I'm having trouble setting up my HTTPS on AWS Elastic Beanstalk. My current problem is that, although HTTPS is working, the user must include the port number.
My aim is to get "example.xyz" to redirect to "https://example.xyz". At the moment I have to go to the address: "example.xyz:433" to access the EB.
Currently, I'm only trying to get the HTTPS working for the EB Load Balancer. It will communicate with the EC2s via HTTP. Ideally I'd have end-to-end encryption, but 1 step at a time you know.
Setup:
- Node.js v8.11.1 on 64bit Amazon Linux/4.5.0
- Classic load balancer
- My logs are being sent to CloudWatch
- I have my own domain - bought through Route 53.
I've redirected the traffic from the domain to my AWS EB using ALIAS:
- name: ""
- Type: A IPv4 (default)
- Routing Policy: Simple (default)
- Evaluate Target Health: No
I've set up a certificate using ACM
I've used the following *.config to get my load balancer to listen for HTTPS:
```yaml
option_settings:
  aws:elb:listener:433:
    SSLCertificateId: arn:aws:acm:us-east-X:XXXXXXXX:certificate/XXXXXXXXX
    ListenerProtocol: HTTPS
    InstancePort: 80
```
Resulting port setup (from EB console):
- Port: 80
- Protocol: HTTP
- Instance Port: 80
- SSL: ---
- Enabled: On
and
- Port: 433
- Protocol: HTTPS
- Instance Port: 80
- SSL: XXXXX
- Enabled: On
I've used both Apache & Nginx to try this. After digging through the internet I found instructions for getting these servers to force HTTP to HTTPS. Here are the examples I've used:
Apache:
```yaml
files:
  "/etc/httpd/conf.d/ssl_rewrite.conf":
    mode: "000644"
    owner: root
    group: root
    content: |
      RewriteEngine On
      <If "-n '%{HTTP:X-Forwarded-Proto}' && %{HTTP:X-Forwarded-Proto} != 'https'">
      RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
      </If>
```
Nginx:
```yaml
files:
  "/tmp/45_nginx_https_rw.sh":
    owner: root
    group: root
    mode: "000644"
    content: |
      #! /bin/bash
      CONFIGURED=`grep -c "return 301 https" /opt/elasticbeanstalk/support/conf/webapp_healthd.conf`
      if [ $CONFIGURED = 0 ]
      then
        sed -i '/listen 80;/a \ if ($http_x_forwarded_proto = "http") { return 301 https://$host$request_uri; }\n' /opt/elasticbeanstalk/support/conf/webapp_healthd.conf
        logger -t nginx_rw "https rewrite rules added"
        exit 0
      else
        logger -t nginx_rw "https rewrite rules already set"
        exit 0
      fi

container_commands:
  00_appdeploy_rewrite_hook:
    command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/appdeploy/enact
  01_configdeploy_rewrite_hook:
    command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact
  02_rewrite_hook_perms:
    command: chmod 755 /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh
  03_rewrite_hook_ownership:
    command: chown root:users /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh
```
Apache source: How to force https on elastic beanstalk?
Nginx source: https://adamjstevenson.com/tutorials/2017/02/02/configuring-and-forcing-https-for-aws-elastic-beanstalk.html
Both servers seem to have the same problem; however, I haven't been able to access the Apache logs as they haven't turned up in my CloudWatch.
But here is the behaviour I observe along with logs from the nginx server:
1) Go to: example.xyz:433
Works correctly, browser says we are secure. Nginx log out:
172.31.16.42 - - [16/May/2018:07:54:34 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" "171.6.246.51"
Note that the 304 direct setup for nginx is working
2) Go to: example.xyz
Request spins for ages, eventually times out.
No log output. But when the request eventually times out the address bar is filled with: https://example.xyz/ which to me is another indication the redirection is working.
Can anyone suggest how to sort this out? Let me know if you need more information.
Cheers
Stupidly was using 433 instead of 443. That's sorted it all out. Thanks to @Evyatar Meged for pointing it out.
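
A pre-deploy check that would have caught this typo, added here as an example and not part of the original post. It scans an `.ebextensions` file for `aws:elb:listener:<port>` blocks and flags an HTTPS listener that is not on 443. The function names are hypothetical, the sample is constructed from the config above, and the parser assumes the indented mapping form with unquoted values used in the post.

```python
import re

# Constructed sample: the listener block from the post, including its 433 typo.
SAMPLE_CONFIG = """\
option_settings:
  aws:elb:listener:433:
    SSLCertificateId: arn:aws:acm:us-east-X:XXXXXXXX:certificate/XXXXXXXXX
    ListenerProtocol: HTTPS
    InstancePort: 80
"""

LISTENER_RE = re.compile(r"^\s*aws:elb:listener:(\d+):\s*$")
OPTION_RE = re.compile(r"^\s+(\w+):\s+(\S.*?)\s*$")


def parse_listeners(text):
    """Return {port: {option: value}} for every aws:elb:listener:<port> block."""
    listeners, current = {}, None
    for line in text.splitlines():
        header = LISTENER_RE.match(line)
        option = OPTION_RE.match(line)
        if header:
            current = listeners.setdefault(int(header.group(1)), {})
        elif line.rstrip().endswith(":"):
            current = None  # some other namespace or top-level key
        elif option and current is not None:
            current[option.group(1)] = option.group(2)
    return listeners


def check_listeners(listeners):
    """Return findings for HTTPS listeners that default-port clients cannot reach."""
    findings = []
    for port, opts in sorted(listeners.items()):
        if opts.get("ListenerProtocol", "").upper() != "HTTPS":
            continue
        if port != 443:
            findings.append(f"port {port}: HTTPS listener is not on 443, so "
                            "https:// URLs without a port will not reach it")
        if "SSLCertificateId" not in opts:
            findings.append(f"port {port}: HTTPS listener has no SSLCertificateId")
    if not any(p == 443 and o.get("ListenerProtocol", "").upper() == "HTTPS"
               for p, o in listeners.items()):
        findings.append("no HTTPS listener on port 443")
    return findings


if __name__ == "__main__":
    for finding in check_listeners(parse_listeners(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample, it reports both the misplaced listener and the missing 443 listener; with the port corrected to 443 it reports nothing.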