How to have an AWS ELB forward the actual host name to the target group instead of the ELB's host name?
We have a Ruby/Rails website we're migrating from Heroku to AWS. The original dev is not available. I'm now trying to complete the migration. My background is in the Windows / .NET world. This Linux / Ruby/Rails environment is quite foreign to me...
Here's the current environment I've set-up:
Route 53
| Record Name | Record Type | Alias | Alias Route Traffic To |
|---|---|---|---|
| foo.example.com | A | yes | cloudfront: xyz.cloudfront.net |
CloudFront
| Domain Name | Alternate Domain Names | Origin Domain | Origin Protocol | Behavior Protocol |
|---|---|---|---|---|
| xyz.cloudfront.net | foo.example.com | foo.us-west-2.elb.amazonaws.com | HTTP only | Redirect HTTP to HTTPS |
The CloudFront distribution:
- uses an AWS issued SSL cert
- handles the http to https redirect
- forwards the request to the ELB over http (not https)
Load Balancer
| DNS Name | Listener Rule | Forward To |
|---|---|---|
| foo.us-west-2.elb.amazonaws.com | HTTP 80: default action | Target Group: foo-ec2 |
Target Group: foo-ec2 contains a single Ubuntu ec2 instance running nginx/1.18.0 + Phusion Passenger 6.0.10 to serve up the Ruby/Rails site.
nginx config
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL Config - we should NEVER receive 443/https traffic;
# CloudFront manages https traffic => AWS ELB => http to this server
#listen 443 ssl default_server;
#listen [::]:443 ssl default_server;
server_name foo.example.com
foo.us-west-2.elb.amazonaws.com;
# Tell Nginx and Passenger where the app's 'public' directory is
root /var/www/foo_example/public;
# Turn on Passenger
passenger_enabled on;
passenger_app_env production;
passenger_ruby /home/ubuntu/.rbenv/versions/2.6.8/bin/ruby;
}
Issue
The rails app starts up without error and is served over https. However, when a user attempts to log in / authenticate, the Devise gem sends back a redirect using http and the ELB's DNS name.
Example
sign_in request
Request URL: https://foo.example.com/users/sign_in
Request Method: POST
Status Code: 302
sign_in response
location: http://foo.us-west-2.elb.amazonaws.com/users
server: nginx/1.18.0 + Phusion Passenger(R) 6.0.10
status: 302 Found
Notice the request was over https and our domain:
https://foo.example.com
But now we're over http and the ELB's domain:
http://foo.us-west-2.elb.amazonaws.com
My assumption
The devise gem is seeing the host from the ELB and then generates the URL from the ELB host, creating two issues:
- we are now on http since the ELB communicates with the ec2 instance over http
- we are now on the ELB's host name, foo.us-west-2.elb.amazonaws.com, instead of our name, foo.example.com
I've looked into the devise documentation to see if we can just pass in the http protocol and domain to use when creating the post back, but my ruby knowledge is limited. Plus, I think this would be the "bad" path; where the "good" path would be to have the AWS ELB forward the actual domain name, instead of it's own.
I've reviewed several SO and related stack sites with similar questions, but I've either ended up with an infinite loop redirect, or the various config changes have resulted in the same behavior of the devise gem creating the wrong URL post back.
These two questions seem to be the closest, but I'm not quite able to make the "connection" between the answers and my limited knowledge of this ecosystem.
- AWS Cloudfront + Load Balancer, url changes from main domain to load balancer subdomain
- cloudfront domain replaced by application load balancer dns name when redirecting from http to https
Question
How can I get the AWS ELB to forward our domain, foo.example.com, to the ec2 target group and not the ELB's domain?
After more experimentation with AWS settings, the solution is actually rather simple. The other answers I posted in the question were vague in the actual settings, so here's the concrete solution.
In CloudFront, you need to create a new origin request policy, not a cache policy:
- Open up CloudFront
- go to Policies (left nav)
- click the "Origin Request" tab
- click the "create origin request policy" button
- name the policy whatever you want, i.e., "my origin request policy"
- under "Origin request settings" > Headers: select "Include the following headers"
- under "Add header": check the "Host" option
- click the "Create" button
The policy will look like this:
Once the new origin request policy has been created:
- head back to the CloudFront distributions
- click your distribution's Id so you can edit it
- click the "Behaviors" tab
- select your behavior and edit
- scroll down to "Cache key and origin requests"
- make sure the "Cache policy and origin request policy (recommended)" is selected
- under the "Origin request policy - optional", select your new policy, i.e., "my origin request policy"
- save changes
The behavior will look like this (I'm using no caching for now to verify the ec2 instance is getting all the requests):
That's it. The host header is now correctly passed through to the ELB and ec2 instance. Nothing else needs to be done with the ELB.
I verified the host header was being used in all requests by modifying the nginx logging option to include the $host variable in the log file (and did a bit more customization to the OOB format):
# prefixed log with '[my-log]', but it's not needed; remove.
log_format my-log '[my-log] $http_x_forwarded_for - $remote_user [$time_local] '
'"$request_method $scheme://$host$request_uri $server_protocol" '
'$status $body_bytes_sent "$http_referer" "$http_user_agent" $request_time';
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL Config - we should NEVER receive 443/https traffic;
# CloudFront manages https traffic => AWS ELB => http to this server
#listen 443 ssl default_server;
#listen [::]:443 ssl default_server;
server_name foo.example.com
foo.us-west-2.elb.amazonaws.com;
# create the our log file
access_log /var/log/nginx/my-log.access.log my-log;
# Tell Nginx and Passenger where the app's 'public' directory is
root /var/www/foo_example/public;
# Turn on Passenger
passenger_enabled on;
passenger_app_env production;
passenger_ruby /home/ubuntu/.rbenv/versions/2.6.8/bin/ruby;
}
Surely this will help future me as well as others.
- How can I disable Hotwire / Turbo (the Turbolinks replacement) for all forms in a Rails application?
- RSpec Stubbing out Date.today in order to test a method
- How to specify a prefix when uploading to S3 using activestorage's direct upload?
- Duration between two dates in Ruby (Rails)
- CMS for ecommerce website in rails
- Ruby gsub capturing groups
- Can I switch to Amazon S3 later in Rails 7 after using local storage?
- Rails 7/StimulusJS relative import: working on dev, but not production
- Rails: ActiveSupport::MessageEncryptor::InvalidMessage
- How can I unlock my gemfile so I can access the rails server?
- What do I pass to schema_migration in ActiveRecord::MigrationContext#new
- How do I stop Routing Errors errors from causing all sorts of warning?
- Where do you put your Rack middleware files and requires?
- How to prevent the <p> tag from wrapping around my input with tinymce in Rails?
- Clickable Table Rows in Ruby on Rails
- How to determine if one array contains all elements of another array
- Adding page-specific CSS to Rails Asset Pipeline
- Rails 7.1, log to STDOUT and log/production.log
- Add custom fields to object in ROR application
- Hit web endpoints behind Devise authentication with non-browser request in a Rails app
- How to revert/undo local changes to an Activerecord object?
- Disabling GraphQL introspection requests on production
- carrierwave png thumbnails from svg upload
- When rails app create database and collection when using MongoDb?
- Sidekiq sending jobs to test queue instead of developement queue
- rails assert_difference without specific difference value
- How best to propogate an `admin` status to children using Rails and Ancestry
- Rails minitest + authlogic cannot authenticate
- How does bundler work (in general)?
- `belongs_to` and `before_create` order in Rails