Help Center/ Elastic Load Balance/ Best Practices/ Using ELB to Redirect HTTP Requests to an HTTPS Listener for Higher Service Security
Updated on 2024-11-12 GMT+08:00
View PDF
Share

Using ELB to Redirect HTTP Requests to an HTTPS Listener for Higher Service Security

Scenarios

HTTPS is an extension of HTTP. HTTPS encrypts data between a web server and a browser. You can use ELB to redirect HTTP requests to an HTTPS listener to improve your service security.

  • If the listener protocol is HTTP, only the GET or HEAD method can be used for redirection. If you create a redirect for an HTTP listener, the client browser will change POST or other methods to GET. If you want to use other methods rather than GET and HEAD, add an HTTPS listener.
  • HTTP requests are forwarded to the HTTPS listener as HTTPS requests, which are then routed to backend servers over HTTP.
  • If HTTP requests are redirected to an HTTPS listener, no certificate can be deployed on the backend servers associated with the HTTPS listener. If certificates are deployed, HTTPS requests will not take effect.

Prerequisites

  • You have created a dedicated load balancer. For details, see Creating a Dedicated Load Balancer.
  • You have created two ECSs (ECS_client and ECS_server) that are running in the same VPC as the dedicated load balancer. ECS_client sends HTTP requests, while ECS_server processes requests. For details, see Purchasing an ECS.
  • You have gotten a server certificate ready for adding an HTTPS listener. For details, see Adding a Server Certificate.

Procedure

Figure 1 Procedure for redirecting HTTPS requests to an HTTPS listener

Step 1: Create an HTTPS Listener

  1. Go to the load balancer list page.
  2. On the displayed page, locate the target load balancer and click its name.
  3. On the Listeners tab, click Add Listener. Configure the parameters based on Table 1.
    Figure 2 Adding an HTTPS listener
    Table 1 Parameters for configuring an HTTPS listener

    Parameter

    Example Value

    Description

    Name

    listener-HTTPS

    Specifies the listener name.

    Frontend Protocol

    HTTPS

    Specifies the protocol that will be used by the load balancer to receive requests from clients.

    Frontend Port

    443

    Specifies the port that will be used by the load balancer to receive requests from clients.

    SSL Authentication

    One-way authentication

    Specifies how you want the clients and backend servers to be authenticated. In this practice, One-way authentication is selected.

    Server Certificate

    The existing server certificate

    Specifies the certificate that will be used by the backend server for SSL handshake negotiation to authenticate clients and ensure encrypted transmission.

    Enable SNI

    Not enabled

    Specifies whether to enable SNI when HTTPS is used as the frontend protocol. SNI can be used when a server uses multiple domain names and certificates.

    Access Control

    All IP addresses

    Specifies how access to the listener is controlled. Access from specific IP addresses can be controlled using a whitelist or blacklist.

    Transfer Client IP Address

    Enabled by default

    Specifies whether to transmit IP addresses of the clients to backend servers.

    Advanced Forwarding

    Enabled

    Specifies whether to enable the advanced forwarding policy. You can add advanced forwarding policies to HTTP or HTTPS listeners to forward requests to different backend server groups.
  4. Retain the default values for parameters under Advanced Settings and click Next: Configure Request Routing Policy.
  5. Select Create new for Backend Server Group, retain the default values for other parameters, and click Next: Add Backend Server.
  6. Add ECS_server to the backend server group you have created, enable Health Check, and retain the default values for the health check.
  7. Click Next: Confirm and then click Submit.

Step 2: Configure HTTP to HTTPS Redirection

You can enable redirection when adding an HTTP listener and select an HTTPS listener to which requests are redirected. Alternatively, you can add a forwarding policy for an HTTP listener to redirect requests to an HTTPS listener.

  1. Log in to the management console.
  2. In the upper left corner of the page, click and select the desired region and project.
  3. Click in the upper left corner to display Service List and choose Networking > Elastic Load Balance.
  4. On the Load Balancers page, locate the target load balancer and click its name.
  5. On the Listeners tab, click Add Listener. Configure the parameters based on Table 2.
    Figure 3 Adding an HTTP Listener
    Table 2 Parameters for configuring an HTTP listener

    Parameter

    Example Value

    Description

    Name

    listener-HTTP

    Specifies the listener name.

