Recently, I had the requirement to redirect any and all HTTP traffic to HTTPS to all the applications hosted in OCI (Oracle Cloud Infrastructure). In this post, I will take you along the journey to achieve that using OCI LBAAS (Load Balancer As A Service).
URL redirect
If the load-balancer is configured to cater HTTPS requests but HTTP URL redirection is not set up, all HTTP requests will be gracefully rejected, see below:
-bash-4.1$ curl -vvv http://tstapp.itnoesis.com/
* About to connect() to tstapp.itnoesis.com port 80 (#0)
* Trying <LB_IP_Address>... Connection refused
* couldn't connect to host
* Closing connection #0
curl: (7) couldn't connect to host
-bash-4.1$ curl -vvv https://tstapp.itnoesis.com/
* About to connect() to tstapp.itnoesis.com port 443 (#0)
* Trying <LB_IP_Address>... connected
* Connected to tstapp.itnoesis.com (<LB_IP_Address>) port 443 (#0)
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.44 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: tstapp.itnoesis.com
> Accept: */*
>
< HTTP/1.1 302 Moved Temporarily
< Date: Wed, 08 Jun 2022 13:27:53 GMT
< Content-Type: text/html
< Content-Length: 263
< Connection: keep-alive
< Location: https://tstapp.itnoesis.com/Setup URL redirection
In OCI console, navigate to Networking –> Load Balancers and select the compartment in which the load balancer was created.
Now, Click on the Load balancer name, under “Rule Sets” click on “Create Rule Set”.
Provide a meaningful name to the new rule set. Check the box to “Specify URL Redirect Rules”.
Change the values as below:
Source Path: /
Match Type: Either “Exact Match” or “Force Longest Prefix Match”
Protocol: from {protocol} to HTTPS
Port: from {port} to 443
Response Code: 302 – Found
and click on Create.
Now that the rule set is in place, let us test again. Same result!!
-bash-4.1$ curl -vvv http://tstapp.itnoesis.com/
* About to connect() to tstapp.itnoesis.com port 80 (#0)
* Trying <LB_IP_Address>... Connection refused
* couldn't connect to host
* Closing connection #0
curl: (7) couldn't connect to hostThis is because even if the rule set is in place, it is not do anything unless it is attached to a Listener that too an HTTP listener.
Create Backend Set
Create a backend set that allows HTTP traffic. You can achieve this by unchecking the “Secure” attribute.
Create HTTP listener and attach rule set
Navigate back to the listener resources page and click create an HTTP listener. While hostnames are optional, a backset must be associated.
It is worth noting that the backend set must not have the “Secure” attribute checked otherwise the listener creation will fail.
Once the listener is created, edit the listener and select the rule set that was just created to redirect HTTP traffic.
Now, let us check again. Voila!
curl -vvv http://tstapp.itnoesis.com
* Trying <LB_IP_Address>...
* TCP_NODELAY set
* Connected to tstapp.itnoesis.com/ (<LB_IP_Address>) port 80 (#0)
> GET / HTTP/1.1
> Host: tstapp.itnoesis.com
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 302 Moved Temporarily
< Date: Fri, 17 Jun 2022 19:35:28 GMT
< Content-Type: text/html
< Content-Length: 263
< Connection: keep-alive
< Set-Cookie: X-Oracle-BMC-LBS-Route=79fdtg54qawedfa24f4etvqaw4tvrdgf0q203e8rfai4; Path=/; HttpOnly
< Location: https://tstapp.itnoesis.comDoes this mean we have to create a combination of HTTPS and HTTP listeners for each and every application that is configured in the load balancer?
No. In a typical setup, the hostnames are configured in DNS with the IP address of the load-balancer. All the hostnames like app1.company.com and app2.company.com would direct traffic to the load-balancer and resolve to the public/ private IP address of the load-balancer.
The load-balancer is intelligent enough to sense which backend set the traffic should be routed to even if the backend set that you attached to the one and only HTTP listener is not related to the hostname or, the URL being accessed. For example, HTTP://app1.company.com and HTTP://app2.company.com both will be re-directed to HTTPS.
IT-Noesis 