HTTP to HTTPS Redirects for AWS ELB and Tomcat7 server

Question

I have one subdomain(test.XXXX.com) pointed to AWS ELB that accepts HTTP(80) and HTTPS(443) requests. I have configured SSL certificated for for 443 for HTTPS connection. I have tried doing HTTP to HTTPS redirects at Tomcat level by changing web.xml and server.xml as mentioned in

http://www.journaldev.com/160/steps-to-configure-ssl-on-tomcat-and-setup-auto-redirect-from-http-to-https

But the problem is that I need one endpoint for AWS ELB health check that does not do the HTTP to HTTPS redirect. I have tried different solution but no success.I also tried

   <security-constraint>
                <web-resource-collection>
                        <web-resource-name>Protected Context</web-resource-name>
                        <url-pattern>/*</url-pattern>
                </web-resource-collection>

                <user-data-constraint>
                        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                </user-data-constraint>
    </security-constraint>
   <security-constraint>
                <web-resource-collection>
                        <web-resource-name>Protected Context</web-resource-name>
                        <url-pattern>/XXXXX/XXXXXX.html</url-pattern>
                </web-resource-collection>

    </security-constraint>

And my server server.xml has following configuration as

<Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />


<Connector port="443" maxThreads="2000" scheme="https" secure="true" SSLEnabled="true" keystoreFile="/home/XXXXX/XXXXX.keystore" 
               keystorePass="XXXXX" clientAuth="false" keyAlias="XXXX" 
               sslProtocol="TLS" protocol="org.apache.coyote.http11.Http11Protocol"/>

But when try to access it through browser it gives exception as ERR_TOO_MANY_REDIRECTS.

Answer 1

Now AWS ELB supports two new actions: redirect and fixed-response. You can configure these actions as part of the content-based routing rules, enabling you to offload this functionality to the load balancer

With redirect actions, the load balancer can redirect incoming requests from one URL to another URL. This includes the capability to redirect HTTP requests to HTTPS requests.

Answer 2

I have a solution to your problem but it does not concern tomcat. You could use a Cloudfront distribution.
Let me underline a few key configs for achieving this through a Cloudfront Distribution:

• Choose a Web Distribution
• Select your ELB in the dropdown for Origin Domain Name. origin Path will be blank and Origin Id is just an identifier of your choice.
• Now under Default Cache Behavior Settings please choose Redirect HTTP to HTTPS for the Viewer Protocol Policy. Please go through all other settings carefully and select whats appropriate for you. They should be fairly simple and straightforward. (Please enter your domain name- test.xxxx.com for alternate domain names)
• Click on create distribution.
• Once the distribution is created, go to the distribiution and go to the behaviours tab.
• here you ll see that there is already a default entry. Go to Create Behaviour, type in your path pattern. so if your healthcheck url is test.xxxx.com/healthcheck then your path pattern becomes /healthcheck.
• Please choose HTTP and HTTPS for the Viewer Protocol Policy.
• Finally, in your route53, please add a record for your domain and point it to the cloudfront distribution that you just created.

So effectively what this does is, it takes the redirection off of tomcat and is handled at the cloudfront level. All requests by default are redirected to HTTPS while just for the /healthcheck path HTTP requests are allowed. Redirection need not be handled at lower levels. Please let me know if this works for you. Also, please note that route53 and cloudfront changes take time to propogate. so please wait sufficiently enough for a successful test