How can I redirect HTTP requests to HTTPS using an Application Load Balancer for an application on port 3000?

0

Hello all, I have a nodejs /react app on EC2 linux. I do not want to add any additional web products. I created an ALB with a Target Group that contains the instance running my application. I have installed my SSL certificate and have it in the AWS Certificate manager.
When I go to my ALB and plug in my DNS name info into a browser, the site comes up, but it says "Insecure", certificate is not valid. I have a *.MyDomain.com cert because I am using this cert for a sub domain that houses my application. My target group is healthy. My listeners appear to be correct. If I go to the HTTP address :3000 the site wors as expected, and I get the Not Secure message. If I go to HTTPS address I just get a "Site can't be reached" message. Any ideas and or suggestions on how to get the HTTPS working with the cert for an app that runs on port 3000? Thanks in advance.

cxc
asked 9 months ago1403 views
2 Answers
1
Accepted Answer

I go to the HTTP address :3000 the site wors as expected .... how to get the HTTPS working with the cert for an app that runs on port 3000?

You can't have HTTP and HTTPS listening on the same port, only one or the other.

Have I undertood this correctly, at the back end you have an EC2 instance with your app listening on HTTP on port 3000?

I think the way to do this is to have the load balancer listening on port 80 (HTTP) and 443 (HTTPS), with a listener rule that redirects 80 to 443 https://repost.aws/knowledge-center/elb-redirect-http-to-https-using-alb

And a listener on port 443 which forwards to the target group on port 3000.

This way, you hit http://[your_ALB]/ (port 80 implied) and it redirects to https://[your_ALB]/ (port 443 implied) where the connection is validated using the cert you got from AWS Certificate Manager. From there it goes on to http://[your_EC2]:3000/

Hit https://[your_ALB]/ (port 443 implied) from a browser and it's the same, just without the initial redirect.

The ALB will need a security group allowing 80/tcp & 443/tcp inbound from 0.0.0.0/0, and 3000/tcp outbound to the EC2. The EC2 instance will need a security group rule allowing 3000/tcp from the ALB.

If you want, you could have another listener on port 3000 (you decide whether this is HTTP or HTTPS) which redirects to port 443 as well, just like port 80 alrewady does. If you choose to do this, add another ALB inbound rule on 3000/tcp.

profile picture
EXPERT
Steve_M
answered 9 months ago
  • Ok, so I have a listener listening on HTTP 80, that redirects to Https://my.subdomain.com:3000 I get a message that says This site can't provide a secure connection.

    I have a 2nd listener on HTTP:443 That forwards to HTTPS://my.subdomain.com:3000 I get the same message that says This site can't provide a secure connection.

    If I go to my loadbalancer and copy the dns name info and paste into a browser, I get a "Bad Gateway" error. Question, should the target group be HTTPS or HTTP?

    I feel like I am right there, but something is not correct. Thanks in advance.

  • Is my.subdomain.com a DNS record that points to EC2 or load balancer?

    I'm guessing it's on your EC2, and the error message "This site can't provide a secure connection" means whatever is listening on port 3000 is responding to a HTTPS request but doesn't have a cert to offer, or is offering a self-signed cert.

    There's no point passing a HTTPS connection to the EC2 and making it do the SSL offloading, because you already have an ALB with a valid cert, and this can do the SSL offloading for you.

    Listener #1 - plain HTTP on port 80, redirects to HTTPS on port 443 (see link in my previous answer) Listener #2 - HTTPS port 443, use the ACM cert here, pass through to target group with plain HTTP on port 3000

    Add a Route 53 alias pointing to your ALB, so a user hits either http://[ALB_alias]/ or https://[ALB_alias]/ and they end up getting certificate validation done on the ALB, and then passed through to the app on the EC2.

  • Hey Steve, I must be missing something. Listener #1 - plain HTTP on port 80, redirects to HTTPS on port 443 (see link in my previous answer) <-- this is dead on. Listener #2 - HTTPS port 443, use the ACM cert here, pass through to target group with plain HTTP on port 3000 <--- same here. I added the route 53 stuff. However the main domain site is not housed on AWS. If I go to my loadbalancer and copy the dns name info and paste into a browser it brings up the site, just says not secure. If I go to http or https my.subdomain.com nothing comes up. I get this site can't be reached. If I go to http://my.subdomain.com:3000 the site comes up, just not secure. If I go to https://my.subdomain.com:3000 i get "the site can't provide a secure connection" I'm wondering if i did the route 53 correctly. thanks for your help.

  • Okay I see it now.

    my.subdomain.com is a DNS record pointing to your EC2 instance, right? It must be, because something is listening on port 3000 at that address, and that can only be the EC2.

    The DNS record needs to be updated so it's pointing to your loadbalancer.

    Also, nothing on the loadbalancer/listener/target group should make any reference to my.subdomain.com, only to AWS resources.

  • So Lets kinda start over.

    1. DNS points to the ip for the instance provided by AWS.
    2. Loadbalancer updated: Listener 1 - plain http on port 80 points to the ALB DNS name. listener 2 https port 443 points to the target group that points to the instance with the application running on port 3000. Are you suggesting I have the Registrar DNS entry for the subdomain point to the ALB? (I updated the registrar to forward to the ALB) So going to http://my.subdomain.com I get http://ALB/application default page. (Not secure) How does that work with my *.domain.com SSl cert? Is there a way to may the ALB display as my.subdomain.com? However If I try to access via https: I get "can't reach this page" ... So close... Thanks again.
1

Hello.
Do you want to use port 3000 for HTTPS access?
Or do you mean that you want to access HTTPS:443 when accessed via HTTP:3000?

First, if you want to access with HTTPS:3000, I think you can solve this problem by setting the port number of the ALB HTTPS to 3000 in the listener rule.
At that time, HTTP access must be a number other than 3000.
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html

Next, we will explain how to access the site with HTTP:3000 and redirect to HTTPS:443.
This one creates a listener rule for HTTP:3000.
By setting a rule to redirect to HTTPS in the listener rule, HTTPS:443 will be accessed.

Incidentally, the ALB security group should be set to allow the necessary TCP ports.

profile picture
EXPERT
answered 9 months ago
  • I'd like for any user to go to Https://my.subdomain.com (It could be http as well, that'd just be a bonus) that then redirects to my app securely running on port 3000. Are we saying the same thing?

  • Hello Riku, I currently have the ALB listeners set up in what I think is the correct way. My issue today is that the site displays a non secure message with the AWS url displaying. How might I get teh URL to match my domain as well as sync up with my SSL Cert that matches my domain? Thanks in advance.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions