We have a system running on Amazon's Beanstalk. We would like to limit access to the server to HTTPS only. When blocking HTTP in the environment settings, it prevents access through the Beanstalk DNS. However, if someone knows the public IP (or name) of any of the servers, he can access them directly through HTTP. It seems that the LB forwards the requests to port 80, so we cannot change the security group and remove port 80. Is there a simple way to limit HTTP access to be only from the LB? Thanks
You should be able to do this through EC2 Security Groups, which is an Elastic Beanstalk environment property.
By default this allows connections to port 80 from any IP address, but you could remove that rule or replace it with your own IP address (for testing purposes).
Failing that, you could reroute all HTTP traffic to HTTPS at the application level or simply test the CGI property *server_port_secure* and refuse to answer.
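An added example (not part of the original answer) of checking the outcome the question asks for: it reads the instance security group as returned by `aws ec2 describe-security-groups` and reports every port 80 source other than the load balancer's security group. The sample JSON and both group IDs are constructed placeholders.

```python
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output
# for the instance security group; all IDs are placeholders.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-instance-placeholder", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
   "UserIdGroupPairs": [{"GroupId": "sg-lb-placeholder"}]},
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": [],
   "UserIdGroupPairs": []}
]}]}
""")


def covers_port(perm, port):
    """True if the rule applies to TCP `port` (protocol -1 means all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def http_exposures(description, lb_group_id, port=80):
    """Return (group_id, source) for every port-80 source other than the LB group."""
    findings = []
    for group in description["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            if not covers_port(perm, port):
                continue
            # Any CIDR source bypasses the load balancer, IPv4 or IPv6.
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            # Group-to-group rules are fine only when the group is the LB's.
            sources += [p.get("GroupId") for p in perm.get("UserIdGroupPairs", [])
                        if p.get("GroupId") != lb_group_id]
            findings += [(group["GroupId"], s) for s in sources]
    return findings


if __name__ == "__main__":
    for group_id, source in http_exposures(SAMPLE, "sg-lb-placeholder"):
        print(f"{group_id}: port 80 reachable from {source}")
```

An empty result means port 80 on the instances is reachable only from the load balancer's security group, so direct HTTP requests to an instance's public IP are dropped while the LB can still forward to it.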