Tag: Amazon Web Services

IIS, AWS ELB and SSL – Why can’t we all just get along?

I recently found myself having to set up an AWS Elastic Load Balancer (ELB) in front of our EC2 instance running Windows Server 2012 R2, which means the server is running IIS 8.5. Normally this would not be a problem, except that we wanted to run SSL on the load-balanced site and continue to force non-SSL traffic over to the SSL version.

Normally this is a no-brainer and there are plenty of example URL Rewrites out there on the Interwebs that will handle it, but the challenge is getting ELB Health Checks to work properly against a REAL LIVE web page. ELB sends an HTTP GET request to whichever page on the site I point it at. I found numerous examples that purported to resolve the problem, but none of them did the job: they either redirected the ELB health check or just flat out errored out with a 5xx.

So, in order to resolve this problem I crafted the following workaround:

  1. Create a site in IIS that does nothing but redirect traffic (permanent, i.e. 301) to the target URL. The web.config (the only file in the site) is as follows:
    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <system.webServer>
        <httpRedirect enabled="true" destination="https://TARGETSITE.com" exactDestination="false" />
      </system.webServer>
      <system.web>
        <customErrors mode="RemoteOnly" redirectMode="ResponseRewrite"></customErrors>
      </system.web>
    </configuration>
  2. Set the bindings for this site to accept only traffic for the following:
    1. http traffic with a Host Name of www.TARGETSITE.com with a port of 80 and the IP address (the inside/private address) for this server
    2. http traffic with no Host Name and a port of 88 and the IP address of this server (the inside/private address)
  3. Ensure that Windows Firewall (if you are using it) will accept TCP traffic on port 88
  4. Add an exception for port 88 to your Security Group that this server uses, allowing traffic from anywhere
  5. Configure your ELB instance with the following listeners:
    1. HTTPS for LB protocol, 443 for LB port, HTTP for instance protocol, 80 for instance port and the SSL certificate for TARGETSITE.com
    2. HTTP for LB protocol, 80 for LB port, HTTP for instance protocol, 88 for instance port and N/A for Cipher and SSL
  6. Configure your ELB instance so that the Health Check uses an HTTP request to port 80 to the page ( /default.aspx ) of your choice.
  7. Configure bindings on your TARGETSITE.com site in IIS so that it accepts HTTP traffic on port 80.

That should about do it. I'll assume that you've already installed your SSL certificate on your ELB instance.

Caveats – Test this out first on a non-live environment, as your results may vary. Also, the redirect site is NOT being load balanced at this point, so you won't have any failover capability unless you set up an ELB just for this purpose. Not a bad idea really…
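Steps 1 to 6 above, scripted end to end, as an added example that is not from the original post: the IIS side uses the WebAdministration module on the instance, the AWS side uses the classic-ELB commands of the AWS CLI, and it finishes with the two checks that matter (the health-check page must answer 200, port 88 must answer 301). The private IP, ELB name, certificate ARN, security group ID and site path are placeholders.

```powershell
# Added example, not the post's own script. Assumes IIS 8.5 with the
# WebAdministration module, the AWS CLI, and these placeholder values:
$PrivateIp  = '10.0.0.10'               # instance's inside/private address
$TargetHost = 'www.TARGETSITE.com'      # host name bound on port 80 of the redirect site
$RedirectTo = 'https://TARGETSITE.com'  # destination from the post's web.config
$LbName     = 'TARGETSITE-elb'          # classic ELB name (placeholder)
$CertArn    = 'arn:aws:iam::ACCOUNT_ID:server-certificate/TARGETSITE'  # placeholder
$SgId       = 'sg-PLACEHOLDER'          # security group of the instance (placeholder)

Import-Module WebAdministration

# Step 1: a site whose only file is the redirecting web.config.
$root = 'C:\inetpub\redirect-site'
New-Item -ItemType Directory -Path $root -Force | Out-Null
@"
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <httpRedirect enabled="true" destination="$RedirectTo" exactDestination="false" />
  </system.webServer>
  <system.web>
    <customErrors mode="RemoteOnly" redirectMode="ResponseRewrite"></customErrors>
  </system.web>
</configuration>
"@ | Set-Content -Path "$root\web.config" -Encoding UTF8

# Step 2: port 80 only for the www host name, port 88 for any host name.
New-Website -Name 'RedirectSite' -PhysicalPath $root -IPAddress $PrivateIp -Port 80 -HostHeader $TargetHost -Force | Out-Null
New-WebBinding -Name 'RedirectSite' -Protocol http -IPAddress $PrivateIp -Port 88

# Step 3: Windows Firewall must let the ELB reach port 88.
New-NetFirewallRule -DisplayName 'ELB HTTP redirect (88)' -Direction Inbound -Protocol TCP -LocalPort 88 -Action Allow | Out-Null

# Step 4: the post opens 88 to anywhere; using the ELB's own security group as
# the source (--source-group instead of --cidr) is the tighter option.
aws ec2 authorize-security-group-ingress --group-id $SgId --protocol tcp --port 88 --cidr 0.0.0.0/0

# Steps 5 and 6: listeners 443->80 (TLS terminated on the ELB) and 80->88,
# plus a health check that hits the real site on port 80.
aws elb create-load-balancer-listeners --load-balancer-name $LbName --listeners `
  "Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=$CertArn" `
  "Protocol=HTTP,LoadBalancerPort=80,InstanceProtocol=HTTP,InstancePort=88"
aws elb configure-health-check --load-balancer-name $LbName `
  --health-check "Target=HTTP:80/default.aspx,Interval=30,Timeout=5,UnhealthyThreshold=2,HealthyThreshold=2"

# Verify from the instance without following redirects. With -MaximumRedirection 0
# a 301 is raised as an error, so the status is read from the exception's response.
function Get-RawStatus([string]$Uri) {
    try   { return [int](Invoke-WebRequest -Uri $Uri -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop).StatusCode }
    catch { return [int]$_.Exception.Response.StatusCode }
}
"health-check page on 80: {0}" -f (Get-RawStatus "http://${PrivateIp}:80/default.aspx")  # must be 200
"redirect on 88:          {0}" -f (Get-RawStatus "http://${PrivateIp}:88/")              # must be 301
```

If the first check prints 301 instead of 200, the health-check request is landing on the redirect site, which is exactly the failure the post describes; re-check that the port 80 binding of the redirect site carries the www host name.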