enforcing ssl behind aws load balancer?

johnedm's picture

folks,

i'm using mercury 1.0 ami on a small ec2 instance with an elastic load balancer acting as the ssl endpoint...

i would like to enforce ssl for certain pages... i've tried using the "securepages" module with a slight modification for it to read the x-forwarded-proto value that the ELB adds to the header... this did not work and neither did the normal apache rewrite rules. both seem to be failing because varnish seems to be caching urls without regard for http or https... so when i go to http://mysite/login it redirects to https://mysite/login, but then mysite/login seems to be cached so the next time i go to http://mysite/login i get the varnish cached page instead of a redirect...

i'm thinking the ultimate solution for my situation might be to ditch securepages and apache rewrite solutions and write something in vcl to directly accomplish what i want... alternately, i could put something into the vcl that would add the proto to the cache key... then i could use the apache rewrite or securepages solution...

any suggestions?

thanks,

john

Comments

adding proto to header

johnedm's picture

folks,

in the interest of answering my own question (though i haven't tried it yet)...

it seems i can add the forwarded proto to the hash with:

sub vcl_hash {
  if (req.http.Cookie) {
    set req.hash += req.http.Cookie;
  }

  if (req.http.x-forwarded-proto) {
    set req.hash += req.http.x-forwarded-proto;
  }
}

then, in theory, i could use apache re-write or securepages

i'll let you all know if that works.

john

here is it...

johnedm's picture

so... thanks to some help from the #varnish irc channel... here is what i did:

as above, i changed /etc/varnish/default.vcl vcl_hash method to:

sub vcl_hash {
  if (req.http.Cookie) {
    set req.hash += req.http.Cookie;
  }

  if (req.http.x-forwarded-proto) {
    set req.hash += req.http.x-forwarded-proto;
  }
}

that makes the forwarded proto part of the key meaning that it'll treat https and http requests separately

then i edited the .htaccess file to add the following above the clear url rewrite code:

  RewriteCond %{HTTP:X-Forwarded-Proto} !https
  RewriteRule ^login https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

  RewriteCond %{HTTP:X-Forwarded-Proto} !https
  RewriteRule ^user(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

  RewriteCond %{HTTP:X-Forwarded-Proto} !https
  RewriteRule ^admin(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

  # Rewrite URLs of the form 'x' to the form 'index.php?q=x'.
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_URI} !=/favicon.ico
  RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

please let me know if i'm doing something stupid here...

john
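
The caching behaviour described in this thread, as an added example that is not part of the original posts: a small Python model of a cache in front of a backend that redirects /login, /user and /admin to https, replayed once with a URL-only cache key and once with the forwarded proto in the key. The names `origin`, `Cache` and `replay`, the `mysite` host, and the rule that only 200 responses are stored are assumptions made for the illustration.

```python
# Added illustration: toy model of the cache-key problem, not Varnish itself.
SECURE_PREFIXES = ("/login", "/user", "/admin")  # paths named in the rewrite rules


def origin(path, proto):
    """Backend: redirect secure paths to https unless the balancer reported https."""
    if path.startswith(SECURE_PREFIXES) and proto != "https":
        return 302, "https://mysite" + path
    return 200, "page:" + path


def key_url_only(path, proto):
    return path                    # scheme ignored, as in the failing setup


def key_with_proto(path, proto):
    return path + "|" + proto      # mirrors adding x-forwarded-proto to the hash


class Cache:
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.store = {}

    def fetch(self, path, proto):
        """Return (status, body, from_cache); only 200s are stored (assumption)."""
        key = self.key_fn(path, proto)
        if key in self.store:
            return self.store[key] + (True,)
        resp = origin(path, proto)
        if resp[0] == 200:
            self.store[key] = resp
        return resp + (False,)


def replay(key_fn):
    """Replay the sequence from the thread: http, then https, then http again."""
    cache = Cache(key_fn)
    return [cache.fetch("/login", p) for p in ("http", "https", "http")]


if __name__ == "__main__":
    for name, fn in (("url only", key_url_only), ("url + proto", key_with_proto)):
        print(name, replay(fn))
```

With the URL-only key the third request is answered from the cache with the https page and no redirect; with the proto in the key it reaches the backend and is redirected again.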

Is this the most efficient

cookiesunshinex's picture

Is this the most efficient way to enforce SSL for all traffic?

I would like to automatically re-direct all requests to https.

Symetrik Design
Drupal Consulting
http://www.symetrkdesign.com
