12

On Amazon's "Classic Load Balancer" you could create a rule to forward HTTPS connections to HTTP, simplifying SSL and server configuration by uploading the certificate to the load balancer and letting the server only handle http.

I'm now trying to replicate the same setup with the Amazon's newer generation "Application Load Balancer", but the new rule system doesn't seem to allow this.

I can create a rule to listen on HTTPS/443 and redirect, but it only allows me to redirect to HTTPS or #{protocol}://#{host}:80/#{path}?#{query}, which still means my server has to support HTTPS, which I want to avoid, since it means every server still has to contain the SSL certificate and have a site configuration for port 443.

Is this not supported in the new ELB generation, or is there some other way to configure it?

tijko
  • 7,599
  • 11
  • 44
  • 64
Cerin
  • 60,957
  • 96
  • 316
  • 522

2 Answers2

9

You seem to be confusing two unrelated things.

Redirects are for telling the browser to re-send its request to a different destination.

On ALB, all you need to do to get TLS offloading (which is what you are describing) is to create a target group pointing to port 80 on the instance(s), and then set the default rule on the HTTPS listener to send traffic to that target group.

Michael - sqlbot
  • 169,571
  • 25
  • 353
  • 427
  • 1
    i have a https listener on the load balancer and opened port 80 on target group but when i go to the load balancer endpoint, it has connection refused to the target group – Wayneio Aug 06 '21 at 08:49
  • @Wayneio have you found a way? – UMR Feb 08 '23 at 15:04
4

According to https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html:

You can use an HTTPS listener to offload the work of encryption and decryption to your load balancer so that your applications can focus on their business logic. If the listener protocol is HTTPS, you must deploy at least one SSL server certificate on the listener. For more information, see Create an HTTPS listener for your Application Load Balancer.

What you need to do is set up an HTTPS listener, an AWS IAM server certificate to attach to the listener, and an HTTP target group. You can then attach instances/servers that listen in HTTP to that target group. As Michael said, this is not a "redirect" but a "forward" rule to your target group.

gkhnavarro
  • 446
  • 2
  • 14