Enforcing HTTP Redirection Across Your AWS Application Load Balancers

In this post, we walk through how you can use your load balancer to set a rule for redirecting HTTP traffic to HTTPS.

Patrick Londa, Author
Feb 11, 2022 • 5 min read

Web encryption protocols like Secure Sockets Layer (SSL) and Transport Layer Security (TLS) have been around for nearly three decades. By securing web data in transit, these security measures ensure that third parties can’t simply intercept unencrypted data and cause harm.

Hypertext Transfer Protocol Secure (HTTPS) uses the underlying SSL/TLS technology and is the standard way to communicate web data in an encrypted and authenticated manner, compared to the unsecured HTTP protocol.  

If you want to enforce encryption on all data interacting with your service or application, you can do this by setting up a rule handled by your load balancer.

In this post, we’ll show you how to implement the industry best practice of redirecting all unencrypted HTTP data to the secure HTTPS protocol.

Setting Rules for Your Application Load Balancer

To set rules for your load balancer, you configure them at the listener level.

Listeners are processes that check for connection requests based on your port and protocol configurations. For example, you can use a listener to move functions required to perform encryption and decryption over to a load balancer. That way, your applications are free to focus on running internal business logic.

AWS listeners come set up with a default rule, which defines how the load balancer routes incoming requests. Developers have the option of defining additional rules for each listener. Every rule contains a priority, at least one action, and at least one condition. Users are free to create new rules or update existing ones for listeners as needed.

Setting an HTTP Redirection in AWS

Redirects give web servers the ability to move navigation from one URL to another. This means you can send HTTP requests directly to more secure HTTPS URLs. This standard best practice helps organizations achieve better security governance and hit compliance goals by providing more secure browsing to users. Using redirects also helps organizations rank higher in search results and achieve a better Secure Sockets Layer (SSL)/Transport Layer Security (TLS) score for websites.

If you know you don’t already have this set up and want to add this rule, you can skip to Step 3 of the AWS CLI steps in the following section.

Locating Application Load Balancers (ALBs) Without an HTTP Redirection

Here are the steps for locating any load balancers that do not have an HTTP redirect configured, and then adding one:

  1. Log in to the AWS Console, then navigate to the Amazon EC2 console.
  2. Look for LOAD BALANCING, and then select Load Balancers.
  3. Pick an Application Load Balancer to review.
  4. Click the Listeners tab to view the listeners configured for your current load balancer.
  5. Select the HTTP listener, then look at the rules outlined in the Rules column.
  6. If there is no HTTP rule defined, you don’t have a redirect set up to route traffic to HTTPS.
  7. Check the rest of the Load Balancers set up in your environment.

Finding the Relevant ALBs with the AWS CLI

If you want to use the AWS CLI instead, here are the CLI steps for finding load balancers and configuring them with HTTPS redirects.

  1. Run the command “describe-load-balancers” and add customized query filters.

This command lists all of the ARNs, or Amazon Resource Names, for any ALBs located in your chosen AWS region.

# Replace us-west-1 with the region you want to check.
aws elbv2 describe-load-balancers \
  --region us-west-1 \
  --query 'LoadBalancers[?(Type == `application`)].LoadBalancerArn'

  2. Run the command “describe-listeners”.

This command outputs the ARN of each HTTP listener set up for an ALB.

# Replace the region and the load balancer ARN with your own values.
# The query returns the ARN of every HTTP listener on the load balancer.
aws elbv2 describe-listeners \
  --region us-west-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-west-1:9876543290210:loadbalancer/app/cc-web-tsta-blb/abacabbada \
  --query 'Listeners[?(Protocol == `HTTP`)].ListenerArn'

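  3. Add a rule that contains the redirect action.

You will need to add this rule to each HTTP listener. In the action below, #{host}, #{path} and #{query} are reserved keywords that carry over the host name, path and query string of the original request. Set Port to the port of your HTTPS listener (443 is the standard HTTPS port). StatusCode must be HTTP_301 (permanent) or HTTP_302 (temporary); the load balancer accepts no other redirect status codes.

[
    {
        "Type": "redirect",
        "RedirectConfig": {
            "Protocol": "HTTPS",
            "Host": "#{host}",
            "Query": "#{query}",
            "Path": "/#{path}",
            "Port": "443",
            "StatusCode": "HTTP_301"
        }
    }
]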
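
The three CLI steps above combined into one audit-and-fix script, added here as an example (it is not Blink's automation or code from the original post). It checks only each HTTP listener's default action, and the function names and the AUDIT_REGION variable are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: audit one region for HTTP listeners that do not redirect to HTTPS.
# Assumes the AWS CLI is installed and credentials are configured.
# Function names and AUDIT_REGION are hypothetical, chosen for this example.

# The redirect action from step 3, as a JSON string.
REDIRECT_ACTION='[{"Type":"redirect","RedirectConfig":{"Protocol":"HTTPS","Port":"443","Host":"#{host}","Path":"/#{path}","Query":"#{query}","StatusCode":"HTTP_301"}}]'

# Step 1: print the ARN of every Application Load Balancer in region $1.
list_albs() {
  aws elbv2 describe-load-balancers --region "$1" --output text \
    --query 'LoadBalancers[?Type==`application`].LoadBalancerArn'
}

# Step 2: for ALB $2, print one line per HTTP listener:
# listener ARN, default action type, redirect protocol ("None" if absent).
http_listeners() {
  aws elbv2 describe-listeners --region "$1" --load-balancer-arn "$2" --output text \
    --query 'Listeners[?Protocol==`HTTP`].[ListenerArn,DefaultActions[0].Type,DefaultActions[0].RedirectConfig.Protocol]'
}

# Print the ARN of each HTTP listener whose default action is not a redirect
# to HTTPS. A redirect that keeps "#{protocol}" still serves HTTP, so the
# protocol must be literally HTTPS to pass.
find_noncompliant() {
  for alb in $(list_albs "$1"); do
    http_listeners "$1" "$alb" | while read -r arn type proto; do
      [ -n "$arn" ] || continue
      if [ "$type" != "redirect" ] || [ "$proto" != "HTTPS" ]; then
        printf '%s\n' "$arn"
      fi
    done
  done
}

# Step 3: replace the default action of listener $2 with the HTTPS redirect.
# This overwrites whatever the listener did before (for example a forward).
add_redirect() {
  aws elbv2 modify-listener --region "$1" --listener-arn "$2" \
    --default-actions "$REDIRECT_ACTION"
}

# Run the audit only when AUDIT_REGION is set, e.g. AUDIT_REGION=us-west-1.
if [ -n "${AUDIT_REGION:-}" ]; then
  find_noncompliant "$AUDIT_REGION"
fi
```

Review the listed listeners before calling add_redirect on any of them, since an HTTP listener may forward traffic on purpose, for example to an internal health check.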

Now that you know how to set up these redirect rules, you’ll be able to enforce encrypted communication between your application and end-users using SSL.

Automating Security Checks with Blink:

Instead of having to look up the specific command for each of these actions, you could use a low-code tool like Blink to find and fix vulnerable resources in a couple of clicks.

With Blink, you can run this check using an automation like this one:

Blink Automation: Ensure Application Load Balancer are Configured to Redirect All HTTP Requests to HTTPS in AWS

This automation is available in the Blink library. When it runs, it does the following steps:

  1. Checks whether ALBs are configured to redirect all HTTP requests to HTTPS.
  2. Sends all non-compliant ALBs in a report via email.

This simple automation is easy to customize. Run it on a schedule or send the report via email, Slack, or Teams.

There are over 5K automations in the Blink library to choose from, or you can build your own to match your unique needs.

Get started with Blink today and see how easy automation can be.
