The Ops Community ⚙️

Patrick Londa for Blink Ops

Posted on • Originally published at blinkops.com

Enforcing HTTP Redirection Across Your AWS Application Load Balancers

Web encryption protocols like Secure Sockets Layer (SSL) and Transport Layer Security (TLS) have been around for nearly three decades. By securing web data in transit, these security measures ensure that third parties can’t simply intercept unencrypted data and cause harm.

Hypertext Transfer Protocol Secure (HTTPS) uses the underlying SSL/TLS technology and is the standard way to communicate web data in an encrypted and authenticated manner, compared to the unsecured HTTP protocol.

If you want to enforce encryption on all data interacting with your service or application, you can do this by setting up a rule handled by your load balancer.

In this post, we’ll show you how to implement the industry best practice of redirecting all unencrypted HTTP data to the secure HTTPS protocol.

Setting Rules for Your Application Load Balancer

To set rules for your load balancer, you configure them at the listener level.

Listeners are processes that check for connection requests based on your port and protocol configurations. For example, you can use a listener to move functions required to perform encryption and decryption over to a load balancer. That way, your applications are free to focus on running internal business logic.

AWS listeners come set up with a default rule, which defines how the load balancer routes incoming requests. Developers have the option of defining additional rules for each listener. Every rule contains a priority, at least one action, and at least one condition. Users are free to create or update new rules for listeners as needed.

Setting an HTTP Redirection in AWS

Redirects give web servers the ability to move navigation from one URL to another. This means you can send HTTP requests directly to more secure HTTPS URLs. This standard best practice helps organizations achieve better security governance and hit compliance goals by providing more secure browsing to users. Using redirects also helps organizations rank higher in search results and earn a better Secure Sockets Layer (SSL)/Transport Layer Security (TLS) score for websites.

If you know you don’t already have this set up and want to add this rule, you can skip to Step 3 of the AWS CLI steps below.

Locating Application Load Balancers (ALBs) Without an HTTP Redirection

Here are the steps for locating any load balancers that do not have an HTTP redirect configured, and then adding one:

  1. Log in to the AWS Console, then navigate to the Amazon EC2 console.
  2. Look for LOAD BALANCING, and then select Load Balancers.
  3. Pick an Application Load Balancer to review.
  4. Click the Listeners tab to view the listeners configured for your current load balancer.
  5. Select the HTTP listener, then look at the rules outlined in the Rules column.
  6. If there is no HTTP rule defined, you don’t have a redirect set up to route traffic to HTTPS.
  7. Check the rest of the Load Balancers set up in your environment.

Finding the Relevant ALBs with the AWS CLI

If you want to use the AWS CLI instead, here are the CLI steps for finding load balancers and configuring them with HTTPS redirects.

Step 1: Run the command “describe-load-balancers” and add customized query filters

This command lists all of the ARNs, or Amazon Resource Names, for any ALBs located in your chosen AWS region.

# Replace us-west-1 with the region you want to check.
aws elbv2 describe-load-balancers \
  --region us-west-1 \
  --query 'LoadBalancers[?(Type == `application`)].LoadBalancerArn'

Step 2: Run the command “describe-listeners”

This command will output descriptions for each of the HTTP listeners set up for an ALB.

# Replace the region and the load balancer ARN with your own values.
# The query returns the ARN of every HTTP listener on the load balancer.
aws elbv2 describe-listeners \
  --region us-west-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-west-1:9876543290210:loadbalancer/app/cc-web-tsta-blb/abacabbada \
  --query 'Listeners[?(Protocol == `HTTP`)].ListenerArn'

Step 3: Add a rule that contains the redirect action

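You will need to add this rule to each HTTP listener. In the action below, #{host}, #{path} and #{query} are ALB reserved keywords that carry over the values of the original request. Set Port to the port of your HTTPS listener, and set StatusCode to HTTP_301 (permanent) or HTTP_302 (temporary), the two values an ALB redirect accepts.

[
    {
        "Type": "redirect",
        "RedirectConfig": {
            "Protocol": "HTTPS",
            "Host": "#{host}",
            "Query": "#{query}",
            "Path": "/#{path}",
            "Port": "443",
            "StatusCode": "HTTP_301"
        }
    }
]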
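An added example (not from the original post or from Blink): a Python audit over describe-listeners output that flags HTTP listeners whose default action does not redirect to HTTPS, and builds a replacement default action for each. The sample listeners, the shortened arn:example:... ARNs, port 443 and the HTTP_301 status code are assumptions.

```python
import json

# ALB redirect action; #{host}, #{path} and #{query} are ALB reserved keywords
# that reuse the values of the incoming request. Port and status are assumed.
REDIRECT_ACTION = {
    "Type": "redirect",
    "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "Host": "#{host}",
                       "Path": "/#{path}", "Query": "#{query}",
                       "StatusCode": "HTTP_301"},
}

def _listener(name, protocol, action):
    # Builds one entry of the constructed sample; ARNs are shortened placeholders.
    return {"ListenerArn": f"arn:example:listener/{name}", "Protocol": protocol,
            "DefaultActions": [action]}

# Constructed sample in the shape of describe-listeners output (not real resources).
SAMPLE = {"Listeners": [
    _listener("plain-forward", "HTTP",
              {"Type": "forward", "TargetGroupArn": "arn:example:tg/web"}),
    _listener("good-redirect", "HTTP", REDIRECT_ACTION),
    _listener("tls", "HTTPS",
              {"Type": "forward", "TargetGroupArn": "arn:example:tg/web"}),
    # Redirect that keeps the original scheme: still plaintext after the hop.
    _listener("same-scheme", "HTTP", {"Type": "redirect", "RedirectConfig": {
        "Protocol": "#{protocol}", "Host": "www.example.com",
        "StatusCode": "HTTP_302"}}),
]}

def redirects_to_https(action):
    """True only for a redirect action whose target protocol is HTTPS."""
    cfg = action.get("RedirectConfig") or {}
    return (action.get("Type") == "redirect"
            and str(cfg.get("Protocol", "")).upper() == "HTTPS")

def audit(doc):
    """ARNs of HTTP listeners whose default actions never redirect to HTTPS."""
    return [l["ListenerArn"] for l in doc.get("Listeners", [])
            if l.get("Protocol") == "HTTP"
            and not any(redirects_to_https(a) for a in l.get("DefaultActions", []))]

def remediation(doc):
    """One modify-listener input document per non-compliant listener."""
    return [{"ListenerArn": arn, "DefaultActions": [REDIRECT_ACTION]}
            for arn in audit(doc)]

if __name__ == "__main__":
    for item in remediation(SAMPLE):
        print(json.dumps(item))
```

Each emitted document can be passed to aws elbv2 modify-listener with --cli-input-json. Only default actions are inspected, so a listener that redirects through a non-default rule also needs its describe-rules output checked.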

Now that you know how to set up these redirect rules, you’ll be able to enforce encrypted communication between your application and end-users using SSL.

Automating Security Checks with Blink

Instead of having to look up the specific command for each of these actions, you could use a low-code tool like Blink to find and fix vulnerable resources in a couple clicks. Blink comes with pre-built automations that make enforcing CloudOps best practices simple.

Get started and create your free Blink account today.

Top comments (1)

Feng Lei

How can I contact Patrick Londa? I have some questions to ask