What's needed for HTTP->HTTPS redirect in load balancer?

October 2, 2019

I’m using a couple of load balancers in front of my droplets and I only want to allow HTTPS traffic to the LB. There’s an option in the load balancer to “Redirect HTTP to HTTPS” that supposedly should redirect all calls on the 80 port on the load balancer to port 443?

This doesn’t seem to work as I get a “connection refused on port 80” when I access the droplet through the load balancer over http.

Is there some additional configuration needed for this redirect to work?

2 Answers

Thanks @bobbyiliev, that’s what I’ve done but when I test it out with curl http://domain.com I get a connection refused error for port 80. Using https works as expected.

I have configured a firewall blocking public access to port 80 on the droplets from the internet, but I suppose that shouldn’t affect the redirecting, which should happen in the load balancer.

I must be doing something wrong, but can’t see what that would be.

  • Hello,

    That’s interesting, if you wish you could share the current firewall and load balancer rules that you have so I could advise you further?

    Regards,
    Bobby

    • Sure thing.

      Droplets listening ports:

      droplet-1:
      TCP 22
      TCP 80

      droplet-2:
      TCP 22
      TCP 8080

      Firewall inbound rules (both droplets attached):

      SSH TCP 22 ALL
      HTTP TCP 80 Only loadbalancer-1
      CUSTOM TCP 8080 Only loadbalancer-2

      Loadbalancer rules:

      loadbalancer-1 (droplet-1 attached):
      HTTPS 443 -> HTTP 80
      Algorithm: round robin
      Sticky session: off
      SSL: Redirect HTTP to HTTPS ON
      Proxy Protocol: Disabled

      loadbalancer-2 (droplet-2 attached):
      HTTPS 443 -> HTTP 8080
      Algorithm: round robin
      Sticky session: off
      SSL: Redirect HTTP to HTTPS ON
      Proxy Protocol: Disabled

    • @bobbyiliev any ideas based on the provided configuration?

      • Hi @fredrikbostrom,

        I’ve tested this at my end, what I had to do is to add a rule on the load balancer from HTTP to HTTP to the droplet with HTTPS redirect enabled. That way the load balancer ‘knows’ that it has to listen on port 80 as well but at the same time the redirect is happening on the load balancer itself as well.

        That way the setup worked. To test it you could use curl with -IL flags, for me the output was:

        curl -IL LoadBalancerIP
        ...
        HTTP/1.1 307 Temporary Redirect
        Cache-Control: no-cache
        Content-length: 0
        Location: LoadBalancerIP
        

        Let me know how it goes!
        Regards,
        Bobby

        • Thanks @bobbyiliev that actually did the trick!

          I find it a bit odd though, to open up an insecure path to the server’s port 80 in the load balancer, and relying on the redirect not to let any traffic through.

          But I’m happy we found a working solution! Thanks for your help!

          • Hi @fredrikbostrom

            I’m happy to hear that it’s working!

            The good thing is that the request would be redirected on the loadbalancer itself so that the insecure requests would never reach the droplet.

            Regards,
            Bobby
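
A check for the concern raised in this thread, that the port 80 forwarding rule might serve plaintext instead of redirecting: this added example (not from the posters or DigitalOcean) classifies the headers that `curl -sI` prints for the load balancer's port 80. The function names, verdict strings and `lb.example.com` are assumptions, and the sample responses are constructed.

```shell
# Classify the response headers a load balancer returns on port 80.
# Input (stdin): raw header text as printed by `curl -sI http://<lb-host>/`.
# Output: one verdict word; exit status 0 only for a redirect to https://.
classify_port80() {
    # curl prints CRLF line endings; strip the carriage returns first.
    headers=$(tr -d '\r')
    if [ -z "$headers" ]; then
        # No response at all (e.g. "connection refused"): nothing listens on 80.
        echo "no-listener"; return 2
    fi
    # Status code is the second field of the first line (HTTP/1.1 307 ...).
    status=$(printf '%s\n' "$headers" | awk 'NR==1 {print $2}')
    # Header names are case-insensitive; take the first Location header.
    location=$(printf '%s\n' "$headers" |
        awk 'tolower($1)=="location:" {print $2; exit}')
    case "$status" in
        301|302|303|307|308)
            case "$location" in
                https://*) echo "redirect-to-https"; return 0 ;;
                *)         echo "redirect-not-https"; return 1 ;;
            esac ;;
        *)  # Any other status: port 80 answered without redirecting.
            echo "plaintext-served"; return 1 ;;
    esac
}

# Constructed sample responses (not captured from a real load balancer).
sample_redirect() {
    printf 'HTTP/1.1 307 Temporary Redirect\r\nCache-Control: no-cache\r\n'
    printf 'Content-length: 0\r\nLocation: https://lb.example.com/\r\n\r\n'
}
sample_plain() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
}

sample_redirect | classify_port80          # prints redirect-to-https
sample_plain | classify_port80 || true     # prints plaintext-served

# Against a live balancer (lb.example.com is a placeholder hostname):
#   curl -sI --max-time 5 http://lb.example.com/ | classify_port80
```

Run it without `-L` so the verdict reflects what port 80 itself answers, not the HTTPS page curl would follow the redirect to.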

Hello,

Yes, it is possible to force the HTTP to HTTPS redirect. You can follow the steps on how to do that here:

https://www.digitalocean.com/docs/networking/load-balancers/how-to/ssl-termination/#force-ssl-traffic

Hope that this helps!
Regards,
Bobby
