Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
How multiple droplets share resources Question Question
how to configure 2 droplets with HAProxy + keepalived Question Question

Question

What's needed for HTTP->HTTPS redirect in load balancer?

Posted October 2, 2019 5.8k views
Load Balancing

I’m using a couple of load balancers in front of my droplets and I only want to allow HTTPS traffic to the LB. There’s an option in the load balancer to “Redirect HTTP to HTTPS” that supposedly should redirect all calls on the 80 port on the load balancer to port 443?

This doesn’t seem to work as I get a “connection refused on port 80” when I access the droplet through the loadbalancer over http.

Is there some additional configuration needed for this redirect to work?

Add a comment
fredrikbostrom
By:
fredrikbostrom

Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
How multiple droplets share resources Question Question
how to configure 2 droplets with HAProxy + keepalived Question Question

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
2 answers
fredrikbostrom October 2, 2019

Thanks @bobbyiliev, that’s what I’ve done but when I test it out with curl http://domain.com I get a connection refused error for port 80. Using https works as expected.

I have configured a firewall blocking public access to port 80 the droplets from the internet, but I suppose that shouldn’t affect the redirecting, which should happen in the load balancer.

I must be doing something wrong, but can’t see what that would be.

Reply Report
  • bobbyiliev October 3, 2019

    Hello,

    That’s interesting, if you wish you could share the current firewall and load balancer rules that you have so I could advise you further?

    Regards,
    Bobby

    Reply Report
    • fredrikbostrom October 4, 2019

      Sure thing.

      Droplets listening ports:

      droplet-1:
      TCP 22
      TCP 80

      droplet-2:
      TCP 22
      TCP 8080

      Firewall inbound rules (both droplets attached):

      SSH TCP 22 ALL
      HTTP TCP 80 Only loadbalancer-1
      CUSTOM TCP 8080 Only loadbalancer-2

      Loadbalancer rules:

      loadbalancer-1 (droplet-1 attached):
      HTTPS 443 -> HTTP 80
      Algorithm: round robin
      Sticky session: off
      SSL: Redirect HTTP to HTTPS ON
      Proxy Protocol: Disabled

      loadbalancer-2 (droplet-2 attached):
      HTTPS 443 -> HTTP 8080
      Algorithm: round robin
      Sticky session: off
      SSL: Redirect HTTP to HTTPS ON
      Proxy Protocol: Disabled

      Reply Report
    • fredrikbostrom October 8, 2019

      @bobbyiliev any ideas based on the provided configuration?

      Reply Report
      • bobbyiliev October 9, 2019

        Hi @fredrikbostrom,

        I’ve tested this at my end, what I had to do is to add a rule on the load balancer from HTTP to HTTP to the droplet with HTTPS redirect enabled. That way the load balancer ‘knows’ that it has to listen on port 80 as well but at the same time the redirect is happening on the load balancer itself as well.

        That way the setup worked. To test it you could use curl with -IL flags, for me the output was:

        curl -IL LoadBalancerIP
...
HTTP/1.1 307 Temporary Redirect
Cache-Control: no-cache
Content-length: 0
Location: LoadBalancerIP

        Let me know how it goes!
        Regards,
        Bobby

        Reply Report
        • fredrikbostrom October 9, 2019

          Thanks @bobbyiliev that actually did the trick!

          I find it a bit odd though, to open up an insecure path to the server’s port 80 in the load balancer, and relying on the redirect not to let any traffic through.

          But I’m happy we found a working solution! Thanks for your help!

          Reply Report
bobbyiliev October 2, 2019

Hello,

Yes, it is possible to force the HTTP to HTTPS redirect. You can follow the steps on how to do that here:

https://www.digitalocean.com/docs/networking/load-balancers/how-to/ssl-termination/#force-ssl-traffic

Hope that this helps!
Regards,
Bobby

Reply Report

Related

Looking for something else?

Ask a new question Search for more help