by momania 2944 days ago
This is nice, but how about a simpler feature for the ALB: redirect http to https.
3 comments

Add CloudFront, then your CloudFront-provided TLS termination AND redirect will be much closer to the client.
Redirecting HTTP requests to HTTPS should not be the default thing to do. It introduces vulnerabilities (such as MITM attacks) that are hardly considered in most configurations (from what I've seen around).

The default connection to your web server should be HTTPS, not HTTP. HSTS is an option to set this up properly.

You should definitely use HSTS, but I think this is about catching those people entering "website.com" in their browser, where the default behaviour (having never visited the site before) is connecting via HTTP. You want those redirected to an HSTS-enabled HTTPS connection immediately, and this seems to be a good place to put this functionality?
> catching those people entering "website.com"

When the domain is registered to use HSTS their browser will use a TLS connection the first time they ever connect to your website.

> You want those redirected to a HSTS enabled HTTPS connection immediately

Websites that depend on advertising probably do as they often want to support very old browsers. Otherwise there's no real need for a redirect/connection upgrade IMO.

The first time a client connects, it'll be HTTP. Then they'll see the HSTS header. Subsequent connections will be HTTPS.
That's why there is the HSTS preload list [0], so that browsers can know this before making the HTTP request.

If you don't want to add your domain to the preload list, you will have to (automatically) redirect/upgrade users to HTTPS, or bounce them.

[0] - https://hstspreload.org/

> That's why there is the HSTS preload list

which has the following requirements: 1. Serve a valid certificate. 2. Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.

oops.

This is one of those things security people say that just does not jibe with reality. Everything in security is a trade off with usability, and not having your site on http, just for a redirect to https, is just completely not feasible.
Even if you are not listening on port 80, a MITM attack could just pretend to be you and listen on port 80.
This is probably missing because it's dead simple to solve on the application/infrastructure side by sending 302 or even 301 if you don't really miss the HTTP.

For things like that, which are very easily solvable another way, I don't expect Amazon to work on them anytime soon, if ever.

It's easy to solve in the application, but then I need to have an http and https endpoint in my application, just for this redirect, already behind the ALB. I mean, if they can build in authentication redirects on the load balancer, how hard is it then to add a simple http -> https redirect, so this http traffic never has to 'touch' my application.
Well, you don't need to have two listeners; you just need to check the "X-Forwarded-Proto" header and, if it's not "https", do the redirect. I think checking that header is a good idea anyway for something sensitive.

Also if you use API GW/CloudFront they would do that for you too.
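The approach the comments above describe (one listener, check X-Forwarded-Proto, answer with a 301 or 302, and send HSTS so the preload-list requirement of "redirect from HTTP to HTTPS on the same host" is met) as a small WSGI middleware. This is an added example, not code from the thread or from AWS. It assumes the application is reached only through an ALB that sets X-Forwarded-Proto; "website.com", the paths, and the query strings are constructed test inputs. It also handles two things a practitioner would want that the comments do not spell out: the Host header is client-controlled, so the redirect target is pinned to a canonical host instead of echoing Host (otherwise the redirect is an open redirect), and the HSTS header is only emitted on the HTTPS path, since browsers ignore it over plain HTTP.

```python
"""Redirect HTTP to HTTPS inside the application, behind an ALB.

Added example, not code from the thread. Assumptions: the app is a WSGI app
reached only through an AWS ALB that sets X-Forwarded-Proto; "website.com",
the paths and the query strings used below are constructed test inputs.
"""
from urllib.parse import quote

# One year, subdomains included, preload directive as hstspreload.org requires.
HSTS_VALUE = "max-age=31536000; includeSubDomains; preload"


def forwarded_proto(environ):
    """First value of X-Forwarded-Proto (chained proxies may comma-join it).
    Trusting this header is only safe when the ALB is the sole way to reach
    the app; a directly reachable app could have it spoofed by the client."""
    raw = environ.get("HTTP_X_FORWARDED_PROTO", "")
    return raw.split(",")[0].strip().lower()


def https_location(environ, canonical_host):
    """Rebuild the request URL with https and a host we control.

    The Host header is client-supplied; echoing it unchecked into Location
    would turn the redirect into an open redirect, so anything other than
    the canonical host is replaced by the canonical host."""
    host = (environ.get("HTTP_HOST") or "").lower()
    if host != canonical_host:
        host = canonical_host
    url = "https://" + host + quote(environ.get("PATH_INFO") or "/")
    query = environ.get("QUERY_STRING", "")
    return url + ("?" + query if query else "")


class ForceHttps:
    """WSGI middleware: redirect plain-HTTP requests to HTTPS, add HSTS otherwise."""

    def __init__(self, app, canonical_host, permanent=True):
        self.app = app
        self.canonical_host = canonical_host.lower()
        # 301 is cached by browsers; 302 is the easier choice to undo later.
        self.status = "301 Moved Permanently" if permanent else "302 Found"

    def __call__(self, environ, start_response):
        if forwarded_proto(environ) != "https":
            location = https_location(environ, self.canonical_host)
            start_response(self.status, [("Location", location),
                                         ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            # Browsers only honour HSTS received over HTTPS, so it is set here only.
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_with_hsts)


def hello_app(environ, start_response):
    """Stand-in for the real application behind the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def make_environ(proto, host, path, query=""):
    """Constructed WSGI environ resembling what an ALB-fronted server sees."""
    return {"REQUEST_METHOD": "GET", "HTTP_HOST": host, "PATH_INFO": path,
            "QUERY_STRING": query, "HTTP_X_FORWARDED_PROTO": proto}


def run(app, environ):
    """Invoke a WSGI app directly and return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = ForceHttps(hello_app, canonical_host="website.com")
    for env in (make_environ("http", "website.com", "/login", "next=%2Fhome"),
                make_environ("http", "evil.example", "/"),
                make_environ("https", "website.com", "/")):
        status, headers, _ = run(app, env)
        print(status, headers.get("Location"), headers.get("Strict-Transport-Security"))
```

Two caveats worth keeping in mind when deploying something like this: a 301 or 302 is fine for the GET that a typed "website.com" produces, but browsers may turn a redirected POST into a GET, so non-idempotent requests over plain HTTP are better rejected than redirected; and, as the thread points out, this application-level redirect still depends on something listening on port 80 in front of you (the ALB listener), so it closes the "typed the bare domain" gap but not the MITM window before HSTS is cached or preloaded.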

I think it's more likely that they want to differentiate LBs and CloudFront, feature wise.

It would make sense to do it in the load balancer, you want to do the redirect as soon as possible. So if you want to do it the correct way you get the option of paying for both ALB and CF.