DEV Community

John Smith
John Smith

Posted on • Originally published at solrevdev.com on

Force HTTP To HTTPS Redirect Via AWS Elastic Load Balancer

#aws #iis #https #ssl

Forcing HTTP to HTTPS redirect on IIS via AWS Elastic Load Balancers

Today I replaced an aging ASP.NET web forms web application with a new static site which for now is just a landing page with a contact form and in doing so needed to force any insecure HTTP requests to HTTPS.

A bit of a gotcha was an error on the redirect and the issue was the HTTP_X_FORWARDED_PROTO header also needed to be forwarded along with the redirect.

For example :

<conditions logicalGrouping="MatchAny">
   <add input="{HTTP_X_FORWARDED_PROTO}" pattern="^http$" />
   <add input="{HTTPS}" pattern="on" />
</conditions>

Next up, I needed to redirect any users who were going to .aspx pages that no longer existed to a custom 404 HTML page not found page.

This just needed adding to web.config like so :

  <system.web>
      <compilation targetFramework="4.0" />
      <customErrors mode="On" redirectMode="ResponseRewrite">
         <error statusCode="404" redirect="404.html" />
      </customErrors>
   </system.web>

   <system.webServer>
      <httpErrors errorMode="Custom">
         <remove statusCode="404"/>
         <error statusCode="404" path="/404.html" responseMode="ExecuteURL"/>
      </httpErrors>
   </system.webServer>

So here it is for the next time I have to do something similar, This is the full web.config that needs to in the root folder of the site.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.web>
        <compilation targetFramework="4.0" />
        <customErrors mode="On" redirectMode="ResponseRewrite">
            <error statusCode="404" redirect="404.html" />
        </customErrors>
    </system.web>
    <system.webServer>
        <httpErrors errorMode="Custom">
            <remove statusCode="404"/>
            <error statusCode="404" path="/404.html" responseMode="ExecuteURL"/>
        </httpErrors>
        <rewrite>
            <rules>
                <rule name="HTTPS Rule behind AWS Elastic Load Balancer" stopProcessing="true">
                    <match url="(.*)" ignoreCase="false" />
                    <conditions logicalGrouping="MatchAny">
                        <add input="{HTTP_X_FORWARDED_PROTO}" pattern="^http$" />
                        <add input="{HTTPS}" pattern="on" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

And to test that the site works I entered it onto https://www.whynopadlock.com/ which gave me the confidence that all was well.

Success 🎉

Top comments (0)

Read next

psantus profile image

How to run PHP on AWS ServerLess architecture ? Part 2 - introducing Bref runtime

Paul SANTUS -

noorscript profile image

🔐 Unlocking the Secrets of Data Security: Cryptography, Encryption, and Hashing Made Simple 🛡️

Noor Fatima -

mursalfk profile image

LLMs - Behind the Scenes

Mursal Furqan Kumbhar -

aws-cloudsec profile image

Issue 60 of AWS Cloud Security Weekly

AJ -