
AWS Elastic Load Balancer selectively enable SSL

I currently have a rails-based web app that requires a small subset of pages to be served over HTTP - but prefer to serve the rest over HTTPS. In my current AWS setup, SSL terminates at the elastic load balancer and all communication with my app servers is over HTTP. Because of this, solutions like Rack SSL Enforcer aren't appropriate. Currently, I'm serving the following JS snippet in each page to handle the redirect:

<% if should_be_ssl? %>
<script>
  if (window.location.protocol != "https:"){
    window.location.href = "https:" + window.location.href.substring(window.location.protocol.length);
  }
</script>
<% else %>
<script>
  if (window.location.protocol != "http:"){
    window.location.href = "http:" + window.location.href.substring(window.location.protocol.length);
  }
</script>
<% end %>

This results in a relatively significant performance hit each time one of these pages is accessed. Does anyone know of a way to selectively serve certain pages over SSL and control this at the load balancer level?

This isn't currently supported in the ELB itself, however the ELBs provide an X-Forwarded-Proto header. You can check this to see whether the request from the client was over HTTPS. You can then serve a redirect response rather than the page content if necessary. See this blog post from the AWS guys for more information.

You'll have to implement this logic either

  1. with middleware, eg rack-ssl-enforcer

    Looking at the documentation for rack-ssl-enforcer, it appears to support the X-Forwarded-Proto header out of the box, so you may not need to do anything at all. You can see in the source that the header is respected.

  2. in your application (probably with a redirect response rather than on the client)

  3. in a reverse proxy, eg an haproxy between your app server and the ELB

     acl is_http hdr(X-Forwarded-Proto) http
     acl account_login url_beg /account/login
     redirect scheme https code 301 if account_login is_http

Depending on your configuration, if you have any other reverse proxies between the ELB and whatever's checking the header, you may need to configure those to pass the X-Forwarded-Proto header correctly. See this issue, for instance.
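The X-Forwarded-Proto check described in the answer, written up as an added Rack middleware example (not code from the question, the answer, or rack-ssl-enforcer); the path prefixes and host name are assumed values, and the middleware only works on the Rack env hash so it runs without the rack gem installed:

```ruby
# Added example: a Rack middleware that enforces a per-path scheme policy using
# the X-Forwarded-Proto header the ELB sets on requests it forwards over HTTP.
# The path prefixes below are constructed for illustration.
class SelectiveSsl
  # Paths under these prefixes must be served over HTTPS; all others over HTTP.
  DEFAULT_SSL_PREFIXES = ['/account', '/checkout'].freeze

  def initialize(app, ssl_prefixes: DEFAULT_SSL_PREFIXES)
    @app = app
    @ssl_prefixes = ssl_prefixes
  end

  def call(env)
    path = env['PATH_INFO'].to_s
    # X-Forwarded-Proto may carry a comma-separated chain when several proxies
    # sit in front of the app; the first entry is the scheme the client used.
    # Trust the header only when the app server is reachable solely through
    # the ELB, otherwise a direct client could set it to anything.
    forwarded = env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip.downcase
    actual = forwarded.empty? ? env['rack.url_scheme'].to_s : forwarded
    wanted = requires_ssl?(path) ? 'https' : 'http'

    return @app.call(env) if actual == wanted

    # Redirect to the same host, path and query string; only the scheme changes.
    host = env['HTTP_HOST'] || env['SERVER_NAME']
    query = env['QUERY_STRING'].to_s
    location = "#{wanted}://#{host}#{path}"
    location += "?#{query}" unless query.empty?
    [301, { 'Location' => location, 'Content-Type' => 'text/plain', 'Content-Length' => '0' }, []]
  end

  # Prefix match on whole path segments, so '/account' does not capture '/accounts'.
  def requires_ssl?(path)
    @ssl_prefixes.any? { |prefix| path == prefix || path.start_with?("#{prefix}/") }
  end
end

# Minimal downstream app plus a helper that drives the middleware with a
# hand-built env (constructed sample request, assumed host name).
APP = SelectiveSsl.new(->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] })

def route(path, forwarded_proto, query: '')
  env = { 'PATH_INFO' => path, 'QUERY_STRING' => query, 'HTTP_HOST' => 'app.example.com',
          'rack.url_scheme' => 'http', 'HTTP_X_FORWARDED_PROTO' => forwarded_proto }
  status, headers, _body = APP.call(env)
  [status, headers['Location']]
end
```

In a Rails app this would be registered with `config.middleware.use SelectiveSsl` ahead of anything that renders a page, so mismatched requests are answered with the redirect before any content is built.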
