
How to force redirect HTTP to HTTPS in Amazon Elastic Beanstalk

After picking up bits and pieces over the Internet, here I have the complete guide for my particular setup. My Amazon AWS Elastic Beanstalk (ELB or EBS) environment is as follows:
  • 64bit Amazon Linux 2016.03 v2.1.1 running Tomcat 8 Java 8
  • Java/JSP application on Apache Tomcat
  • Maven Build

How to get it done:

First, configure your EBS instance:
  1. Go to Configuration and click the gear on Load Balancing.
  2. Under Load Balancer, set the following options:
    1. Listener port: 80
    2. Protocol: HTTP
    3. Secure listener port: 443
    4. Protocol: HTTPS
    5. SSL certificate ID: Choose the cert ID that goes with your server. If you don't have one, you can use Certificate Manager to create one.
  3. Apply and save this configuration. Wait for the server health to be OK.
  4. Test it by accessing your application web page through both HTTP and HTTPS:
    1. HTTP should load the page insecurely.
    2. HTTPS should load the page securely.
    3. No port number should be added after the domain name in either case.
Then, add a configuration file in a folder called .ebextensions in your project. When you do Maven Build, this folder should go into the root of the WAR file. (If you package multiple WAR files into a ZIP file, the folder should be included at the root of the ZIP file itself, not any of the WAR files).
  1. To correctly add this folder to the root of the WAR file, in my project, I created this folder in src/main/webapp folder, alongside resources and WEB-INF folders.
    1. Note: If you're on Windows, you will need to use Command Prompt or Bash emulator to create the folder. This is because Windows Explorer doesn't allow creating folders starting with a period.
  2. Inside the folder, create a file with any name, but with the extension .config. So it could be ssl_rewrite.config which is a nice name to remember what this is for.
  3. Edit the file and put the following as its contents:
files:
  "/etc/httpd/conf.d/00_ssl_rewrite.conf":
    mode: "000644"
    owner: root
    group: root
    content: |
      <VirtualHost *:80>
        <Proxy *>
          Order deny,allow
          Allow from all
        </Proxy>
      
        ProxyPass / http://localhost:8080/ retry=0
        ProxyPassReverse / http://localhost:8080/
        ProxyPreserveHost on
      
        ErrorLog /var/log/httpd/elasticbeanstalk-error_log
      
        RewriteEngine on
        RewriteCond %{HTTP:X-Forwarded-Proto} =http
        RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
      
      </VirtualHost>

services:
  sysvinit:
    httpd:
      files:
        - "/etc/httpd/conf.d/00_ssl_rewrite.conf"

NOTES:
  • The files section creates a conf file in the given path, with the given parameters.
  • The content from <VirtualHost *:80> to </VirtualHost> has been copied from an instance of the environment, specifically from the file /etc/httpd/conf.d/elasticbeanstalk.conf.
  • That copied content has been modified to add the three Rewrite* lines just before the closing </VirtualHost> tag.
  • If your elasticbeanstalk.conf differs, you should use that instead, and just add the three Rewrite* lines. Remember to indent the content properly as the YAML format requires indentation.
  • You could use the name elasticbeanstalk.conf instead of 00_ssl_rewrite.conf but I would prefer to use the latter to:
    • Prevent overwrite of the default elasticbeanstalk.conf installed by EBS.
    • Ensure 00_ssl_rewrite.conf always takes precedence (conf files are loaded alphabetically and the first VirtualHost takes precedence).
  • The services section restarts httpd after writing the file, thus ensuring that the configuration is loaded. Without it, httpd would need to be manually reloaded unless the instance is dropped and recreated.
Finally, do a Maven build and deploy:
  1. Execute the Maven Build and get the WAR file as usual.
  2. Open the WAR file in an archiver like 7-Zip to check and make sure the .ebextensions folder is at the root and has the config file.
  3. In ELB, upload and deploy the WAR file to your environment. Wait for the server health to be OK.
  4. Test it by accessing your application web page through both HTTP and HTTPS:
    1. HTTP should give a 301 redirect to HTTPS. (You can see this in Inspector's Network view.)
    2. HTTPS should load the page securely.
    3. No port number should be added after the domain name in either case.
That's it! It sounds so simple in hindsight, but I had to try a lot of misleading and incomplete solutions strewn over the Internet before arriving at this exact solution. I hope this helps you cut to the chase a lot faster than I could.
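The final test step can also be scripted. The following is an added example, not part of the original post: it checks that a plain-HTTP request is answered with a 301 to the same host over HTTPS, with no port number and with the path and query string preserved. The function names and the hostname app.example.com are assumptions made for illustration.

```python
# Added example: checks a response against the post's final test checklist.
import http.client
from urllib.parse import urlsplit

def check_redirect(status, location, host, path):
    """Return a list of problems; an empty list means the redirect is correct."""
    problems = []
    if status != 301:
        problems.append(f"expected 301, got {status}")
    if not location:
        return problems + ["no Location header"]
    target, requested = urlsplit(location), urlsplit(path)
    if target.scheme != "https":
        problems.append(f"Location scheme is {target.scheme!r}, not 'https'")
    if target.hostname != host.lower():
        problems.append(f"Location host is {target.hostname!r}, not {host!r}")
    if target.port is not None:
        problems.append(f"Location carries port {target.port}")
    if (target.path, target.query) != (requested.path, requested.query):
        problems.append("path or query string not preserved")
    return problems

def probe(host, path="/", timeout=10):
    """Request http://host/path without following redirects, then check it."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return check_redirect(resp.status, resp.getheader("Location"), host, path)
    finally:
        conn.close()

# Constructed sample responses; app.example.com is a placeholder hostname.
SAMPLES = {
    "rule active": (301, "https://app.example.com/a?b=1"),
    "rule not loaded": (200, None),
    "port leaked": (301, "https://app.example.com:8080/a?b=1"),
    "temporary redirect": (302, "https://app.example.com/a?b=1"),
}

def run_samples():
    """Check every constructed sample as a response to http://app.example.com/a?b=1."""
    return {name: check_redirect(status, loc, "app.example.com", "/a?b=1")
            for name, (status, loc) in SAMPLES.items()}

if __name__ == "__main__":
    for name, problems in run_samples().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Against a deployed environment, call probe() with your own domain name; a 200 on plain HTTP usually means the .ebextensions file did not make it into the root of the WAR or httpd was not restarted.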
