aws

Martynas Maciulevičius 2022-07-06T16:20:25.788989Z

Hey. I've come across this funny error that makes my webpage redirect to HTTPS when it's already on HTTPS. It does that because after the balancer routes the requests it uses HTTP in the internal AWS network. So that makes my server think that it's on HTTP 🄳 and it responds with 301 to HTTPS. Is there a way to fix it by sending HTTPS traffic to the service and not HTTP? Basically my question is: How do I prevent at least the HTTP MITM inside AWS?

jumar 2022-07-06T16:55:32.845099Z

You should be able to configure the load balancer listener to use https if you really want to do that. But then you need to manage TLS certificates in multiple places?

Martynas Maciulevičius 2022-07-06T16:58:13.538439Z

I already configured the outside one to provide a certificate. Web -> HTTPS -> LB -> HTTP -> Back-end. But that HTTP layer is something that I don't know whether it's good 🤔 Is it worth doing? I'm not sure

jumar 2022-07-06T17:00:54.218929Z

We use HTTP inside and I think it's fine. But your requirements might be different. Anyway, you should be able to configure the target group to use HTTPS: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-target-group.html

Leaf Garland 2022-07-07T05:12:20.292969Z

We fixed what seems like the same thing recently (redirects go to http by default because we terminate https further downstream). We are using nginx, and used proxy_redirect http:// https://; to get nginx to change the location header in redirects to use https.

Martynas Maciulevičius 2022-07-07T05:43:05.619699Z

But even if you use nginx to receive encrypted traffic then part of your traffic is still unencrypted inside of AWS network. So yes, you simply move the problem further but it's still unencrypted when it reaches the back-end 🤔

Leaf Garland 2022-07-07T05:49:33.248719Z

Perhaps we didn't have the same issue. In our case it's all HTTP inside the load balancer. When our Clojure app redirects, e.g. 302 location /somepage, the location header would end up with a value like http://example.com/somepage but it should have been https://example.com/somepage. This added an extra HTTP hop into our redirects. Apologies for the distraction if this is not similar to what you're dealing with.

jumar 2022-07-07T05:51:19.826449Z

I think you are talking about different things. The issue that Leaf is mentioning is relatively common. It's a mismatch between the app that thinks there's only an "HTTP world" while the client behind the load balancer thinks there's only an "HTTPS world". One common culprit of this is "Absolute redirects" - see https://github.com/ring-clojure/ring-defaults/pull/40 Martynas seems to have an app that's aware of HTTPS (is actually forcing HTTPS)

Leaf Garland 2022-07-07T05:52:46.925569Z

@jumar thanks for clarifying, and many thanks for pointing out that issue - could be helpful.

jumar 2022-07-07T05:52:50.577569Z

@invertisment_clojuria I think you just need to decide whether you need HTTPS inside VPC - if so, then configure the load balancer to use HTTPS, that's it.

Martynas Maciulevičius 2022-07-07T05:58:43.661469Z

I already configured it back to HTTP because it's simpler. But I'm not yet sure how absolute redirects work and I do remember that I enabled them. So yes, probably that could be a problem.

jumar 2022-07-07T06:00:34.795279Z

I submitted a patch that changed ring-defaults so it shouldn't force it by default. We also had issues with the Friend library - I think it's linked in the PR. Another thing is that some servers like Jetty (used to?) force absolute redirects.