0

I'm trying to implement HTTPS in my application. It is a JHipster/SpringBoot app which runs on port 8080. I implemented HTTPS via AWS, to make things easier because the certificate could be handled/renewed automatically by the AWS certificate manager service.

So I didn't change anything on my server. I generated a certificate on AWS and configured a LoadBalancer rule to redirect from 443 to 8080 using the generated certificate. When I try access my domain using explicitly HTTPS it works like a charm.

The problem is that I also want to redirect HTTP access to HTTPS, then I tried to add a rule to redirect 80 to 443, so it would fall in the first rule (443 to 8080) and use the certificate, but it doesn't work. Researching online I found I should add some lines to my .htacess file, but doesn't work also. I think that's not the solution in my case, since all the HTTPS stuff is on AWS side, is there a way to redirect HTTP to HTTPS only via AWS without changing my server?

trufrgs
  • 81
  • 1
  • 7

2 Answers2

1

You would need to treat the HTTP traffic to HTTPS redirection as also part of your application and accommodate necessary rules and configurations.

For instance, you would start with opening the ELB for PORT 80 (HTTP) which would be handled by the web servers listening in 80 or any port to perform the redirection [separate listener]

If you are using Apache web server, you would be required rules like

<VirtualHost *:80>
...
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI}
...
</VirtualHost>

Reference :

  1. http://www.emind.co/how-to/how-to-force-https-behind-aws-elb/
  2. Rerouting all http traffic to https with AWS ELB
Community
  • 1
  • 1
Naveen Vijay
  • 15,928
  • 7
  • 71
  • 92
1

The answer above didn't worked for me, because I didn't use such file. I end up doing a BackEnd filter like this:

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class HttpToHttpsFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void destroy() {
        // Nothing to destroy
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        String protocol = httpRequest.getHeader("X-Forwarded-Proto");
        if (protocol != null) {
            if(protocol.toLowerCase().equals("https")) {
                httpResponse.setHeader("Strict-Transport-Security", "max-age=60");
            }
            else if(protocol.toLowerCase().equals("http")) {
                String host = httpRequest.getServerName();
                String requestURI = httpRequest.getRequestURI();
                String redirectUrl = "https://" + host + requestURI;
                httpResponse.sendRedirect(redirectUrl);
                return;
            }
        }

        chain.doFilter(request, response);
    }
}
trufrgs
  • 81
  • 1
  • 7