Redirect to https through url rewrite in IIS within elastic beanstalk's load balancer
How do you use IIS's url rewrite module to force users to use ssl while you are behind an elastic beanstalk load balancer?
Answer
This is more difficult than it sounds for a few reasons. One, the load balancer is taking care of ssl so requests passed from the load balancer are never using ssl. If you use the traditional rewrite rule you will get an infinite loop of redirects. Another issue to contend with is that the AWS healthcheck will fail if it receives a redirect response.
- The first step in the solution is to create a healthcheck.html page and set it in the root directory. It doesn't matter what the content is.
- Set your load balancer to use the healthcheck.html file for health checks.
Add the rewrite rule below in your web.config's
<system.webServer><rewrite><rules>section:<rule name="Force Https" stopProcessing="true"> <match url="healthcheck.html" negate="true" /> <conditions> <add input="{HTTP_X_FORWARDED_PROTO}" pattern="https" negate="true" /> </conditions> <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" /> </rule>
Notice that the rule match is on anything but our healthcheck file. This makes sure the load balancer's health check will succeed and not mistakenly drop our server from the load.
The load balancer passes the X-Forwarded-Proto value in the header which lets us know if the request was through https or not. Our rule triggers if that value is not https and returns a permanent redirect using https.