
Unable to force HTTPS for website running ASP.NET

Posted 2019-03-01 05:15

Question:

So I've finally been able to successfully create an HTTPS website. It is just running the template ASP.NET web project. I have a certificate, and this is added to the ELB (Elastic Load Balancer - classic) in AWS. My environment works in that I can browse to https://www.mvc.cloudy-skies.org and it is secure. That's awesome! However, two issues remain:

  1. You can still just browse to http:// and it works. Not ideal.
  2. I have Azure AD authentication via OWIN middleware. This works great, but despite specifying HTTPS in the redirect URL after sign in, I am redirected back to the HTTP version of the site.

Can anyone help here please? I'm at a loss. This is how I have the listeners configured on the Elastic Beanstalk environment (Load Balancer)

I have tried adding redirects into the Web.Config (e.g.)

<!--<rewrite>
  <rules>
    <rule name="Redirect to HTTPS" enabled="true" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTP_X_FORWARDED_PROTO}" pattern="https" negate="true" />
        <add input="{REMOTE_HOST}" pattern="localhost" negate="true" />
        <add input="{REMOTE_ADDR}" pattern="127.0.0.1" negate="true" />
        <add input="{HTTP_HOST}" pattern="localhost" negate="true" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>
  </rules>
</rewrite>-->

However, this causes the Elastic Beanstalk deployment to fail on update, due to the fact that the health check fails. I have even tried creating a basic HTML page in the root of the solution and using that for health checks but it still fails. Something about specifying the redirect in the web.config does not play well.

Surely this is really simple to force the user to conform to HTTPS?

Answer 1:

I find it best to add a CloudFront Distribution, with "Redirect HTTP to HTTPS" set. CloudFront terminates the TLS session with your cert, then talks to your Elastic Beanstalk's ELB using HTTP, though public internet users are automatically redirected to the HTTPS endpoint.

This can be achieved following these steps:

  1. Go to CloudFront > Create Distribution > Web
  2. Select the ELB Origin
  3. Select Viewer Policy: Redirect HTTP to HTTPS
  4. Select Cache Based on Headers: All (this allows caching per user, though you may want to refine this later)
  5. Object Caching: Customize (disables default caching, review later to optimize)
  6. Enter Minimum, Maximum and Default TTL as 0
  7. Cookies and QueryString to All
  8. Select appropriate Price Class; fewer regions are cheaper.
  9. Alternative Domain Names: add all domain names that you want to be directed at this Distribution
  10. Custom SSL Certificate (this needs to be a certificate in us-east-1 with all the domain names entered above as alternative names).
  11. Once the Distribution has been created, you need to update your DNS CNAME to point to the ___.cloudfront.net address that you are given.
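
The console steps above expressed as a CloudFormation template, as an added example that is not part of the original answer. The parameter names, the `elb-origin` id, the allowed methods and the minimum TLS version are assumptions the answer does not specify.

```yaml
# Added example, not from the original answer. Parameter names, the
# "elb-origin" id, AllowedMethods and MinimumProtocolVersion are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  ElbDnsName:          # DNS name of the Elastic Beanstalk ELB (step 2)
    Type: String
  SiteDomainName:      # alternate domain name for the distribution (step 9)
    Type: String
  CertificateArn:      # ACM certificate in us-east-1 covering SiteDomainName (step 10)
    Type: String
Resources:
  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        PriceClass: PriceClass_100              # step 8: cheapest price class
        Aliases:
          - !Ref SiteDomainName
        Origins:
          - Id: elb-origin
            DomainName: !Ref ElbDnsName
            CustomOriginConfig:
              OriginProtocolPolicy: http-only   # CloudFront talks HTTP to the ELB
              HTTPPort: 80
        DefaultCacheBehavior:
          TargetOriginId: elb-origin
          ViewerProtocolPolicy: redirect-to-https   # step 3
          # Assumption: the app accepts form posts (sign-in), so allow all methods.
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
          MinTTL: 0                                 # steps 5 and 6
          DefaultTTL: 0
          MaxTTL: 0
          ForwardedValues:
            QueryString: true                       # step 7
            Headers: ["*"]                          # step 4: forward all headers
            Cookies:
              Forward: all                          # step 7
        ViewerCertificate:
          AcmCertificateArn: !Ref CertificateArn
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021
Outputs:
  CnameTarget:         # the ___.cloudfront.net name for the DNS CNAME (step 11)
    Value: !GetAtt Distribution.DomainName
```

The ELB's own hostname still answers plain HTTP to anyone who requests it directly; this template does not change the ELB listeners or its security group.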