10

I have one subdomain (test.XXXX.com) pointed to an AWS ELB that accepts HTTP (80) and HTTPS (443) requests. I have configured an SSL certificate on 443 for the HTTPS connection. I have tried doing HTTP to HTTPS redirects at the Tomcat level by changing web.xml and server.xml as mentioned in

http://www.journaldev.com/160/steps-to-configure-ssl-on-tomcat-and-setup-auto-redirect-from-http-to-https

But the problem is that I need one endpoint for the AWS ELB health check that does not do the HTTP to HTTPS redirect. I have tried different solutions but with no success. I also tried

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Context</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <!-- No user-data-constraint here: plain HTTP is meant to be allowed for this exact path -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Context</web-resource-name>
            <url-pattern>/XXXXX/XXXXXX.html</url-pattern>
        </web-resource-collection>
    </security-constraint>

And my server.xml has the following configuration:

    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

    <Connector port="443" maxThreads="2000" scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="/home/XXXXX/XXXXX.keystore"
               keystorePass="XXXXX" clientAuth="false" keyAlias="XXXX"
               sslProtocol="TLS" protocol="org.apache.coyote.http11.Http11Protocol"/>

But when I try to access it through the browser it gives the error ERR_TOO_MANY_REDIRECTS.


MasterCode
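To see why the configuration above can loop, here is an added model (not code from the question, and not Tomcat's own code) of Tomcat's transport-guarantee check with the two constraints posted, under the assumption that the ELB terminates TLS and forwards every request to port 80 as plain HTTP, so Tomcat never sees the request as secure. The host test.XXXX.com and the paths are the placeholders from the question.

```python
from dataclasses import dataclass


@dataclass
class Constraint:
    pattern: str        # url-pattern from web.xml: "/*" or an exact path
    confidential: bool  # True when transport-guarantee is CONFIDENTIAL


# The two <security-constraint> blocks from the question, as data.
WEB_XML = [Constraint("/*", True), Constraint("/XXXXX/XXXXXX.html", False)]


def tomcat_response(path, secure, constraints=WEB_XML):
    """Simplified Tomcat check: an exact url-pattern match takes precedence
    over /*, and a matching constraint with no CONFIDENTIAL guarantee lets
    plain HTTP through; otherwise an insecure request is redirected."""
    exact = [c for c in constraints if c.pattern == path]
    matched = exact or [c for c in constraints if c.pattern == "/*"]
    if not matched or secure or any(not c.confidential for c in matched):
        return 200, None
    return 302, "https://test.XXXX.com" + path   # via redirectPort="443"


def elb_forward(url):
    """Assumption: the ELB terminates TLS and proxies to Tomcat's port 80
    as plain HTTP, whatever scheme the browser used."""
    _scheme, rest = url.split("://", 1)
    path = "/" + rest.split("/", 1)[1] if "/" in rest else "/"
    return tomcat_response(path, secure=False)


def browse(url, max_redirects=20):
    """Follow redirects like a browser and stop on a loop or the hop limit."""
    hops = []
    for _ in range(max_redirects):
        status, location = elb_forward(url)
        hops.append((url, status))
        if status != 302:
            return status, hops
        if any(location == seen for seen, _ in hops):
            return "ERR_TOO_MANY_REDIRECTS", hops
        url = location
    return "ERR_TOO_MANY_REDIRECTS", hops


if __name__ == "__main__":
    for u in ("https://test.XXXX.com/", "http://test.XXXX.com/XXXXX/XXXXXX.html"):
        print(u, "->", browse(u)[0])
```

The exempt page returns 200 as intended, while every other path loops because the redirect target arrives at Tomcat looking exactly like the request that triggered it; the loop only breaks if Tomcat learns the original scheme was HTTPS.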

4 Answers

3

I have a solution to your problem but it does not concern Tomcat. You could use a CloudFront distribution.
Let me underline a few key configs for achieving this through a Cloudfront Distribution:

  • Choose a Web Distribution
  • Select your ELB in the dropdown for Origin Domain Name. Origin Path will be blank and Origin Id is just an identifier of your choice.
  • Now under Default Cache Behavior Settings please choose Redirect HTTP to HTTPS for the Viewer Protocol Policy. Please go through all other settings carefully and select what's appropriate for you. They should be fairly simple and straightforward. (Please enter your domain name, test.xxxx.com, for Alternate Domain Names.)
  • Click on Create Distribution.
  • Once the distribution is created, go to the distribution and go to the Behaviours tab.
  • Here you'll see that there is already a default entry. Go to Create Behaviour and type in your path pattern, so if your health check URL is test.xxxx.com/healthcheck then your path pattern becomes /healthcheck.
  • Please choose HTTP and HTTPS for the Viewer Protocol Policy.
  • Finally, in your route53, please add a record for your domain and point it to the cloudfront distribution that you just created.

So effectively what this does is take the redirection off of Tomcat and handle it at the CloudFront level. All requests by default are redirected to HTTPS, while just for the /healthcheck path HTTP requests are allowed. Redirection need not be handled at lower levels. Please let me know if this works for you. Also, please note that Route 53 and CloudFront changes take time to propagate, so please wait long enough before testing.

Avinragh
  • 248
  • 3
  • 10
1

Now AWS ELB supports two new actions: redirect and fixed-response. You can configure these actions as part of the content-based routing rules, enabling you to offload this functionality to the load balancer.

With redirect actions, the load balancer can redirect incoming requests from one URL to another URL. This includes the capability to redirect HTTP requests to HTTPS requests.

Ashan
  • 18,898
  • 4
  • 47
  • 67
0

Since you have HTTP to HTTPS redirection working in Tomcat, the easiest solution for you would be to treat redirects as a valid response.

You can't do this with the classic Elastic Load Balancer, but you can with the new Application Load Balancer.

I suggest you switch your load balancer to the new ALB and configure the health check to accept 200-399 as healthy response codes.

You'll also get other benefits by switching to the new Application Load Balancer, such as being cheaper per hour and being able to route to different instance groups based on path and hostname.

Raniz
  • 10,882
  • 1
  • 32
  • 64
0

The ELB health check can be configured to use an HTTPS endpoint; check the Ping Protocol option: http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-healthchecks.html

Ping Protocol

The protocol to use to connect with the instance.

Valid values: TCP, HTTP, HTTPS, and SSL

Console default: HTTP

CLI/API default: TCP

You could also just try TCP on either port 80 or 443, which will ignore the redirects entirely.

nbari
  • 25,603
  • 10
  • 76
  • 131
  • If you look at the screenshot they are using the ELB for HTTPS - you can see the first few characters of the cert ID - so using HTTPS for the health check won't work. Using TCP for the health check will work though. – Raniz Aug 28 '17 at 06:59
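As an added example (not part of any answer above) of how the health-check options discussed here treat the question's redirecting backend: a constructed model of a classic ELB HTTP check (only 200 counts as healthy), an ALB check with a response-code matcher as Raniz suggests, and a TCP check as nbari suggests. The backend function is an assumption standing in for Tomcat behind TLS termination, and the exempt path is the placeholder from the question.

```python
def backend(path):
    """Assumption standing in for the question's Tomcat: requests arrive as
    plain HTTP, so everything under /* is answered with a 302 to HTTPS and
    only the exempt page returns 200."""
    return 200 if path == "/XXXXX/XXXXXX.html" else 302


def parse_matcher(matcher):
    """Expand an ALB-style HttpCode matcher ('200', '200,301', '200-399')
    into the set of status codes it accepts."""
    codes = set()
    for part in matcher.split(","):
        lo, _, hi = part.strip().partition("-")
        codes.update(range(int(lo), int(hi or lo) + 1))
    return codes


def healthy(check, path="/", matcher="200"):
    """check is 'TCP', 'CLASSIC_HTTP' or 'ALB_HTTP'; returns whether the
    target would be marked healthy for the given ping path and matcher."""
    if check == "TCP":
        return True            # only a TCP handshake; the 302 is never seen
    status = backend(path)
    if check == "CLASSIC_HTTP":
        return status == 200   # classic ELB: anything but 200 is unhealthy
    if check == "ALB_HTTP":
        return status in parse_matcher(matcher)
    raise ValueError(f"unknown check type: {check}")


if __name__ == "__main__":
    print("classic HTTP on /          :", healthy("CLASSIC_HTTP"))
    print("classic HTTP on exempt page:", healthy("CLASSIC_HTTP", "/XXXXX/XXXXXX.html"))
    print("ALB HTTP on / with 200-399 :", healthy("ALB_HTTP", "/", "200-399"))
    print("TCP                        :", healthy("TCP"))
```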