Redirect all HTTP traffic to HTTPS in OCI via Load-Balancer

Recently, I had the requirement to redirect any and all HTTP traffic to HTTPS for all the applications hosted in OCI (Oracle Cloud Infrastructure). In this post, I will take you along the journey to achieve that using OCI LBaaS (Load Balancer as a Service).

URL redirect

If the load balancer is configured to serve HTTPS requests but no HTTP URL redirection is set up, all HTTP requests are simply refused, see below:

-bash-4.1$ curl -vvv http://tstapp.itnoesis.com/
* About to connect() to tstapp.itnoesis.com port 80 (#0)
*   Trying <LB_IP_Address>... Connection refused
* couldn't connect to host
* Closing connection #0
curl: (7) couldn't connect to host

-bash-4.1$ curl -vvv https://tstapp.itnoesis.com/
* About to connect() to tstapp.itnoesis.com port 443 (#0)
*   Trying <LB_IP_Address>... connected
* Connected to tstapp.itnoesis.com (<LB_IP_Address>) port 443 (#0)
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.44 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: tstapp.itnoesis.com
> Accept: */*
> 
< HTTP/1.1 302 Moved Temporarily
< Date: Wed, 08 Jun 2022 13:27:53 GMT
< Content-Type: text/html
< Content-Length: 263
< Connection: keep-alive
< Location: https://tstapp.itnoesis.com/

Setup URL redirection

In OCI console, navigate to Networking –> Load Balancers and select the compartment in which the load balancer was created.

Now click on the load balancer name and, under “Rule Sets”, click on “Create Rule Set”.
Provide a meaningful name to the new rule set. Check the box to “Specify URL Redirect Rules”.
Change the values as below:
Source Path: /
Match Type: Either “Exact Match” or “Force Longest Prefix Match”
Protocol: from {protocol} to HTTPS
Port: from {port} to 443
Response Code: 302 – Found
and click on Create.

Now that the rule set is in place, let us test again. Same result!!

-bash-4.1$ curl -vvv http://tstapp.itnoesis.com/
* About to connect() to tstapp.itnoesis.com port 80 (#0)
*   Trying <LB_IP_Address>... Connection refused
* couldn't connect to host
* Closing connection #0
curl: (7) couldn't connect to host

This is because even if the rule set is in place, it does not do anything unless it is attached to a listener, and specifically an HTTP listener.

Create Backend Set

Create a backend set that allows HTTP traffic. You can achieve this by unchecking the “Secure” attribute.

Create HTTP listener and attach rule set

Navigate back to the listener resources page and create an HTTP listener. While hostnames are optional, a backend set must be associated.

It is worth noting that the backend set must not have the “Secure” attribute checked, otherwise the listener creation will fail.

Once the listener is created, edit the listener and select the rule set that was just created to redirect HTTP traffic.

Now, let us check again. Voila!

curl -vvv http://tstapp.itnoesis.com
*   Trying <LB_IP_Address>...
* TCP_NODELAY set
* Connected to tstapp.itnoesis.com/ (<LB_IP_Address>) port 80 (#0)
> GET / HTTP/1.1
> Host: tstapp.itnoesis.com
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 302 Moved Temporarily
< Date: Fri, 17 Jun 2022 19:35:28 GMT
< Content-Type: text/html
< Content-Length: 263
< Connection: keep-alive
< Set-Cookie: X-Oracle-BMC-LBS-Route=79fdtg54qawedfa24f4etvqaw4tvrdgf0q203e8rfai4; Path=/; HttpOnly
< Location: https://tstapp.itnoesis.com

Does this mean we have to create a combination of HTTPS and HTTP listeners for each and every application that is configured in the load balancer?

No. In a typical setup, the hostnames are configured in DNS with the IP address of the load balancer. All the hostnames like app1.company.com and app2.company.com resolve to the public/private IP address of the load balancer and direct their traffic to it.

The load balancer is intelligent enough to sense which backend set the traffic should be routed to, even if the backend set that you attached to the one and only HTTP listener is not related to the hostname or the URL being accessed. For example, HTTP://app1.company.com and HTTP://app2.company.com will both be redirected to HTTPS.
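Rather than reading the curl output by eye for each hostname, the redirect can be checked programmatically. The script below is an added example and not part of the original post: verify_response() validates a response the same way the curl output above is read (redirect status, Location on https:// with the same host and path, port 443 or none), and probe() performs the live HTTP request. The hostnames app1.company.com and app2.company.com in the main block are assumptions taken from the paragraph above.

```python
"""Check that a load balancer's HTTP listener redirects to HTTPS correctly.

Added example, not part of the original post. verify_response() works
offline on a status code and header mapping; probe() does a live request
over plain HTTP (http.client never follows redirects, so the 302 is visible).
"""
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 307, 308}


def verify_response(status, headers, host, path="/"):
    """Return (ok, reason) for a response to GET http://host/path."""
    if status not in REDIRECT_CODES:
        return False, f"expected a redirect status, got {status}"
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if location is None:
        return False, "redirect without a Location header"
    target = urlsplit(location)
    if target.scheme.lower() != "https":
        return False, f"Location is not https: {location}"
    # the target must stay on the host that was requested, not some other site
    if (target.hostname or "").lower() != host.lower():
        return False, f"Location host {target.hostname!r} differs from requested {host!r}"
    if target.port not in (None, 443):
        return False, f"Location uses non-standard port {target.port}"
    # the rule set in the post returns "https://host" for "/", so treat "" as "/"
    if (target.path or "/") != path:
        return False, f"Location path {target.path!r} does not preserve {path!r}"
    return True, f"{status} -> {location}"


def probe(host, path="/", timeout=5):
    """Live check of one hostname on port 80; returns verify_response()'s verdict."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return verify_response(resp.status, dict(resp.getheaders()), host, path)
    finally:
        conn.close()


if __name__ == "__main__":
    # assumed hostnames; replace with the ones served by your load balancer
    for h in ("app1.company.com", "app2.company.com"):
        try:
            print(h, *probe(h))
        except OSError as exc:  # "Connection refused" before the HTTP listener exists
            print(h, False, exc)
```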
