
Redirecting AWS ELB HTTP Requests to HTTPS

When we use an AWS Application Load Balancer to redirect incoming requests to our servers, we created an SSL certificate and attached it to the load balancer. It listens on both the HTTP 80 and HTTPS 443 ports. In both cases, traffic is redirected to the target group instances' HTTP port 80.

In these instances, there are nginx servers configured to listen on HTTP port 80 of the instance they run on. (These instances are Elastic Container Service instances.)

When I update the nginx.conf file to redirect incoming HTTP requests to the HTTPS protocol, we face a redirect loop. Even if the original request is an HTTPS request, behind the load balancer the EC2 instance is listening on the HTTP port. So it doesn't matter whether the original request is HTTP or HTTPS; nginx sends redirects infinitely.

  1. I saw that CloudFront is an option, but I'm not interested in using another AWS service and paying extra money just to overcome this issue.
  2. Another solution might be changing the HTTP listener to HTTPS inside the instances registered to the target group of the ELB. Since we are using ECS, we have to find a way to secure our SSL certificate keys while creating the Docker image. I don't want to put our SSL certificate inside the code repository for Jenkins to use. There will be extra work if I choose this solution.

Do you have any simpler ideas to fix this issue?

Nginx will always get requests over HTTP, so obviously you can't tell it to redirect all HTTP requests. The ELB sets a special HTTP header on the requests it sends to your back-end servers, named x-forwarded-proto, which you need to configure Nginx to check to see whether the connection between the browser and the ELB is over HTTP or HTTPS, and only redirect if it is HTTP. I would check this answer on ServerFault.
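One way to apply this in nginx, as an added example that is not part of the original answer: the redirect is keyed on the ALB-set header rather than on the port nginx listens on, so HTTPS-originated traffic is served normally and the loop disappears. The upstream name and port are assumptions, and the header is only trustworthy if the instance security group admits traffic solely from the ALB.

```nginx
# Added example, not from the original answer. Assumes nginx listens on
# port 80 behind the ALB and that only the ALB can reach this port, so
# X-Forwarded-Proto always reflects the real client-to-ALB protocol.
upstream app_upstream {
    server 127.0.0.1:8080;   # hypothetical application container port
}

# 1 only when the client reached the ALB over plain HTTP. A request that
# lacks the header (such as the ALB's own health check) maps to 0 and is
# served normally instead of answering the health check with a 301.
map $http_x_forwarded_proto $redirect_to_https {
    default 0;
    "http"  1;
}

server {
    listen 80 default_server;
    server_name _;

    # Safe use of "if": a bare return, nothing else in the block.
    if ($redirect_to_https) {
        return 301 https://$host$request_uri;
    }

    location / {
        proxy_pass http://app_upstream;
        proxy_set_header Host $host;
        # Pass the original scheme on so the application can build
        # absolute URLs and secure cookies correctly.
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Check the result with `nginx -t`, then send one request with `X-Forwarded-Proto: http` and one with `https` to the instance port: only the first should get a 301.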

As Mark B mentioned, checking the custom header value for the incoming protocol is the simplest way to handle this and eliminate the redirect loop.

However, if you want to ensure end-to-end encryption, you can deploy self-signed certificates in your containers. The load balancer does NOT require a valid, public certificate in order to connect to an HTTPS origin.

That way you can forward port 80 on the ALB to port 80 on the target group (and you could even have a separate target group just for redirecting) and force the redirect as you're doing now, and forward port 443 on the ALB to port 443 on the target group.
