Reputation: 373
AWS Elastic Beanstalk load balancer is redirecting to HTTPS - does my app still need UseHttpsRedirection() and UseHsts()?
First, let me say that this is the first time I have written an ASP.NET Core 3.1 web app and first time learning AWS with Elastic Beanstalk. So if it seems like I'm confused... it's because I am. ;-)
I have two AWS environments - one is Staging and one is Production. The Staging environment has no SSL certificate and no load balancer. It only listens on port 80.
Production has a load balancer set up with my SSL certificate, and is set up to redirect all port 80 traffic to port 443.
Port 80 = Redirect to https://#{host}:443/#{path}?#{query} Status code:HTTP_301
Port 443 = Forward to my-target-group: 1 (100%) Group-level stickiness: Off
When I generated the new web app in VS 2019, I opted in on HTTPS/HSTS by checking "Configure for HTTPS". So it has this in Startup.cs:
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
app.UseHttpsRedirection();
I am getting this error in my Windows event log in Staging and Production: “Failed to determine the https port for redirect”
I tried the suggestion from Enforce HTTPS in ASP.NET Core
services.AddHttpsRedirection(options =>
{
options.HttpsPort = 443;
});
But that messed up the Staging environment because there's nothing listening on port 443.
Since Staging is only using HTTP, and Production is redirecting to HTTPS at the load balancer, should I just remove the UseHsts() and UseHttpsRedirection() altogether from my Startup? Will that pose any security problems - I do want traffic encrypted over the internet but I don't think it's necessary between the load balancer and the EC2 instance, correct?
Or do I need Forwarded headers, as suggested at Configure ASP.NET Core to work with proxy servers and load balancers?
Upvotes: 0
Views: 1005
Answers (1)
Reputation: 238957
I do want traffic encrypted over the internet but I don't think it's necessary between the load balancer and the EC2 instance, correct?
Correct. That's how it is usually setup. So you usually would have SSL termination on your load balancer (LB), and then from LB to your instance it would be regular http traffic:
Client----(https)---->LB----(http)---->instances
does my app still need UseHttpsRedirection() and UseHsts()?
No, as your app is just recieving http traffic only from the LB.
Upvotes: 1
Related Questions
- How to redirect HTTPS to HTTP on ELB Application Load Balancer
- Redirect http to https AWS Application Load Balancer
- Load Balancer unable to redirect from HTTP to HTTPS in Elastic Beanstalk
- Redirect http to https on Beanstalk's ALB without support of https on the instance
- .net Core - HTTPS with AWS Load Balancer and Elastic Beanstalk doesn't work
- Using Application Load Balancer with HTTPS
- Redirect Http Url to Https in Elastic beanstalk loadbalancer
- Spring Boot & ELB - How do I make the load balancer redirect http to https?
- Unable to force HTTPS for website running ASP.NET on Elastic Beanstalk AWS (With classic Load Balancer)
- Https on Elastic Beanstalk Without Load Balancer