I have a number of IIS web servers behind an App Load Balancer (ALB). The web servers all have a self-signed SSL certificate installed and redirect from HTTP to HTTPS using the URL Rewrite module, properly set up:
If I directly access these web servers, HTTP will be redirected to HTTPS.
The protocol used by the target group is HTTPS. The ALB listens on both HTTP and HTTPS. It has an SSL certificate on "www.mysite.com".
However, when I tried to access the ALB using HTTP, it is not redirected to HTTPS. Now that the servers do redirect properly, why doesn't the ALB?
It's now possible to directly do some redirection in any ALB rule, see related AWS announcement.
To unconditionally redirect all queries from HTTP to HTTPS, you have to configure the HTTP listener with only the default rule/action to permanently redirect (301) all requests with the same host, path and query on the HTTPS port (typically: 443) with the HTTPS protocol:
Assume that you are running Microsoft Windows in an EC2 instance, and you are using IIS to configure two web sites, siteA and siteB. Set up siteA to bind at port 81 and siteB to bind at port 82.
STEP 1:
In AWS console, select "Target Groups" under "Load Balancing". Create two target groups:
1. siteA-target-group with your web server instance ID and port 81
2. siteB-target-group with your web server instance ID and port 82
Note: you can add more web server instances in the target group for load balancing and failover purposes.
STEP 2:
In AWS ALB, there are two listeners, one for port 80 and one for port 443.
For HTTP (80), add 2 rules:
1. if host is siteA.com, redirect to https://#{host}:443/#{path}?#{query}
2. if host is siteB.com, redirect to https://#{host}:443/#{path}?#{query}
For HTTPS (443), add 2 rules:
1. if host is siteA.com, forward to siteA-target-group
2. if host is siteB.com, forward to siteB-target-group
STEP 3:
On your DNS provider, set up a CNAME for siteA.com to point at the ALB's DNS name. Similarly, set up a CNAME for siteB.com.
When the above setup is completed, test connecting to http://siteA.com or http://siteB.com
i) traffic hits the ALB port 80
ii) host header matches the rule "siteA.com" and redirects traffic to port 443
iii) traffic hits the ALB port 443
iv) host header matches the rule "siteA.com" and forwards to target group siteA-target-group
v) siteA-target-group points at port 81 on the web server and the page is served.
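The listener setup described in the answers above, written as a CloudFormation template. This is an added example, not part of the original posts: it uses the unconditional default redirect on port 80 rather than per-host redirect rules, and the four parameters, the resource names and the 404 default on the HTTPS listener for unmatched hosts are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  LoadBalancerArn: {Type: String}      # existing ALB (assumed to exist)
  CertificateArn: {Type: String}       # ACM certificate covering both hosts (assumed)
  SiteATargetGroupArn: {Type: String}  # siteA-target-group, instance port 81
  SiteBTargetGroupArn: {Type: String}  # siteB-target-group, instance port 82
Resources:
  HttpListener:                        # port 80 never forwards, it only redirects
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancerArn
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: redirect               # same host, path and query, HTTPS on 443, 301
          RedirectConfig: {Protocol: HTTPS, Port: "443", Host: "#{host}",
                           Path: "/#{path}", Query: "#{query}", StatusCode: HTTP_301}
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancerArn
      Port: 443
      Protocol: HTTPS
      Certificates:
        - CertificateArn: !Ref CertificateArn
      DefaultActions:                  # assumption: unknown Host headers get a 404
        - Type: fixed-response
          FixedResponseConfig: {StatusCode: "404", ContentType: text/plain, MessageBody: Unknown host}
  SiteARule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      ListenerArn: !Ref HttpsListener
      Priority: 10
      Conditions:
        - {Field: host-header, HostHeaderConfig: {Values: [siteA.com]}}
      Actions:
        - Type: forward
          TargetGroupArn: !Ref SiteATargetGroupArn
  SiteBRule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      ListenerArn: !Ref HttpsListener
      Priority: 20
      Conditions:
        - {Field: host-header, HostHeaderConfig: {Values: [siteB.com]}}
      Actions:
        - Type: forward
          TargetGroupArn: !Ref SiteBTargetGroupArn
```

With this layout no plaintext request reaches a target group, so the IIS-level URL Rewrite redirect is never exercised through the ALB.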