You should be able to configure the load balancer listener to use https if you really want to do that. But then you need to manage TLS certificates in multiple places?

I already configured the outside one to provide a certificate. Web -> HTTPS -> LB -> HTTP -> Back-end But that HTTP layer is something that I don't know whether it's good :thinking_face: Is it worth doing? I'm not sure

We use HTTP inside and I think it's fine. But your requirements might be different. Anyway, you should be able to configure the target group to use HTTPS: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-target-group.html

We fixed what seems like the same thing recently (redirects go to http by default because we terminate https further downstream). We are using nginx, and used proxy_redirect http:// https://; to get nginx to change the location header in redirects to use https.

But even if you use nginx to receive encrypted traffic then part of your traffic is still unencrypted inside of AWS network. So yes, you simply move the problem further but it's still unencrypted when it reaches the back-end :thinking_face:

Perhaps we didn't have the same issue. In our case it's all HTTP inside the load balancer. When our clojure app redirects, eg. 302 location /somepage the location header would end up with a value like http://example.com/somepage but it should have been https://example.com/somepage. This added an extra HTTP hop into our redirects. Apologies for the distraction if this is not similar to what you're dealing with.

I think you are talking about different things. The issue that Leaf is mentioning is relatively common. It's a mismatch between the app who thinks there's only "HTTP world " while the client behind the load balancer thinks there's only "HTTPS world". One common culprit of this is "Absolute redirects" - see https://github.com/ring-clojure/ring-defaults/pull/40 Martynas seem to have an app that's aware of HTTPS (is actually forcing HTTPS)

@U06BE1L6T thanks for clarifying, and many thanks for pointing out that issue - could be helpful.

@U028ART884X I think you just need to decide whether you need HTTPS inside VPC - if so, then configure the load balancer to use HTTPS, that's it.

I already configured it back to HTTP because it's simpler. But I'm not yet sure how absolute redirects work and I do remember that I enabled them. So yes, probably that could be a problem.

I submitted a patch that changed ring-defaults so it shouldn't force it by default. We also had issues with friend library - I think it's linked in the PR. Another thing is that some servers like Jetty (used to?) force absolute redirects.