IIS, AWS ELB and SSL – Why can’t we all just get along?

Recently found myself in the position of having to set up an AWS Elastic Load Balancer (ELB) in front of our EC2 instance that is running Windows Server 2012R2. This means the server is running IIS v8.5. Normally this would not be a problem except that we wanted to run SSL on the load balanced site and continue to force non-SSL traffic to use the SSL version.

Normally this is a no-brainer, and there are plenty of example URL Rewrites out there on the Interwebs that will handle this, but the challenge is getting the ELB Health Checks to work properly against a REAL LIVE web page. ELB sends an HTTP GET request to whichever page on the site I choose. I found numerous examples that purported to resolve the problem, but none of them did the job: they either redirected the ELB health check or just flat out returned 5xx errors.

So, in order to resolve this problem I crafted the following workaround:

  1. Create a site in IIS that does nothing but redirect traffic (permanently, i.e. with a 301) to the target URL. The web.config (the only file in the site) is as follows:
     <?xml version="1.0" encoding="UTF-8"?>
     <configuration>
       <system.web><customErrors mode="RemoteOnly" redirectMode="ResponseRewrite" /></system.web>
       <system.webServer>
         <!-- exactDestination="false" keeps the requested path on the redirect; Permanent sends a 301 -->
         <httpRedirect enabled="true" destination="https://TARGETSITE.com" exactDestination="false" httpResponseStatus="Permanent" />
       </system.webServer>
     </configuration>
  2. Set the bindings for this site to accept only traffic for the following:
    1. http traffic with a Host Name of www.TARGETSITE.com with a port of 80 and the IP address (the inside/private address) for this server
    2. http traffic with no Host Name and a port of 88 and the IP address of this server (the inside/private address)
  3. Ensure that Windows Firewall (if you are using it) will accept TCP traffic on port 88
  4. Add an exception for port 88 to your Security Group that this server uses, allowing traffic from anywhere
  5. Configure your ELB instance with the following listeners:
    1. HTTPS for LB protocol, 443 for LB port, HTTP for instance protocol, 80 for instance port and the SSL certificate for TARGETSITE.com
    2. HTTP for LB protocol, 80 for LB port, HTTP for instance protocol, 88 for instance port and N/A for Cipher and SSL
  6. Configure your ELB instance so that the Health Check uses an HTTP request to instance port 80 for the page of your choice (e.g. /default.aspx).
  7. Configure bindings on your TARGETSITE.com site in IIS so that it accepts HTTP traffic on port 80.

That should about do it. I’ll assume that you’ve already gotten your SSL certificate installed on your ELB instance.

Caveats – Test this out first on a non-live environment as your results may vary. Also, the redirect site is NOT being load balanced at this point, so you won’t have any failover capability unless you set up an ELB just for this purpose. Not a bad idea really…
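A post-deployment check for the layout above, added here as an example and not taken from the original post: it exercises each route a request can take (ELB 80 to instance 88, ELB 443 to instance 80 with and without the www host, and, from inside the VPC, the instance ports the health check and the redirect site live on) and reports whether each ends at the real site or at a 301 to https://TARGETSITE.com with the path preserved. TARGETSITE.com is the post's placeholder; the instance address 10.0.0.10 and the page paths are constructed for the example.

```python
import http.client
import ssl
from urllib.parse import urlsplit

TARGET = "TARGETSITE.com"   # placeholder host from the post; substitute the real one
INSTANCE_IP = "10.0.0.10"   # constructed private address of the EC2 instance (step 2)


def fetch(host, port, path, use_tls, host_header=None):
    """One GET that does NOT follow redirects; returns (status, Location header or None)."""
    if use_tls:
        conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context(), timeout=10)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("GET", path, headers={"Host": host_header or host})
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")


def is_redirect_to_target(status, location, expected_path):
    """A 301 whose Location is https://TARGET + expected_path (exactDestination="false" keeps the path)."""
    if status != 301 or not location:
        return False
    u = urlsplit(location)
    return u.scheme == "https" and u.netloc.lower() == TARGET.lower() and u.path == expected_path


def run_checks(fetch_fn=fetch, instance_ip=None):
    """Walk every route a request can take; returns {check_name: passed}."""
    path = "/products/list.aspx"   # constructed page path, deliberately not the site root
    results = {}
    # ELB listener 80 -> instance 88: plain HTTP must become a 301 to the HTTPS site, path intact.
    results["http_to_https"] = is_redirect_to_target(*fetch_fn(TARGET, 80, path, False), path)
    # ELB listener 443 -> instance 80 with Host www.TARGET: caught by the redirect site's host-name binding.
    results["www_to_bare"] = is_redirect_to_target(*fetch_fn(TARGET, 443, path, True, "www." + TARGET), path)
    # ELB listener 443 -> instance 80 with the bare host: served by the real site, never redirected.
    results["https_served"] = fetch_fn(TARGET, 443, "/default.aspx", True)[0] == 200
    if instance_ip:   # only reachable from inside the VPC: what the ELB itself talks to
        # Port 80 with the instance address as Host (no site host name): the real site must answer 200,
        # otherwise the health check fails or gets redirected.
        results["health_check"] = fetch_fn(instance_ip, 80, "/default.aspx", False)[0] == 200
        # Port 88 has no host-name binding, so it must answer everything with the 301.
        results["port88_redirects"] = is_redirect_to_target(*fetch_fn(instance_ip, 88, path, False), path)
    return results


if __name__ == "__main__":
    for name, ok in run_checks(instance_ip=INSTANCE_IP).items():
        print(f"{name:18s} {'OK' if ok else 'FAIL'}")
```

Steps 3 and 4 leave port 88 open to any source; since only the ELB ever needs to reach it, a Security Group rule that allows 88 from the ELB's own security group rather than from anywhere keeps the redirect site off the public Internet.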

Michael Gibbs