4

I am using an application load balancer to map certain paths to one server (Apache) and other paths to another server (Tomcat).

I made all pages on my site available via https by setting up an https listener on the load balancer.

So requests from the client to the load balancer are encrypted, but requests from the load balancer to the servers are not.

Now, I would also like to redirect all http requests to https.

Are there any suggestions how I can do this?

I can redirect each server separately (i.e., redirect Tomcat HTTP requests as outlined here and redirect Apache HTTP requests with redirect rules). However, I was wondering if there is a simpler way to do it (i.e., where I would only have 1 redirect rather than a separate redirect for each server).

Thanks.

theyuv
  • 1
    Have you looked into implementing HSTS? https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security – mikwat Apr 30 '17 at 18:32
  • 1
    Thanks. I did not know much about HSTS, but as I understand it, even if I do implement HSTS I would need to do so in addition to redirects (not instead of)...Therefore my question still stands. – theyuv Apr 30 '17 at 18:59
  • 4
    The load balancer isn't capable of issuing redirects. You have to configure your web servers to check the `x-forwarded-proto` value and issue the appropriate redirect. – Mark B Apr 30 '17 at 19:00
  • Thanks @MarkB, is there some documentation for how best to do this for Tomcat? – theyuv May 01 '17 at 05:47
  • 1
    Here lies the answer to your struggle: https://stackoverflow.com/a/51540255/9180019 – the0ffh Aug 29 '18 at 19:56

2 Answers

0

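I found this while I was looking for a solution for the same problem. This has code samples for Apache, Nginx and IIS.

```apache
<VirtualHost *:80>
    RewriteEngine On
    # Redirect only when the load balancer reports that the client used plain HTTP
    RewriteCond %{HTTP:X-Forwarded-Proto} =http
    # Send a permanent (301) redirect to the same host and path over HTTPS
    RewriteRule .* https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]
</VirtualHost>
```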

https://aws.amazon.com/premiumsupport/knowledge-center/redirect-http-https-elb/

Laurence
0

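You have to configure the following in conf/server.xml:

```xml
<!-- Connector that receives plain HTTP from the load balancer;
     scheme/secure make Tomcat report these requests as HTTPS -->
<Connector
    port="8080"
    protocol="HTTP/1.1"
    scheme="https"
    secure="true"
    connectionTimeout="20000"
    URIEncoding="UTF-8"
    redirectPort="8443" />
```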

Please ensure scheme="https" is added so that no http request is being made.

Along with the above, add the default HSTS filters available in conf/web.xml, as defined in the Tomcat documentation.

Please refer here for more info: Tomcat behind LB

vishnun