
Redirecting HTTP to HTTPS behind load balancer

I'm moving an ASP.NET Core application to AWS Beanstalk and I'm having an issue forcing HTTPS for all requests. The useful error from the logs is:

Failed to determine the https port for redirect.

According to the docs on enforcing HTTPS:

If requests are forwarded in a reverse proxy configuration, use Forwarded Headers Middleware before calling HTTPS Redirection Middleware. Forwarded Headers Middleware updates the Request.Scheme, using the X-Forwarded-Proto header

Based on my setup it looks like it should be correct:

public void Configure(IApplicationBuilder app, IHostingEnvironment env) {
    // aws ssl termination
    app.UseForwardedHeaders(new ForwardedHeadersOptions() {
        ForwardedHeaders = ForwardedHeaders.XForwardedProto
    });

    if (env.IsDevelopment()) {
        app.UseDeveloperExceptionPage();
    } else {
        app.UseExceptionHandler("/error/500");
        app.UseHsts();
    }

    app.UseHttpsRedirection();

    // lots of other stuff removed for brevity
}

The load balancer is accepting requests on HTTP (80) and HTTPS (443) and the application is set up in IIS to only accept requests on HTTP (80). This and the error message make it seem related to an announcement they made, but based on the docs I would expect the forward headers middleware to resolve the issue.

Update

If instead of using UseHttpsRedirection I switch to using the RequireHttpsAttribute and AddRedirectToHttps rewrite middleware the redirects work correctly. It's just the UseHttpsRedirection middleware that I can't get working.

Okay, let me summarize the comments:

My load balancer isn't performing the HTTPS redirection, so that's why I think I need the middleware. Unless I'm misunderstanding?

So you send an HTTP request to the proxy, which is redirected to your application and then you get that error?

This is because the X-Forwarded-Proto header has the value http, so the HTTPS Redirection middleware won't recognize it as a secure protocol and will try to redirect.

As per the documentation, https configuration is required for UseHttpsRedirection:

A port must be available for the middleware to redirect an insecure request to HTTPS. If no port is available:

  • Redirection to HTTPS doesn't occur.
  • The middleware logs the warning "Failed to determine the https port for redirect."

HTTPS requests (to the proxy) on the proxy should then work, since the X-Forwarded-Proto header is set to https and the redirection middleware should skip it.

In this case, you have to configure https on the application too (since it's required for the middleware). It can be a self-signed certificate; in a reverse proxy configuration the 443 on the ASP.NET Core app should never be hit. You don't even have to expose the port (when using Docker).

Alternatively, handle the https redirection on the reverse proxy itself. This is the better approach, as the requests will never hit your application in the first place unless it's https.
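
An added example, not part of the question or the answer above: a Startup that supplies the redirect port to the middleware through the HTTPS redirection options and limits which upstream addresses may set X-Forwarded-Proto. The 10.0.0.0/16 network is a placeholder for the load balancer's subnet, and the sketch assumes the load balancer is the immediate upstream of the application.

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders = ForwardedHeaders.XForwardedProto;

            // Only loopback proxies are trusted by default, so a header sent
            // from the load balancer's address is ignored unless its network
            // is listed. Placeholder subnet: replace with the real one.
            // Avoid clearing KnownNetworks/KnownProxies unless the app is
            // reachable only through the load balancer, because any client
            // could then claim "https" and skip the redirect.
            options.KnownNetworks.Add(
                new Microsoft.AspNetCore.HttpOverrides.IPNetwork(
                    IPAddress.Parse("10.0.0.0"), 16));
        });

        services.AddHttpsRedirection(options =>
        {
            // Port the client is sent to, i.e. the load balancer's HTTPS
            // listener. Without a port the middleware logs
            // "Failed to determine the https port for redirect."
            options.HttpsPort = 443;
        });
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // Must run before UseHttpsRedirection so Request.Scheme is already
        // rewritten from X-Forwarded-Proto when the redirect check happens.
        app.UseForwardedHeaders();

        if (env.IsDevelopment()) {
            app.UseDeveloperExceptionPage();
        } else {
            app.UseExceptionHandler("/error/500");
            app.UseHsts();
        }

        app.UseHttpsRedirection();
    }
}
```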
