  • I have an EC2 running pgadmin.

  • There's a target group pointing to it on port 80.

  • The TG is listening on port 443 but HTTP so it can redirect to the EC2 on port 80. (I previously had it 443 and HTTPS but read online that SSL termination should be here)

  • There's an ELB listening on 443 and pointing to the TG.

If I go to the URL of the ELB I can successfully access pgadmin, although obviously the browser shows a certificate error because the URL isn't the one in the ACM cert associated with the ELB.

I have an R53 domain with an alias to the ELB, which matches the ACM cert, but when I go to this URL I get 'too many redirects' in the browser.

Not sure where the config could be wrong, especially as it works from the ELB just not the domain.

1 Answer


Fairly typical in the case of SSL termination is that the back-end server/service will perceive that as: "the end-user is connected over a clear text protocol", in other words over plain HTTP.

It will then helpfully try to "resolve that security risk" by redirecting the user to HTTPS.

 ------                  ---------------                -------------------
| USER  | ===> HTTP ==> | Load balancer | ==> HTTP ==> | Redirect to HTTPS | 
 ------                  ---------------                -------------------

 ------                   -----------------                -------------------
| USER  | ===> HTTPS ==> | SSL termination | ==> HTTP ==> | Redirect to HTTPS | 
 ------                   -----------------                -------------------

User makes a new request (they were already using HTTPS, but a redirect is a redirect) but they will again be redirected:

 ------                   -----------------                -------------------
| USER  | ===> HTTPS ==> | SSL termination | ==> HTTP ==> | Redirect to HTTPS | 
 ------                   -----------------                -------------------

And then repeat that again and again.

The usual solution is to optionally re-configure the SSL termination point to make HTTPS requests to the back-end server, and remove the redirect to HTTPS functionality from the back-end server and move that to the load balancer.

 ------                  -------------------  
| USER  | ===> HTTP ==> | Load balancer     | 
 ------                 | Redirect to HTTPS |      
                         -------------------

 ------                   -----------------                   ---------
| USER  | ===> HTTPS ==> | SSL termination | ==> HTTP(S) ==> | Respond | 
 ------                   -----------------                   ---------
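
A small model of the redirect loop and of the fixes described in the answer above, added here as an example and not part of the original post. The host `example.test`, the function and setting names, and the 20-hop limit are assumptions made for illustration; nothing here calls a real AWS API.

```python
# Constructed model: a browser, a TLS-terminating load balancer and a back end.
MAX_REDIRECTS = 20  # assumed browser limit before "too many redirects"
HOST = "example.test"  # constructed host name

def backend(scheme_seen, path, force_https):
    """The back end only sees the hop from the load balancer, not the user's."""
    if force_https and scheme_seen != "https":
        return 301, f"https://{HOST}{path}"
    return 200, None

def load_balancer(client_scheme, path, *, redirect_http, backend_scheme,
                  backend_force_https):
    """TLS ends here; the request is re-sent to the back end over backend_scheme."""
    if redirect_http and client_scheme == "http":
        return 301, f"https://{HOST}{path}"
    return backend(backend_scheme, path, backend_force_https)

def browse(url, **lb_config):
    """Follow redirects like a browser and return (outcome, redirects_followed)."""
    for hops in range(MAX_REDIRECTS + 1):
        scheme, _, rest = url.partition("://")
        path = "/" + rest.partition("/")[2]
        status, location = load_balancer(scheme, path, **lb_config)
        if status == 200:
            return "ok", hops
        url = location  # always https://..., yet the back end still sees HTTP
    return "too many redirects", MAX_REDIRECTS

# Loop from the question: TLS terminated, back end still forces HTTPS.
BROKEN = dict(redirect_http=False, backend_scheme="http",
              backend_force_https=True)
# Fix: the HTTP-to-HTTPS redirect lives on the load balancer only.
FIXED = dict(redirect_http=True, backend_scheme="http",
             backend_force_https=False)
# Optional variant: the load balancer talks HTTPS to the back end.
REENCRYPT = dict(redirect_http=True, backend_scheme="https",
                 backend_force_https=True)

if __name__ == "__main__":
    for name, cfg in [("broken", BROKEN), ("fixed", FIXED),
                      ("re-encrypt", REENCRYPT)]:
        for start in ("http", "https"):
            print(name, start, browse(f"{start}://{HOST}/browser/", **cfg))
```

In the broken setting the user's scheme never changes what the back end sees, which is why the HTTPS request loops just like the HTTP one.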
