2

I have a working application on Elastic Beanstalk and would like to make it accessible ONLY through HTTPS. Because I would like for the application to scale automatically, I need to configure HTTPS at the Load Balancer level and not the single EC2 instance level. I am following this tutorial on how to configure HTTPS with Elastic Beanstalk. However, when I finish the tutorial, my domain never loads (on http or https) and I get a session timeout in the browser.

Here's what I have so far:

  • Working application on Elastic Beanstalk. Specifics: Java EE app running on a pre-configured Glassfish Docker container.
  • A valid domain from Route 53 that is set up to my Elastic Beanstalk application.
  • A signed certificate from GoDaddy, that was created and uploaded to IAM according to the tutorial link I provided.

Now, this is the part where I believe the problems arise. Step 4 of the tutorial tells me that I have to update my Security Group (very ambiguous as to what one). So, I update the Load Balancer Security Group like so (remove http requests and only support https):

Security Group From AWS Admin Console

Then, in the Elastic Beanstalk Environment Configuration Settings, I set it up like so:

Elastic Beanstalk Configuration

(If I turn the listener port off then the domain never loads on either http or https). With these settings, if I go to my domain (ex: myapp.com) it'll continue loading until the browser displays a timeout exception. If I specify the protocol (ex: https://myapp.com) it'll continue loading until the browser displays a timeout exception. If I go to a specific link with the HTTPS protocol specified (ex: https://myapp.com/login.xhtml) then it will load (Note: app works fine before attempting to apply SSL; welcome page is set up with server). What am I doing wrong?

Question summed up: How do I configure my Elastic Beanstalk application to work ONLY over HTTPS?

Desired result: User types app domain in their address bar (ex: myapp.com) and it brings them to my application secured with HTTPS (ex: https://myapp.com).

chRyNaN
  • 123
  • 4

1 Answers1

3

You don't do this by disabling http access.

You do this in your instance's web server. When a request comes in without the X-Forwarded-Proto: https header that ELB adds when the incoming request came in over https, your web servers need to send a HTTP/1.1 301 Moved Permanently redirect to the browser, specifying Location: https://... in the response.

There is no way for a new visitor's browser to automagically know it should retry with https unless your application tells it to.

There are alternative, more advanced ways to accomplish this but they still do not involve ELB (elastic load balancer) or EB (elastic beanstalk) or security group configuration.

Michael - sqlbot
  • 22,658
  • 2
  • 63
  • 86
  • I literally just came to this conclusion and updated my Servlet Filter to act accordingly. Thanks for the response! – chRyNaN Aug 08 '15 at 23:11
  • Having a similar issue but this answer doesn't make sense to me. What's the solution? – Peter Kaminski Jun 25 '16 at 16:07
  • @PeterKaminski 1. Allow HTTP requests by leaving port 80 open; 2. Configure your web server or application framework to expect the `X-Forwarded-Proto` request header to contain the value `https`, which ELB adds to each request; 3. If this is not present, or contains `http` instead (testing either condition should be fine), your server should respond with a 301 redirect to the HTTPS URL for the site. How exactly these steps are accomplished depends on the components in your stack, running on the instance(s). These are not things you configure in ELB itself. – Michael - sqlbot Jun 25 '16 at 16:53