Redirect Elastic Beanstalk HTTP requests to HTTPS with nginx

Question

I want a redirect from HTTP request to HTTPS on Elastic Beanstalk with nginx as proxy system.

I've found a lot of advices on Google but no one helped, it doesn't redirect.

That is my current test.config file in .ebexentions directory:

files:
"/etc/nginx/conf.d/proxy.conf" :
    mode: "000644"
    owner: root
    group: root
    content: |
        server{
            if ($http_x_forwarded_proto = "http") {
                return 301 https://$host$request_uri;
            }
        }

I've also tried countless other settings, none of them worked.

That are my load balancer settings:

I hope you can help me. :)

Answer 1

Some considerations:

1 - New Amazon Elastic Beanstalk platform versions running Amazon Linux 2 have a different path of reverse proxy configuration:

~/workspace/my-app/
|-- .platform
|   `-- nginx
|      `-- conf.d
|         `-- elasticbeanstalk
|            `-- 00_application.conf
`-- other source files

https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/platforms-linux-extend.html

2 - The AWS ELB Health Checker appears to be unable to check HTTPS endpoints. Surely, if you are using a custom certificate for your domain, is unable to act a check in what he considers an "untrusted site". https://your-eb-app.eu-west-3.elasticbeanstalk.com published with a certificate registered for your organization with this DNS alias https://your-eb-app.your-organization.com causes ELB Health Checker error (certificate domain mismatch).

3 - The configuration suggested exposes all locations to ANY client which shows up with "ELB-HealthChecker*" user-agent on the standard HTTP port (80); not quite what we want :-)

You can configure ELB Health Checker to accept the HTTP 301 status, but it doesn't have much use; a simple redirect response does not mean that our web application is in good health :-)

A more secure solution is a dedicated health check endpoint configuration:

location / {
    set $redirect 0;
    if ($http_x_forwarded_proto != "https") {
        set $redirect 1;
    }
    if ($redirect = 1) {
        return 301 https://$host$request_uri;
    }   

    proxy_pass        http://127.0.0.1:5000;
    proxy_http_version  1.1;

    proxy_set_header    Connection         $connection_upgrade;
    proxy_set_header    Upgrade            $http_upgrade;
    proxy_set_header    Host               $host;
    proxy_set_header    X-Real-IP          $remote_addr;
    proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
}

location = /health-check.html {
    set $redirect 0;
    if ($http_x_forwarded_proto != "https") {
        set $redirect 1;
    }
    if ($http_user_agent ~* "ELB-HealthChecker") {
        set $redirect 0;
    }
    if ($redirect = 1) {
        return 301 https://$host$request_uri;
    }   

    proxy_pass        http://127.0.0.1:5000;
    proxy_http_version  1.1;

    proxy_set_header    Connection         $connection_upgrade;
    proxy_set_header    Upgrade            $http_upgrade;
    proxy_set_header    Host               $host;
    proxy_set_header    X-Real-IP          $remote_addr;
    proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
}