I have an ELB (Amazon Elastic Load Balancer) configured to load balance end users' requests on HTTPS. On the backend I have my application running on a Tomcat server which is configured on HTTP.
So when my end users make a request to the application, the request will be on HTTPS, since they access the ELB; the ELB then internally redirects it on HTTP to the Tomcat server. In Tomcat my application is protected through Spring Security, and if the request is for a protected resource and the user is not logged in, the user is redirected to the configured login page. Now, this redirection to the end user will be over HTTP, since the Tomcat server originally got the request from the ELB as HTTP. This will now lead to a 404, since I have not configured for inward traffic on HTTP.
How do we resolve this issue? Is the only option to have HTTPS both on the enduser-ELB and from ELB-tomcat, or am I missing something here?
ELB sets an X-Forwarded-Proto header that allows you to tell which protocol the client used to connect to your load balancer. See the documentation.
You can configure Spring Security to look at this header; see this answer for example.
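
One way to make Tomcat itself honor the header, so that redirects are built with the client's original scheme, is Tomcat's RemoteIpValve. This is an added example, not part of the original answer; the `internalProxies` pattern is a constructed placeholder for the subnets your ELB nodes connect from.

```xml
<!-- conf/server.xml, inside the <Host> element (added example) -->
<!--
  RemoteIpValve rewrites what the servlet API reports (getScheme(),
  isSecure(), getServerPort(), getRemoteAddr()) from the forwarded
  headers, but only when the TCP peer address matches internalProxies.
  Requests from any other peer keep their real values, so a client that
  reaches Tomcat directly cannot claim "https" by sending the header.
-->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https"
       httpsServerPort="443"
       internalProxies="10\.0\.\d{1,3}\.\d{1,3}" />
<!--
  internalProxies is a regular expression matched against the full peer
  address. The value above is a constructed placeholder (10.0.0.0/16);
  replace it with the private ranges of the subnets the ELB is attached to.
-->
```

Keep the Tomcat HTTP port reachable only from the load balancer (for example through its security group), so the header is always set by the ELB rather than by an arbitrary client.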