I have an ELB (Amazon Elastic Load Balancer) configured to load balance end users' requests on HTTPS; on the backend I have my application running on a Tomcat server which is configured on HTTP.
So when my end users make a request to the application, the request will be on HTTPS, since they access the ELB. The ELB then internally redirects it on HTTP to the Tomcat server. In Tomcat my application is protected through Spring Security, and if the request is for a protected resource and the user is not logged in, the user is redirected to the configured login page. Now, this redirection to the end user will be over HTTP, since the Tomcat server had got the request originally from the ELB as HTTP. This will now lead to a 404 since I have not configured for inward traffic on HTTP.
How do we resolve this issue? Is the only option to have HTTPS both on the enduser-ELB and from ELB-Tomcat, or am I missing something here?
Classic Load Balancers can't redirect HTTP traffic to HTTPS by default. Instead, configure your rewrite rules for the web server instances behind the Classic Load Balancer. You must configure your rewrite rules to use the X-Forwarded-Proto header and redirect only HTTP clients.
Select a load balancer, and then choose HTTP Listener. Under Rules, choose View/edit rules. Choose Edit Rule to modify the existing default rule to redirect all HTTP requests to HTTPS.
ELB sets an X-Forwarded-Proto header that allows you to tell which protocol the client used to connect to your load balancer. See the documentation.
You can configure Spring Security to look at this header; see this answer for example.
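One way to act on that header at the Tomcat layer rather than inside Spring Security, as an added example that is not part of the original answers: Tomcat's `RemoteIpValve` makes the request report `https` to the application, so the login redirect is built with the scheme the client actually used. The `internalProxies` pattern is a constructed placeholder for the subnet your load balancer nodes use, and the ports and host names are assumptions.

```xml
<!-- conf/server.xml (fragment). Added example; ports, host names and the
     internalProxies subnet are assumptions to adapt to your environment. -->
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">

    <!-- Plain-HTTP connector that only the load balancer should reach.
         Restrict it with a security group so that clients cannot connect
         to it directly and supply their own X-Forwarded-* headers. -->
    <Connector port="8080" protocol="HTTP/1.1" />

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">

        <!-- RemoteIpValve rewrites the request before the application sees it.
             When X-Forwarded-Proto is "https" the request reports
             scheme "https", isSecure() true and server port 443, so the
             redirect to the login page is generated as an https:// URL.

             The headers are honoured only when the TCP peer address matches
             internalProxies (or trustedProxies). Requests from any other
             address keep their real scheme and remote address, which stops
             a client from spoofing the header to look like an HTTPS caller.

             The pattern below is a placeholder for a 10.0.x.x VPC subnet;
             replace it with the range your load balancer nodes live in. -->
        <Valve className="org.apache.catalina.valves.RemoteIpValve"
               remoteIpHeader="X-Forwarded-For"
               protocolHeader="X-Forwarded-Proto"
               protocolHeaderHttpsValue="https"
               httpsServerPort="443"
               internalProxies="10\.0\.\d{1,3}\.\d{1,3}" />

      </Host>
    </Engine>
  </Service>
</Server>
```

With the valve in place the load balancer to Tomcat hop can stay on HTTP, provided the connector is reachable only from the load balancer.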