Working with AWS, WordPress, and making it all secure.

While I spent a little time with my Home Automation experimentation, I also wanted to get a chip off my shoulder. That chip being that, by default, the AWS WordPress image works off of HTTP instead of something secure. Now, I understand why that is. With all the nuances of a secure setup, AWS would be hard pressed to know in advance how to craft certificates and inject them into the image. I still wanted it secure.

Well, after a number of attempts and some contortions in trying to learn just how the whole image is arranged, I figured out that through a clever application of an Application Load Balancer, two listeners (HTTP and HTTPS), and some Rewrite rules on the image itself, I could make it redirect properly from the HTTP port to the HTTPS one without fail.

The issues I ran into along the way? Well, one page of advice from Bitnami suggested simply checking to see if HTTPS is on, and if not, having Apache perform a rewrite of the URL and kick back a permanent redirection. Clever, but it only works if you’re sitting on a single device with no Load Balancer. If you’re not careful, it causes a redirect loop and the page fails to load. Another page of advice from Amazon themselves suggested making use of the X-Forwarded-For protocol header and rewriting it if it was forwarded using HTTP. In fact, they describe the redirect loop specifically. This loaded the main page properly but caused subsequent components to be requested as HTTP, causing errors due to mixed content. This could’ve been a cache problem, or it could have been an issue with the configuration.

I came to my solution when I thought about how the ELB was configured. From 80 it was forwarding to 80. From 443 it was forwarding to 80. That’s an oops. I mean, it should be fine, but bringing HTTPS and HTTP in onto one port only seemed to be causing my problems. So, I did a quick configuration of a second Target Group, so that I could have the ELB 443 port forward to 443 in the target group. After applying it, using the first page of advice, and using a full redirect for any non-HTTPS traffic, I started getting 503 errors. Confused, I looked at my Target Group again and realized... I had forgotten to add any targets. Fixed that, tried again and voila! We are now a fully encrypted site.
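To make the two failure modes above concrete, here is an added Apache rewrite configuration for WordPress behind an Application Load Balancer. It is an example written for this post, not the Bitnami or Amazon advice pages and not the configuration the author ended up with. It assumes the ALB terminates TLS and forwards to the instance on plain port 80 (the "443 forwarding to 80" layout that produced the loop), that mod_rewrite and mod_setenvif are loaded, and that the rules live in the WordPress vhost or the image's app config file (the exact path varies by image and is not taken from the post). The header the ALB sets to carry the client's original scheme is X-Forwarded-Proto.

```apache
# Added example, not from the original post, Bitnami or AWS.
# Assumed placement: the WordPress vhost or the image's httpd-app.conf.
RewriteEngine On

# --- Rule A: the single-server advice, and why it loops behind an ALB ---
# With the ALB forwarding 443 -> instance:80, Apache never sees HTTPS=on.
# This rule would therefore fire on every request, including the one the
# browser sends right after following the 301, and the result is a loop.
# Kept here commented out so the difference from Rule B is visible.
#
# RewriteCond %{HTTPS} !=on
# RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# --- Rule B: decide on the scheme the *client* used ---
# The ALB sets X-Forwarded-Proto to "http" or "https" for the client's
# connection. Redirect only when the client actually arrived over HTTP.
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# A request that reached Apache directly (no ALB in front, so no header)
# over plain HTTP still gets redirected to HTTPS.
RewriteCond %{HTTP:X-Forwarded-Proto} ^$
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# --- Mixed content fix ---
# WordPress builds asset URLs from what PHP sees in $_SERVER['HTTPS'].
# Behind the ALB that is empty, so the page loads over https:// but its
# scripts and stylesheets are linked as http:// and the browser blocks them.
# Export HTTPS=on to PHP whenever the forwarded scheme was https.
SetEnvIf X-Forwarded-Proto "^https$" HTTPS=on
```

Two practical notes. First, this is the header-based approach the post describes as the Amazon advice; the mixed-content symptom the author hit is what the final SetEnvIf line addresses, because without it WordPress still believes it is serving plain HTTP. Second, the author's eventual topology (ALB 443 forwarding to a target group on the instance's own 443) sidesteps the problem differently: on that path Apache genuinely sees HTTPS=on, so the simpler Rule A works there. Whichever approach is used, check the target group's health check after adding a redirect rule: a health-check request that gets a 301 instead of a 200 will mark the target unhealthy unless the check's path or accepted status codes account for it, and an empty or all-unhealthy target group is exactly what surfaces as the 503 the post mentions.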