IIS to handle non HTTPS traffic).
Any advice would be greatly appreciated.
For your first query, I think yes. You can remove my SSL certificate from IIS and point the EC2 instance's security group to accept HTTP traffic from the Load Balancer.
For your concern about the relative paths problem, please go through this link: After introducing ALB, Mixed Content Error happened
I think it will be helpful.
Open your browser, click on the Network tab and check: these calls should be going somewhere else which is using HTTP. These are outgoing calls from your application, and a redirect will not fix these issues. See the screenshot.
It seems like the same error in your case: you are serving images from some other site, not from the EC2. That means those requests which the EC2 server is supposed to answer will work fine, but those where your code tries to pull a JS file or other resources are outgoing calls, and this has nothing to do with the LB redirect rule.
It is better to update your application and all the URLs to https.
When a user visits a page served over HTTPS, their connection with the
web server is encrypted with TLS and is therefore safeguarded from
most sniffers and man-in-the-middle attacks. An HTTPS page that
includes content fetched using cleartext HTTP is called a mixed
content page. Pages like this are only partially encrypted, leaving
the unencrypted content accessible to sniffers and man-in-the-middle
attackers. That leaves the pages unsafe.
Thanks for the replies. I managed to get to the bottom of the second issue. The site's web.config had a rewrite rule which was forcing URLs to lowercase (something to do with SEO). This was causing the problems when serving the CSS and JS files. I've made the necessary updates to this rule and it now appears to work (see IIS URL rewrite module url's to lowercase).
For the first issue, the SSL certificates do not need to be installed on the IIS web server - they are only required in AWS Certificate Manager and then to be assigned to the Load Balancer which in turn has 2 listeners - one to direct HTTPS traffic to my Target Group and one to redirect HTTP traffic to HTTPS.
My IIS site now only has HTTP bindings and only accepts HTTP traffic from the Load Balancer.
All seems to work!
I'm trying to set up my SSL certificate on my Elastic Beanstalk node website, but my HTTP routes aren't working properly.
I followed the instructions here to set up my load balancer for my EB, and it looks like the below.
https://i.imgur.com/hduzWZT.png
However, I want it to go to HTTPS whenever I go to www.mywebsite.com or mywebsite.com.
At the moment it only goes to HTTPS if I manually type in https:// at the beginning of the URL, and only when I do https://www.mywebsite.com. It doesn't work at https://mywebsite.com.
Otherwise all traffic goes to unsecured HTTP on www.mywebsite.com (without typing the https).
I have set up the certificate properly I believe, and set the DNS A record in Route 53. Any help would be appreciated.
To change your CLB to ALB, refer to the link: Migrating from CLB to ALB
Once that is done, make sure that you update your new ALB's DNS name in your Route 53's Alias Target field.
If everything is working fine, then you can delete your CLB.
Background
I am serving an application on AWS using Route53 + LoadBalancer + EC2.
I want to force all users to use https. Whenever a request is made on http, I want it redirected to a https request.
Potential Solutions
I know of three ways to redirect HTTP to HTTPS:
Client side. This involves using JS to check if the host is http or https, and redirecting if it's https.
Server Side. This involves configuring the webserver to redirect all http requests to https.
However, I'm curious: can this be done at the Route53 or LoadBalancer stage?
Question
Is there some way to configure Route53 or LoadBalancer so that any requests on http are redirected to https?
Thanks!
Edit
For downvoters: please explain why you are downvoting. The solutions I have found on SO / Google are "how to do redirection via server", which is option 2. I'm trying to solve this at the AWS layer.
There is no point in doing a 'client side redirect'. By the time the JS runs and does the redirect, it is way too late. The request response content has already leaked all over the net. You must do it at the server side, respond with a 301 status and Location header, and no content. This can and should be done by your web server stack (nginx, Apache) before hitting your app (php, node, etc).
ELB does not support redirect. It supports SSL/TLS offloading by forwarding the HTTPS traffic to HTTP target group and adding the X-Forwarded-proto headers, see How do I redirect HTTP traffic on my server to HTTPS on my load balancer?. But redirect must be handled by your back end server.
Latest Update:
AWS announces support for Redirects and Fixed Responses for Application Load Balancer with two new actions: redirect and fixed-response. This way you can configure the HTTP to HTTPS redirection at the Load Balancer Level.
I've had the same problem and this is how I solved it:
cd /etc/httpd/conf.d/elasticbeanstalk
nano 00_application.conf
Add this inside:
...
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule . https://example.com [L,R=permanent]
</VirtualHost>
service httpd restart
Clear cookies from the web browser and try the http URL to see if it redirects.
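An added example (not code from any of the posts above): the same X-Forwarded-Proto check as the Apache rule, written as a Node handler for a server behind a TLS-terminating load balancer, extended to keep the path and to fold www onto the apex host. The hostnames abc.com and www.abc.com are assumptions taken from the first question, and redirectFor and handler are hypothetical names.

```javascript
// Added example. Hostnames are assumptions taken from the first question.
const CANONICAL_HOST = 'abc.com';
const ALLOWED_HOSTS = new Set(['abc.com', 'www.abc.com']);

// Decide what to do with a request that arrived through a TLS-terminating
// load balancer. Returns null (serve it) or {status, location}.
// permanent=false gives 302 while testing; switch to 301 once verified.
function redirectFor(headers, url, permanent = false) {
  // X-Forwarded-Proto carries the scheme the client used towards the load
  // balancer. It is only trustworthy if the instance accepts traffic solely
  // from the load balancer (security group), otherwise clients can forge it.
  const proto = String(headers['x-forwarded-proto'] || '').toLowerCase();
  // No header: the request did not come through the proxy path (for example
  // a health check sent straight to the instance). Serve it, as the
  // RewriteCond in the Apache answer does.
  if (proto === '') return null;

  const host = String(headers['host'] || '').toLowerCase().replace(/:\d+$/, '');
  // The Host header is compared, never copied into Location, so a forged
  // Host cannot steer the redirect to another site.
  if (!ALLOWED_HOSTS.has(host)) return { status: 400, location: null };

  if (proto === 'http' || host !== CANONICAL_HOST) {
    // Keep path and query so deep links survive the redirect.
    const path = url.startsWith('/') ? url : '/';
    return { status: permanent ? 301 : 302, location: `https://${CANONICAL_HOST}${path}` };
  }
  return null;
}

// Node request handler; pass it to http.createServer() on the HTTP port
// the load balancer forwards to.
function handler(req, res) {
  const r = redirectFor(req.headers, req.url);
  if (r === null) {
    res.writeHead(200, { 'Content-Type': 'text/plain' });
    return res.end('ok\n');
  }
  // Redirects and rejections carry no body, so no page content is sent
  // in response to a cleartext request.
  const headers = r.location ? { Location: r.location } : {};
  res.writeHead(r.status, headers);
  res.end();
}
```

For https://www.abc.com to reach this code at all, the certificate on the load balancer has to cover www.abc.com as well as abc.com; otherwise the browser stops at the TLS handshake before any redirect is sent.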
The AWS method to solve this is via AWS CloudFront. You buy a URL through Route53 (you don't have to), then you create an SSL certificate within AWS Certificate Manager, then you set up AWS CloudFront (where you need the certificate you just set up). Hey presto, site delivered to SSL with all the security of AWS set up for you and a very fast delivery service.