How do I avoid a redirection loop when I place a load balancer in front of a Lightsail instance?

Short description

Example scenario

You used the Bitnami HTTPS configuration tool bncert to configure redirection on your Lightsail WordPress instance. The instance redirects from HTTP to HTTPS and from a non-www domain to a www domain. You configured DNS so that the domain names (example.com and www.example.com) point to the Lightsail instance's IP address, as shown in the following example:

http://example.com > Lightsail instance > https://example.com > Lightsail instance > 200 OK

You configured an Application Load Balancer in front of this instance and pointed the domain to the Application Load Balancer. This setup creates a redirection loop because Lightsail instances always receive requests on HTTP port 80 and redirect to https://example.com.

example.com > http://xyz.ap-south-1.elb.amazonaws.com > http://your_lightsail_IP_address > https://example.com > https://xyz.ap-south-1.elb.amazonaws.com > http://your_lightsail_IP_address

Resolution

Lightsail load balancers

To avoid a redirection loop, use only non-www to www redirection on the instance. Perform HTTP to HTTPS redirection on the Lightsail load balancer.

Step 1: Reconfigure bncert

1.    To use the bncert tool, run the following command:

sudo /opt/bitnami/bncert-tool

2.    For Enter your primary domain name and alternate domain name, enter a domain that already points to the Lightsail instance. Also, enter a www subdomain of this domain.

3.    For Enable HTTP to HTTPS redirection, choose N. This turns off HTTP to HTTPS redirection.

4.    For Enable non-www to www redirection, choose Y.

5.    For Enable www to non-www redirection, choose N.

6.    Review the changes, enter Y, and then press Enter.

For more information, see Step 5: Turn on HTTPS on your WordPress instance in the Amazon Lightsail documentation.

Step 2. Create a Lightsail load balancer with redirection from HTTP to HTTPS

1.    Create a Lightsail load balancer, and then attach your instance to it.

2.    Create an SSL/TLS certificate for example.com and www.example.com. Replace the domain and subdomain names with the names of your domain and subdomain.

3.    To turn on the TLS listener, attach the SSL/TLS certificate to the Lightsail load balancer.

4.    In the Protocol section of the Lightsail load balancer, toggle the direction option to turn on HTTP to HTTPS redirection.

Now, the Lightsail load balancer's DNS name redirects to the load balancer's www subdomain.

Step 3: Update DNS

In the DNS configuration, point example.com and www.example.com to the Lightsail load balancer's DNS name.

Application Load Balancers

For Application Load Balancers in front of the Lightsail instance, keep HTTP to HTTPS redirection only on the Lightsail instance.

1.    Open the Amazon Elastic Compute Cloud (Amazon EC2) console.

2.    Under Load balancing, choose Target groups.

3,    Choose Create target groups.

4.    Create target groups for ports 80 and 443 that are named tg-80 and tg-443.

5.    For the Target type, choose IP.

6.    For Register targets, Network, choose Other private IP, and then specify the Lightsail instance's IP address.

7.    Create an Application Load Balancer. Create a route listener on Port 80 to target group tg-80 and a listener on Port 443 to target group tg-443.

8.    Update the DNS record for example.com and www.example.com to point to the Application Load Balancer's DNS name.

With this configuration, the Application Load Balancer forwards HTTPS requests to Amazon Lightsail on HTTPS. So, you receive a 200 OK response.