I guess you can use AWS ALB (Application Load Balancer) to force HTTPS or redirect with/without www. This is not particularly difficult to do and there is plenty of information about it out there, but the ALB is a bit cheaper and is usually the one to use.

Cases where ALB cannot be used (Route53 cannot be used)

However, there are some cases where ALB cannot be used: when the NS (Name Server) cannot be set to Route53. If you set up DNS other than Route53, you have no choice but to use CNAME for routing to ALB. But, for example, if you set up a web server with the domain aaa.com and www.aaa.comで運用したい場合 (rewrite from no www to www), you can’t set CNAME for “aaa.com”. That’s why I can’t point my domain (aaa.com) to ALB.

In such cases, NLB (Network Load Balancer) can be used to achieve redirection. Since there is not much information on this NLB, I will introduce it here. For your information, this time I will introduce the case of redirecting to “SSL communication with www”.

SSL communication with NLB and Nginx

In the NLB, you can set a static IP address for the load balancer. Therefore, you can set up DNS with or without www with A record and point it to the NLB. Moreover, the AWS ACM allows you to set up SSL certificates for easy https communication. Here is an image.

And since the web server side receives it on port 80, Nginx should redirect HTTP communication to HTTPS communication, not load balancer. If you Google it, you can often find the following conf settings.

if ($http_x_forwarded_proto != https){
   return 301 https://$host$request_uri;
}

But that’s the way it’s written for ALB, and it doesn’t work for NLB!

Redirect HTTP to HTTPS with NLB+Nginx

I did some research and found the following solution. The same method can be used for Apache.

1. Allow 80 and 8080 to be inbound in the security group set up on EC2.

2. Create two target groups, one for EC2 listening on port 80 and one for EC2 listening on port 8080.

3. In the NLB listener, set [443] to [80 target] and [80] to [8080 target].

4. In Nginx’s conf, set port 8080 as follows.

server {
     listen 8080;
     server_name _;
     root /usr/share/nginx/html;

     if ($http_user_agent !~* ELB-HealthChecker){
         return 301 https://$host$request_uri;
     }
}

This will allow HTTP (80) communication to the NLB to flow to port 8080 of Nginx and force a redirect to 443. At this time, we can return 200 only during the health check of the LB.

Redirecting with and without www can be done in the normal way

With nginx, you can do the following as usual.

server {
    listen       80;
    server_name  aaa.com;
    return       301 $scheme://www.aaa.com$request_uri;
}

Conclusion

A case like this would be, for example, when a customer acquires a domain name from Name.com, and since the MX record for the email address has already been set up, the customer does not want to transfer the name server to Route53. There is also a case where an uncle who dislikes AWS is in charge, and he claims that he doesn’t want to use AWS at least for NS.

Introducing the case of using NLB when ALB+Route53 can do it easily.