Calamari

Reputation: 29

Configuring AWS ALB to redirect http traffic to https (to a Docker container "service" running in AWS ECS)

Background: I have configured a Docker image (based on an NGINX image) and uploaded it to AWS ECR - Elastic Container Service, then deployed it to AWS ECS, where it runs perfectly. I can access the deployed (Flask) app via http or https when using the IP address that the ECS Task advises me is where this app deploys. This is great!

My Problem: I want to access this app via demo.mydomain.net (rather than IP address) and additionally have all incoming traffic redirected to https, so I turned to AWS ALB - Application Load Balancer (with AWS Certificate Manager (ACM) and Route 53)

I cannot work out how to configure the ALB, and have no idea why it's not working after trying MANY different settings and configurations, and I am sure it's incredibly easy, but I can't work it out.

The problem to me is there seems to be a disconnect between the domain/ELB (which I have configured with CNAME entries) and the A record to redirect to the alias "dualstack.my-domain-82823732.us-west-2.elb.amazonaws.com."

Things I have tried

Things I have noticed: When I enter demo.mydomain.net into my browser, it is redirected to https://demo.mydomain.com (Great!!) BUT I get "The Site Can't be Reached" and my application logs never receive any traffic from this https://demo.mydomain.net request... I can see the ALB is returning the 301 response, but then I see "cancelled" in the traffic... (see screenshot) Browser network logs

Would appreciate guidance on this, it seems an incredibly simple task (that I have successfully done in the past with a static website), which leads me to believe there is some complexity of the NGINX Docker image and the ALB, but the logs don't support this theory and I am out of ideas. Thank you!!

One interesting point is that if I enter the DNS "A Record" address of the load balancer, then it will display the site (via http, not https).

Upvotes: 0

Views: 1066

Answers (2)

M Alok

Reputation: 1081

It's a very typical case; I have also configured an ALB in this way. This is how I have done it. The following ALB configuration is required:

  1. Two listeners, one on 443 and one on 80
  2. Two rules under the 443 listener
  3. One rule under the 80 listener

The Listener on Port 80 will have one rule to forward requests to HTTPS retaining ${Host}, ${Path} and ${query} string.

The Listener on Port 443 will have two rules: one (default), to forward requests to target group instances/Fargate, and two, to redirect the base URL example.domain.com to a subdomain URL such as example.domain.com/path or some other URL in another domain.

The order of evaluation for rules under 443 has to be such that the redirect rule goes first and then the forward rule, the default one.

This is how it all looks on AWS console.

listeners on ALB

Rules under listener 443

Rules under listener 80

Upvotes: 1
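
An added example, not part of the original question or of either answer: a Python check over listener definitions shaped like the `describe_listeners` output of boto3's `elbv2` client, confirming the layout the answer above describes (port 80 redirects to HTTPS while keeping host, path and query, and an HTTPS listener exists on the port the redirect points at). The sample listeners, the `redirect` helper and the target group ARN are constructed placeholders.

```python
# Constructed sample data shaped like boto3 elbv2 describe_listeners()["Listeners"].
# ALB spells the parts to retain as #{host}, /#{path} and #{query} (also its defaults).
KEEP = {"Host": "#{host}", "Path": "/#{path}", "Query": "#{query}"}

def audit_listeners(listeners):
    """Return findings for one ALB's listeners; an empty list means the layout is sound."""
    findings = []
    https_ports = {str(l["Port"]) for l in listeners if l["Protocol"] == "HTTPS"}
    for l in listeners:
        if l["Protocol"] != "HTTP":
            continue
        name = f"HTTP:{l['Port']}"
        # ALB requires the final default action to be forward, redirect or fixed-response.
        action = l["DefaultActions"][-1]
        if action["Type"] != "redirect":
            findings.append(f"{name} default action is '{action['Type']}', plaintext is served")
            continue
        cfg = action["RedirectConfig"]
        if cfg.get("Protocol", "#{protocol}") != "HTTPS":
            findings.append(f"{name} redirect does not switch to HTTPS")
        port = cfg.get("Port", "#{port}")
        port = str(l["Port"]) if port == "#{port}" else port  # placeholder keeps the port
        if port not in https_ports:
            findings.append(f"{name} redirects to port {port}, which has no HTTPS listener")
        for key, keep in KEEP.items():
            if cfg.get(key, keep) != keep:
                findings.append(f"{name} redirect rewrites {key} to {cfg[key]!r}")
    return findings

def redirect(**over):
    """Hypothetical helper: build a redirect action, overriding selected fields."""
    cfg = {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301", **KEEP, **over}
    return {"Type": "redirect", "RedirectConfig": cfg}

FORWARD = {"Type": "forward", "TargetGroupArn": "arn:aws:elasticloadbalancing:EXAMPLE"}
HTTPS_443 = {"Port": 443, "Protocol": "HTTPS", "DefaultActions": [FORWARD]}
GOOD = [{"Port": 80, "Protocol": "HTTP", "DefaultActions": [redirect()]}, HTTPS_443]
DEAD_END = [GOOD[0]]  # 80 redirects, but nothing answers on 443
PLAINTEXT = [{"Port": 80, "Protocol": "HTTP", "DefaultActions": [FORWARD]}, HTTPS_443]
LOSSY = [{"Port": 80, "Protocol": "HTTP", "DefaultActions": [redirect(Path="/")]}, HTTPS_443]

if __name__ == "__main__":
    for label, sample in [("good", GOOD), ("dead end", DEAD_END),
                          ("plaintext", PLAINTEXT), ("lossy", LOSSY)]:
        print(f"{label}: {audit_listeners(sample) or 'ok'}")
```

Against a live account, the same function can be fed the `Listeners` list returned for one load balancer ARN.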

Calamari

Reputation: 29

Turns out it was simple... I needed to configure the listener the other way around (on 443 redirecting from 80) rather than the other way around: listener config

Upvotes: 0
