
I use an Application Load Balancer in AWS as an API Gateway: for forwarding requests to different applications running in AWS. I have configured it with support for both HTTP and HTTPS. An HTTPS listener contains all logical rules for request forwarding. And an HTTP listener is configured with a single rule: to redirect all traffic to the HTTPS listener ({host}:443/#{path}?#{query}) and to return 301.

HTTPS works perfectly. And HTTP works fine for GET requests. But I found that POST requests to HTTP are converted to GET requests when being redirected to HTTPS, which obviously ends up with 404.

I found online that the problem is in 301 status (https://rtfm.co.ua/en/http-redirects-post-and-get-requests-and-lost-data/#The_root_cause_3xx_redirects_and_HTTP_RFC). But unfortunately there is no option in AWS ALB rules to redirect requests and to return 307 instead of 301.

So does anyone know how I can fix this issue? Thank you!

ded.diman
  • What is your app server? – Rodrigo Murillo Jan 13 '20 at 17:25
    Can you not fix the application so that an HTTP POST never occurs? It is somewhat pointless to redirect an HTTP POST request to HTTPS, because by the time the redirect occurs, the headers and post body have already been sent across the Internet unencrypted. That's somewhat like closing the barn door after the horses have already escaped. – Michael - sqlbot Jan 14 '20 at 00:09
  • @Rodrigo M, we have a few apps. One is on Rails and uses NGINX, and a few other are in ASP.NET Core and use Kestrel. – ded.diman Jan 14 '20 at 22:36
  • @Michael, I guess you mean client applications, right? Yes, it's the right way to go. But unfortunately we can't force all existing users to update their apps over night. – ded.diman Jan 14 '20 at 22:50
  • @ded.diman as long as the post bodies are within the [1 MB limit](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/lambda-functions.html) you could use an ALB/Lambda integration to do what Rodrigo is suggesting but without requiring the applications to handle it, themselves... but I admit I am still a bit stuck on the question of how you got into a situation where this was a problem. Redirecting POSTs from HTTP to HTTPS *shouldn't* work because the client should already be speaking HTTPS when they send a POST. – Michael - sqlbot Jan 15 '20 at 14:25
  • @Michael I wish I was an expert in http/https to explain how this could happen! But it's what I am experiencing: a client app sends a POST request to http. It goes through ALB. And in logs of the backend application I see that eventually it received that query as GET. And then the client receives 404, fairly clear why. As far as I understand an explanation by the link in my initial question, it's a behavior of clients, of user agents: when they receive 301 they CAN change the request's type to GET before sending it to https. – ded.diman Jan 15 '20 at 21:11

2 Answers


We have a similar setup. What we do is let the HTTP request pass through to the application server. There the application detects the HTTP protocol and does a software-based 301 redirect as a POST to HTTPS. This moves the specialized protocol handling from the ALB to the application itself. Works great. Any application server would be easy to set up in this way.

Rodrigo Murillo
  • Thanks for the idea @Rodrigo M. ALB in my case works also as an API gateway, so it redirects requests to different backends according to a set of rules. I can allow HTTP to come through to one of the applications, which will do what you suggested, and then a request through HTTPS will be forwarded to the correct application. It's just not a very transparent way, which makes one of the applications a kind of implicit helper of the API gateway. But I will think about it as a potential option if I don't find any better solution. – ded.diman Jan 14 '20 at 23:02
  • What's the point of redirecting a POST request to HTTPS if it's already been sent unencrypted to the application server? See Michael's comment under OP's question – mangusta Mar 08 '23 at 08:49
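The application-side redirect this answer describes, written as an added example for the Rails backend mentioned in the question (it is not code from the thread): a Rack middleware that answers plain-HTTP requests with a 308, which obliges the client to repeat the POST with its body, instead of the 301 that lets user agents downgrade it to GET. It assumes the ALB passes the original scheme in `X-Forwarded-Proto`; as the comments above note, the first unencrypted request has already left the client, so this only repairs the redirect, it does not protect that request.

```ruby
# Added example (not from the thread): Rack middleware that redirects plain-HTTP
# requests to HTTPS with 308, which keeps the method and body, instead of 301,
# which lets user agents turn a POST into a GET.
# Assumption: the ALB forwards the original scheme in X-Forwarded-Proto.
class ForceHttpsPreservingMethod
  REDIRECT_STATUS = 308 # 307 also preserves the method; 301/302 do not

  def initialize(app, https_port: 443)
    @app = app
    @https_port = https_port
  end

  def call(env)
    return @app.call(env) if https?(env)
    # Empty body: the client re-sends its original POST body to Location.
    [REDIRECT_STATUS, { 'Location' => https_location(env), 'Content-Length' => '0' }, []]
  end

  private
  # Prefer the proxy header set by the ALB over the socket-level scheme.
  def https?(env)
    proto = env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip
    return proto.casecmp('https').zero? unless proto.empty?
    env['rack.url_scheme'] == 'https'
  end

  # Rebuild host:443/path?query, the same shape as the ALB redirect rule.
  def https_location(env)
    host = env['HTTP_HOST'].to_s.sub(/:\d+\z/, '')
    port = @https_port == 443 ? '' : ":#{@https_port}"
    path = env['PATH_INFO'].to_s
    path = '/' if path.empty?
    query = env['QUERY_STRING'].to_s
    "https://#{host}#{port}#{path}#{query.empty? ? '' : "?#{query}"}"
  end
end

# Constructed sample: a POST the ALB forwarded from its HTTP listener.
SAMPLE_ENV = {
  'REQUEST_METHOD' => 'POST', 'HTTP_HOST' => 'api.example.com',
  'PATH_INFO' => '/v1/orders', 'QUERY_STRING' => 'dry_run=1',
  'HTTP_X_FORWARDED_PROTO' => 'http', 'rack.url_scheme' => 'http'
}.freeze

# Returns the [status, headers, body] triple the middleware produces.
def demo(env = SAMPLE_ENV)
  app = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
  ForceHttpsPreservingMethod.new(app).call(env)
end
```

In a Rails app this sits at the front of the Rack stack (`config.middleware.insert_before 0, ForceHttpsPreservingMethod`); the ASP.NET Core backends would need the same check in their own pipeline, and the backend's access log then shows the 308 followed by the repeated POST rather than a stray GET.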

I also faced the same issue when the http to https redirection is enabled. Just disable automatic https redirection and directly hit the https route. Could not find any alternate solution other than this.

Jinu Joseph Daniel