Best IT Recipes

How to get Elastic Beanstalk nginx-backed proxy server to automatically redirect from HTTP to HTTPS?

I have a site with Node.js that I run on Amazon Elastic Beanstalk.

My Node.js app is listening on port 8080, and I am using the nginx load balancing configuration with my EB application, listening on port 80 and 443 for HTTP and HTTPS.

However, I only want to accept traffic in my application, which appeared via HTTPS.

I could install something in the application to handle this, but I'm interested in forcing load balancing to redirect all HTTP requests to my site using HTTPS.

+58
amazon-web-services amazon-ec2 elastic-beanstalk nginx
Jun 19 '14 at 1:21
source share
8 answers

After several false starts with ideas received from Amazon, they got support at the end. How do you do this, you configure the environment to respond to both ports 80 and 443. Then create a folder in the main folder of the Node.js application named .ebextensions , and you put a file named 00_nginx_https_rw.config in there, with this text as the content :

 files: "/tmp/45_nginx_https_rw.sh": owner: root group: root mode: "000644" content: | #! /bin/bash CONFIGURED=`grep -c "return 301 https" /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf` if [ $CONFIGURED = 0 ] then sed -i '/listen 8080;/a \ if ($http_x_forwarded_proto = "http") { return 301 https://$host$request_uri; }\n' /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf logger -t nginx_rw "https rewrite rules added" exit 0 else logger -t nginx_rw "https rewrite rules already set" exit 0 fi container_commands: 00_appdeploy_rewrite_hook: command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/appdeploy/enact 01_configdeploy_rewrite_hook: command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact 02_rewrite_hook_perms: command: chmod 755 /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh 03_rewrite_hook_ownership: command: chown root:users /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh

The Amazon support team explained: this config creates a deployment hook that will add rewrite rules to /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf.

(They used to offer me .config to copy individual files to /etc/nginx/conf.d, but they either had no effect, or worse, seemed to overwrite or take precedence over the default nginx configuration, for some reason.)

If you ever want to undo this, that is, remove the hooks, you need to delete this ebextension and issue a command to delete the files that it creates. You can do this manually or through the ebextensions commands that you temporarily installed:

 /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh

I have not tried this, but probably something like this will work to remove them and undo this change:

 container_commands: 00_undochange: command: rm /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh 01_undochange: command: rm /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh

Hope this can help someone else in the future.

+80
Jun 19 '14 at 1:21
source

The accepted answer no longer worked for me. The default port was different. The location of the configuration file has also changed. I am building a Ruby On Rails application with Puma.

I talked with paid support, we figured out by simply executing the commands manually in the running instance. Then I was able to figure out the solution below. Just logging in and restarting nginx, it worked.

 files: "/tmp/45_nginx_https_rw.sh": owner: root group: root mode: "000644" content: | #! /bin/bash CONFIGURED=`grep -c "return 301 https" /opt/elasticbeanstalk/support/conf/webapp_healthd.conf` if [ $CONFIGURED = 0 ] then sed -i '/listen 80;/a \ if ($http_x_forwarded_proto = "http") { return 301 https://$host$request_uri; }\n' /opt/elasticbeanstalk/support/conf/webapp_healthd.conf logger -t nginx_rw "https rewrite rules added" exit 0 else logger -t nginx_rw "https rewrite rules already set" exit 0 fi container_commands: 00_appdeploy_rewrite_hook: command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/appdeploy/enact 01_configdeploy_rewrite_hook: command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact 02_rewrite_hook_perms: command: chmod 755 /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh 03_rewrite_hook_ownership: command: chown root:users /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh

Notice how I changed the port number and location of the configuration file.

+19
Jan 05 '16 at 19:35
source

You can handle the redirection through your Node.js. application.

Amazon sends an X-Forwarded-Proto header, which is http when the client is insecurely connected.

The following middleware must be inserted immediately after Express initialized and before routes are determined to automatically redirect the client to the corresponding HTTPS endpoint:

 // Redirect to HTTPS app.use(function (req, res, next) { // Insecure request? if (req.get('x-forwarded-proto') == 'http') { // Redirect to https:// return res.redirect('https://' + req.get('host') + req.url); } next(); });
+9
Mar 21 '15 at 10:56
source

I managed to get this working with a slightly simpler solution.

Note that this is an elastic beanstalk, a deployed SINGLE instance, not a load balancer.

