I have a Spring Boot app running on Beanstalk and I recently want to make my entire site secured by HTTPS, so I would like to redirect all HTTP traffic to HTTPS by default.

I have already installed my SSL Cert with Amazon Certificate Manager and it is used by my Amazon ELB load balancer, so the HTTPS will terminate there.

Currently, the load balancer is configured with ports mapping like this: [image]

I also noticed that by default there is also an nginx on the load balancer that listens on port 80 (instance port) and then forwards it to my Spring Boot app finally.

So I tried to do the redirection by putting this conf file at .ebextensions/nginx/conf.d/elasticbeanstalk/00_nginx_https_rw.conf and the .ebextensions folder sits locally under src/main/resources in my Spring Boot repo:

files:
  "/tmp/45_nginx_https_rw.sh":
    owner: root
    group: root
    mode: "000644"
    content: |
      #! /bin/bash

      # Count existing redirect rules so the edit is applied only once
      CONFIGURED=`grep -c "return 301 https" /opt/elasticbeanstalk/support/conf/webapp_healthd.conf`

      if [ $CONFIGURED = 0 ]
        then
          # Insert the redirect right after the "listen 80;" line
          sed -i '/listen 80;/a \    if ($http_x_forwarded_proto = "http") { return 301 https://$host$request_uri; }\n' /opt/elasticbeanstalk/support/conf/webapp_healthd.conf
          logger -t nginx_rw "https rewrite rules added"
          exit 0
        else
          logger -t nginx_rw "https rewrite rules already set"
          exit 0
      fi

# Install the script as a deploy hook, then reload nginx
container_commands:
  00_appdeploy_rewrite_hook:
    command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/appdeploy/enact
  01_configdeploy_rewrite_hook:
    command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact
  02_rewrite_hook_perms:
    command: chmod 755 /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh
  03_rewrite_hook_ownership:
    command: chown root:users /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh
  04_reload_nginx:
    command: "sudo service nginx reload"

I deployed my Spring Boot app with that conf file and also did "Restart App Server(s)" in Beanstalk, but it still will not redirect from HTTP to HTTPS.

I also tried this for my conf file as well and it also does not work:

listen 80;

# ELB stores the protocol used between the client
# and the load balancer in the X-Forwarded-Proto request header.
# Check for 'https' and redirect if not
if ($http_x_forwarded_proto != 'https') {
   rewrite ^ https://$host$request_uri? permanent;
}


server_name mothersquad.com www.mothersquad.com;

This is where I put my conf file: [image]

This is my Nginx access.log when I try to go to the HTTP version of my site:

172.31.42.155 - - [28/Sep/2017:07:38:53 +0000] "GET /health_check HTTP/1.1" 200 2 "-" "ELB-HealthChecker/1.0" "-"
172.31.42.155 - - [28/Sep/2017:07:39:03 +0000] "GET /health_check HTTP/1.1" 200 2 "-" "ELB-HealthChecker/1.0" "-"
172.31.42.155 - - [28/Sep/2017:07:39:13 +0000] "GET /health_check HTTP/1.1" 200 2 "-" "ELB-HealthChecker/1.0" "-"
172.31.42.155 - - [28/Sep/2017:07:39:23 +0000] "GET /health_check HTTP/1.1" 200 2 "-" "ELB-HealthChecker/1.0" "-"
172.31.42.155 - - [28/Sep/2017:07:39:23 +0000] "GET / HTTP/1.1" 200 93279 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:23 +0000] "GET /css/landing.css HTTP/1.1" 200 13132 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:23 +0000] "GET /css/landing_bootstrap.css HTTP/1.1" 200 134640 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:23 +0000] "GET /js/landing.js HTTP/1.1" 200 5627 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/logo.png HTTP/1.1" 200 6830 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/tracery.png HTTP/1.1" 200 23045 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/squad-photo-4.jpg HTTP/1.1" 200 17441 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/squad-photo-1.jpg HTTP/1.1" 200 24258 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/squad-photo-2.jpg HTTP/1.1" 200 20504 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/squad-photo-5.jpg HTTP/1.1" 200 18711 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/squad-photo-3.jpg HTTP/1.1" 200 20686 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/virtualgroup.jpg HTTP/1.1" 200 46406 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/squad-photo-6.jpg HTTP/1.1" 200 21364 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/squad-photo-7.jpg HTTP/1.1" 200 18472 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/tracery-red.png HTTP/1.1" 200 2500 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/bg1.jpg HTTP/1.1" 200 48181 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/bg2.jpg HTTP/1.1" 200 116554 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"

I did not see any errors in errors.log.

What else did I miss? Thanks

user1805458

1 Answer

If you've installed your certificate onto the load balancer, I recommend terminating SSL at the LB (assuming that your VPC is secure). Try setting the parameter server.use-forward-headers in your application properties to true. This will cause your boot app to honor the X-Forwarded-Proto and X-Forwarded-For headers.

Once this is complete, remove the port 80 listener on your LB so your app can only be accessed over 443.

lane.maxwell
  • Hi Lane, thanks, so if I make this server.use-forward-headers change, that means I should revert all my .ebextensions nginx changes? Just to make sure I understand this correctly, by the time I only keep port 443 on and not 80, all http calls will automatically redirect to https? – user1805458 Sep 28 '17 at 23:52
  • Keep the extensions and port if you want the redirect. Also note that you'll have to set that property in your properties file or whatever external property source you have. You can't set it in the EBS properties due to the hyphens. – lane.maxwell Sep 28 '17 at 23:55
  • The problem though is that my nginx conf doesn't seem to be doing the http redirect yet, and I would like to solve this problem first. Is there something incorrect in my conf file? – user1805458 Sep 28 '17 at 23:58
  • I don't believe the ebextensions are getting picked up by EBS based on where they're located in the jar. The .ebextensions folder needs to be located at the root of the jar, so unless you're moving them during assembly, they'll be under BOOT-INF/classes. – lane.maxwell Sep 29 '17 at 00:05
  • Gotcha, that's weird, because I read online that the .ebextensions folder can sit under src/main/resources and gradle build will pack it properly into the root of the jar. Where should I move the .ebextensions folder then? – user1805458 Sep 29 '17 at 00:08
  • Open your final jar and see where they're located. We use maven so the packaging may be different. If they're not at the root, you'll have to utilize a plugin to move them. See this answer for how this was accomplished with maven (should be similar with gradle) https://stackoverflow.com/a/44715929/888580 – lane.maxwell Sep 29 '17 at 00:11
  • I see, k, I will try to find the gradle version of that maven task. If I put the ebextensions in the root, is that one level above src/ ? – user1805458 Sep 29 '17 at 00:20
  • When you explode your jar you should see the .ebextensions folder at the root – lane.maxwell Sep 29 '17 at 00:39
  • Thanks, I am still trying to figure out how to copy the .ebextensions folder to the root directory of the jar file using Gradle – user1805458 Sep 29 '17 at 05:06
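
The comments above come down to one check: whether .ebextensions sits at the root of the built jar or ended up under BOOT-INF/classes. The following is an added example, not code from either poster; the function names are hypothetical and the two sample jars are constructed in memory to mirror the layouts discussed.

```python
import io
import zipfile

EB_DIR = ".ebextensions"


def ebextensions_locations(jar_bytes):
    """Map each parent path ('' = jar root) to the .ebextensions files under it."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            parts = name.split("/")
            # Skip directory entries and anything outside an .ebextensions folder.
            if EB_DIR not in parts or name.endswith("/"):
                continue
            i = parts.index(EB_DIR)
            found.setdefault("/".join(parts[:i]), []).append("/".join(parts[i + 1:]))
    return found


def verdict(jar_bytes):
    """'ok' if .ebextensions is at the jar root, 'misplaced' if only nested, else 'missing'."""
    found = ebextensions_locations(jar_bytes)
    if "" in found:
        return "ok"
    return "misplaced" if found else "missing"


def build_jar(entries):
    """Constructed sample input: build an in-memory jar from {path: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for path, content in entries.items():
            jar.writestr(path, content)
    return buf.getvalue()


CONF = ".ebextensions/nginx/conf.d/elasticbeanstalk/00_nginx_https_rw.conf"
PROPS = "BOOT-INF/classes/application.properties"
# Layout the comments suspect: folder packaged with the classpath resources.
NESTED_JAR = build_jar({"BOOT-INF/classes/" + CONF: "# constructed placeholder\n",
                        PROPS: "server.use-forward-headers=true\n"})
# Layout the answerer says is needed: folder at the root of the archive.
ROOT_JAR = build_jar({CONF: "# constructed placeholder\n",
                      PROPS: "server.use-forward-headers=true\n"})

if __name__ == "__main__":
    for label, jar in (("nested", NESTED_JAR), ("root", ROOT_JAR)):
        print(label, verdict(jar), ebextensions_locations(jar))
```

To check a real build, pass the bytes of the assembled jar (for example `open(path, "rb").read()`) to `verdict` before deploying.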