
Redirect http traffic to https using Nginx on ELB

I am having some trouble here trying to send my http traffic to https. So I am using Elastic Beanstalk from AWS to deploy a Rails 5 application called eightysixpad.me. I have configured SSL so when you go to https://www.eightysixpad.me it says secure and I am happy; however, when you go to http:// it says unsecure and I cannot figure out how to redirect the traffic.

I am very new to Nginx and Web Applications so any help would be greatly appreciated! I have ssh'd into my EC2 instance and tried to configure the Nginx configuration file at /etc/nginx/nginx.conf with the following configuration settings.

server {
    listen         80;
    server_name   eightysixpad.me;
    if ($http_x_forwarded_proto != "https") {
      rewrite ^(.*)$ https://$server_name$1 permanent;
    }
    root         /usr/share/nginx/html;
    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;
}

But no luck :( I am pretty sure I am in the right file but if I make any changes that I think would break the site and not load properly, the site still works. So the first question I have, is this the correct file /etc/nginx/nginx.conf and if it isn't where are the nginx configurations kept? Second if it is the right file, what am I doing wrong?

Any other questions or more information please let me know!

Thank you in advance!

Your suspicion that /etc/nginx/nginx.conf isn't the right place to be making changes is correct. ElasticBeanstalk uses a separate location to store the nginx configuration files, namely /opt/elasticbeanstalk/support/conf. In that directory, you'll find files called nginx_config.erb and nginx_config_healthd.erb which are templates that are used to dynamically generate the nginx configurations at runtime.

That being said, you shouldn't need to muck with the config file at all. If you set config.force_ssl = true in production.rb, all http connections should be redirected to https. See the documentation for more details.

Scott Bradley's blog at the below link nicely summarizes the issue and how to resolve it on nginx, behind an ELB:

Always-On HTTPS With Nginx Behind an ELB

There are two main components that make up this solution:

1. A specific location directive for the health check URL that does not do any HTTPS enforcement.
2. A redirect if the X-Forwarded-Proto: https header does not exist.

For best-practice, we can add HTTP Strict Transport Security with the add_header directive here too. Below is an example of a simplified nginx config file demonstrating these.

upstream unicorn {
  server localhost:3000;
}

server {
  listen 90;
  server_name example.com;
  root /var/www/html;

  # 1) Special, somewhat redundant location to always proxy
  #    the health check to the upstream server, without checking
  #    if the request came in over HTTP or HTTPS.
  location /health_check {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_next_upstream error;
    proxy_pass http://unicorn;
    break;
  }

  # Our main location to proxy everything else to the upstream
  # server, but with the added logic for enforcing HTTPS.
  location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_next_upstream error;

    # 2) Any request that did not originally come in to the ELB
    #    over HTTPS gets redirected.
    if ($http_x_forwarded_proto != "https") {
      rewrite ^(.*)$ https://$server_name$1 permanent;
    }

    proxy_pass http://unicorn;

    # Add HTTP Strict Transport Security for good measure.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;";
  }
}
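
The same three rules (health check exemption, redirect on X-Forwarded-Proto, HSTS) expressed at the application layer, as an added example that is not part of either answer and is not Rails' own force_ssl implementation. The class name `ElbHttpsEnforcer`, the `host:` parameter, `SAMPLE_APP` and the sample requests are assumptions made for illustration.

```ruby
# Added example: Rack-style middleware mirroring the nginx rules above.
# Assumes the instance is reachable only through the ELB; otherwise a
# client could send X-Forwarded-Proto itself and skip the redirect.
class ElbHttpsEnforcer
  HSTS = 'max-age=31536000; includeSubDomains'.freeze

  # host: canonical name used in redirects (like nginx's $server_name),
  # so the client-supplied Host header never ends up in Location.
  def initialize(app, host:, health_path: '/health_check')
    @app = app
    @host = host
    @health_path = health_path
  end

  def call(env)
    # 1) ELB health checks arrive over plain HTTP; redirecting them
    #    would make the instance look unhealthy, so pass them through.
    return @app.call(env) if env['PATH_INFO'] == @health_path

    # 2) Rack exposes X-Forwarded-Proto as HTTP_X_FORWARDED_PROTO.
    #    Anything that did not reach the ELB over HTTPS is redirected.
    unless env['HTTP_X_FORWARDED_PROTO'].to_s.downcase == 'https'
      return [301, { 'Location' => https_url(env) }, ['']]
    end

    # 3) Only responses to HTTPS requests carry the HSTS header.
    status, headers, body = @app.call(env)
    [status, headers.merge('Strict-Transport-Security' => HSTS), body]
  end

  private

  # Rebuild the URL on the canonical host, keeping path and query.
  def https_url(env)
    url = "https://#{@host}#{env['PATH_INFO']}"
    query = env['QUERY_STRING'].to_s
    query.empty? ? url : "#{url}?#{query}"
  end
end

# Constructed stand-in for the real application.
SAMPLE_APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
```

In a Rails app such a middleware would be registered with `config.middleware.use`; `config.force_ssl = true` already covers the redirect and HSTS cases.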