This was my ebextension, which I added.

 files: "/etc/nginx/conf.d/000_my_config.conf": mode: "000755" owner: root owner: root content: | server { listen 8080; return 301 https://$host$request_uri; }
+6
Feb 02 '15 at 4:24
source

I am running the Ruby2 Puma environment on AWS Elastic Beanstalk, which may have a slightly different configuration than the above. In my environment, I needed to use listen 80 instead of listen 8080.

sslredirect.config based on elloworld111 answer :

 files: "/etc/nginx/conf.d/000_my_config.conf": mode: "000755" owner: root owner: root content: | server { listen 80; return 301 https://$host$request_uri; }
+5
Mar 18 '15 at 15:29
source

I work with Elastic Beanstalk and Docker, so I took a slightly different path to make things work for me, but I am very inspired by the accepted answer. This script introduces the necessary configuration in / etc / nginx / sites -available / elasticbeanstalk-nginx-docker-proxy.conf. (If someone has a more elegant solution, I would like to see it)

This script also allows you to test the health of Beanstalk on my healthcheck endpoint (in my case api / healthcheck). It is better to allow the LoadBalancer to get into the application, and not end in Nginx.

 files: "/tmp/45_nginx_https_rw.sh": owner: root group: root mode: "000755" content: | #! /bin/bash CONFIGURED=`grep -c "return 301 https" /etc/nginx/sites-available/elasticbeanstalk-nginx-docker-proxy.conf` if [ $CONFIGURED = 0 ] then sed -i "/access.log;/a \ \ \ \ \ \ \ \ location /api/health-check { proxy_pass http://docker; }" /etc/nginx/sites-available/elasticbeanstalk-nginx-docker-proxy.conf sed -i "/proxy_add_x_forwarded_for;/a \ \ \ \ \ \ \ \ \ \ \ \ if (\$http_x_forwarded_proto != 'https') { return 301 https://\$host\$request_uri; }" /etc/nginx/sites-available/elasticbeanstalk-nginx-docker-proxy.conf logger -t nginx_rw "https rewrite rules added" exit 0 else logger -t nginx_rw "https rewrite rules already set" exit 0 fi container_commands: 00_run_script: command: /tmp/45_nginx_https_rw.sh
+4
Feb 20 '17 at 21:51
source

I was able to make it work differently. I changed my load balancer to redirect port 80 to port 8082 and changed the firewall rules (included in the instance, outbound on the firewall) to allow this. This file is then added to .ebextensions:

 files: "/etc/nginx/conf.d/50-atd-hotel-http-redirect.conf": mode: "000644" owner: root group: root content: | server { listen 8082; return 301 --WHATEVER DESTINATION YOU WANT--; }
+2
Feb 23 '17 at 19:40
source

The accepted answer did not work for me. After many attempts (and hours of searching the Internet), I found what worked for me. I also have a site on Node.js that I use on Elastic Beanstalk.

I used the script here: https://adamjstevenson.com/tutorials/2017/02/02/configuring-and-forcing-https-for-aws-elastic-beanstalk.html

The only modification I did was turn off

 /opt/elasticbeanstalk/support/conf/webapp_healthd.conf

by

 /etc/nginx/sites-available/elasticbeanstalk-nginx-docker-proxy.conf

so this gives:

 files: "/tmp/45_nginx_https_rw.sh": owner: root group: root mode: "000644" content: | #! /bin/bash CONFIGURED='grep -c "return 301 https" /etc/nginx/sites-available/elasticbeanstalk-nginx-docker-proxy.conf' if [ $CONFIGURED = 0 ] then sed -i '/listen 80;/a \ if ($http_x_forwarded_proto = "http") { return 301 https://$host$request_uri; }\n' /etc/nginx/sites-available/elasticbeanstalk-nginx-docker-proxy.conf logger -t nginx_rw "https rewrite rules added" exit 0 else logger -t nginx_rw "https rewrite rules already set" exit 0 fi container_commands: 00_appdeploy_rewrite_hook: command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/appdeploy/enact 01_configdeploy_rewrite_hook: command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact 02_rewrite_hook_perms: command: chmod 755 /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh 03_rewrite_hook_ownership: command: chown root:users /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh

After eb deploy just restart nginx sudo service nginx restart and you're done.

0
Aug 21 '19 at 23:26
source


More articles:


All Articles