#aws
2022-07-06
Martynas M 16:07:25

Hey. I've come across this funny error that makes my webpage redirect to HTTPS when it's already on HTTPS. It does that because after the balancer routes the requests it uses HTTP in the internal AWS network. So that makes my server think that it's on HTTP 🥳 and it responds with 301 to HTTPS 💥. Is there a way to fix it by sending HTTPS traffic to the service and not HTTP? Basically my question is: how do I prevent at least the HTTP MITM inside AWS?

jumar 16:07:32

You should be able to configure the load balancer listener to use https if you really want to do that. But then you need to manage TLS certificates in multiple places?

Martynas M 16:07:13

I already configured the outside one to provide a certificate. Web -> HTTPS -> LB -> HTTP -> Back-end. But I don't know whether that HTTP layer is good :thinking_face: Is it worth doing? I'm not sure.

jumar 17:07:54

We use HTTP inside and I think it's fine. But your requirements might be different. Anyway, you should be able to configure the target group to use HTTPS: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-target-group.html

Leaf Garland 05:07:20

We fixed what seems like the same thing recently (redirects go to http by default because we terminate https further downstream). We are using nginx, and used proxy_redirect http:// https://; to get nginx to change the location header in redirects to use https.

Martynas M 05:07:05

But even if you use nginx to receive encrypted traffic, then part of your traffic is still unencrypted inside of the AWS network. So yes, you simply move the problem further, but it's still unencrypted when it reaches the back-end :thinking_face:

Leaf Garland 05:07:33

Perhaps we didn't have the same issue. In our case it's all HTTP inside the load balancer. When our Clojure app redirects, e.g. 302 location /somepage, the location header would end up with a value like http://example.com/somepage but it should have been https://example.com/somepage. This added an extra HTTP hop into our redirects. Apologies for the distraction if this is not similar to what you're dealing with.

jumar 05:07:19

I think you are talking about different things. The issue that Leaf is mentioning is relatively common. It's a mismatch between the app that thinks there's only an "HTTP world" while the client behind the load balancer thinks there's only an "HTTPS world". One common culprit of this is "absolute redirects" - see https://github.com/ring-clojure/ring-defaults/pull/40 Martynas seems to have an app that's aware of HTTPS (it is actually forcing HTTPS).

Leaf Garland 05:07:46

@U06BE1L6T thanks for clarifying, and many thanks for pointing out that issue - could be helpful.

jumar 05:07:50

@U028ART884X I think you just need to decide whether you need HTTPS inside VPC - if so, then configure the load balancer to use HTTPS, that's it.

Martynas M 05:07:43

I already configured it back to HTTP because it's simpler. But I'm not yet sure how absolute redirects work and I do remember that I enabled them. So yes, probably that could be a problem.

jumar 06:07:34

I submitted a patch that changed ring-defaults so it shouldn't force it by default. We also had issues with the friend library - I think it's linked in the PR. Another thing is that some servers like Jetty (used to?) force absolute redirects.