    Frontend Protocol

    HTTP

    Specifies the protocol that will be used by the load balancer to receive requests from clients.

    Frontend Port

    80

    Specifies the port that will be used by the load balancer to receive requests from clients.

    Redirect

    Enabled

    Specifies whether to enable redirection. You can use this function to redirect the requests from an HTTP listener to an HTTPS listener to ensure security.

    Redirected To

    listener-HTTPS

    Specifies the HTTPS listener to which requests are redirected. Select the HTTPS listener created in section Step 1: Create an HTTPS Listener, listener-HTTPS.

    Access Control

    All IP addresses

    Specifies how access to the listener is controlled. Access from specific IP addresses can be controlled using a whitelist or blacklist.

    Transfer Client IP Address

    Enabled by default

    Specifies whether to transmit IP addresses of the clients to backend servers.

    Advanced Forwarding

    Enabled

    Specifies whether to enable the advanced forwarding policy. You can add advanced forwarding policies to HTTP or HTTPS listeners to forward requests to different backend server groups.
  6. Retain the default values for parameters under Advanced Settings and click Next: Confirm.
  7. Click Submit.
  1. Log in to the management console.
  2. In the upper left corner of the page, click and select the desired region and project.
  3. Click in the upper left corner to display Service List and choose Networking > Elastic Load Balance.
  4. On the Load Balancers page, locate the target load balancer and click its name.
  5. On the Listeners tab, click Add Listener. Configure the parameters based on Table 3.
    Figure 4 Adding an HTTP Listener
    Table 3 Parameters for configuring an HTTP listener

    Parameter

    Example Value

    Description

    Name

    listener-HTTP

    Specifies the listener name.

    Frontend Protocol

    HTTP

    Specifies the protocol that will be used by the load balancer to receive requests from clients.

    Frontend Port

    80

    Specifies the port that will be used by the load balancer to receive requests from clients.

    Redirect

    Not enabled

    Specifies whether to enable redirection. You can use this function to redirect the requests from an HTTP listener to an HTTPS listener to ensure security.

    Access Control

    All IP addresses

    Specifies how access to the listener is controlled. Access from specific IP addresses can be controlled using a whitelist or blacklist.

    Transfer Client IP Address

    Enabled by default

    Specifies whether to transmit IP addresses of the clients to backend servers.

    Advanced Forwarding

    Enabled

    Specifies whether to enable the advanced forwarding policy. You can add advanced forwarding policies to HTTP or HTTPS listeners to forward requests to different backend server groups.
  6. Retain the default values for parameters under Advanced Settings and click Next: Configure Request Routing Policy.
  7. Select Create new for Backend Server Group, retain the default values for other parameters, and click Next: Add Backend Server.
  8. Add ECS_server to the backend server group you have created, enable Health Check, and retain the default values for the health check.
  9. Click Next: Confirm and then click Submit.
  10. On the Configuration Result page, click Add now under the Next: Add a Forwarding Policy (Optional) area.
  11. Click Add Forwarding Policy to configure redirection.
    Table 4 Configuring parameters for redirection

    Parameter

    Setting

    Action

    Select Redirect to another listener.

    Listener

    Select the HTTPS listener to which requests are redirected.
  12. After the forwarding policy is added, click Save.
    Figure 5 Redirection to an HTTPS listener
  • After the redirection is added, the configurations for the HTTP listener will not be applied, but access control configured for that listener will still be applied.
  • After the redirection is added for an HTTP listener, the backend server will return 301 Moved Permanently to the clients.

Step 3: Verify the Redirection to HTTPS

Remotely log in to ECS_client and run curl -H "Accept-Language: zh-CN,zh" "http://ELB-private-IP-address:80 to check whether HTTP requests are redirected.

If 301 Moved Permanently is returned, as shown in the below figure, HTTP requests are directed to an HTTP listener.

Figure 6 Verifying redirection to an HTTPS listener