How to Configure HTTP to HTTPS Redirect on AWS ALB for HIPAA Compliance


When implementing HIPAA-compliant systems on AWS, encrypting all client connections is non-negotiable. While terminating SSL at the Application Load Balancer (ALB) is common, many engineers overlook the crucial HTTP-to-HTTPS redirection layer that prevents unencrypted access attempts.

The solution lies in properly configuring ALB listeners. You'll need two listeners:

1. HTTP listener on port 80
2. HTTPS listener on port 443

The magic happens when you add a redirect rule to the HTTP listener:

Using AWS Management Console:

  1. Navigate to EC2 > Load Balancers
  2. Select your ALB and choose "Listeners" tab
  3. If one does not already exist, add an HTTP listener on port 80
  4. Click "Add action" and select "Redirect to..."
  5. Configure as follows:
    Protocol: HTTPS
    Port: 443
    Host: #{host}
    Path: #{path}
    Query: #{query}
    Status code: HTTP 301

For infrastructure-as-code deployments:

resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.example.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

For AWS-native templating:

HTTPListener:
  Type: AWS::ElasticLoadBalancingV2::Listener
  Properties:
    LoadBalancerArn: !Ref ApplicationLoadBalancer
    Port: 80
    Protocol: HTTP
    DefaultActions:
    - Type: redirect
      RedirectConfig:
        Protocol: HTTPS
        Port: 443
        StatusCode: HTTP_301
        Host: "#{host}"
        Path: "#{path}"
        Query: "#{query}"

After implementation, verify with:

curl -v http://your-alb-dns-name.com
# Should return 301 with Location header pointing to HTTPS

Ensure your ALB security group allows inbound traffic on both:

- TCP 80 (HTTP)
- TCP 443 (HTTPS)

When clients access your website through an Application Load Balancer (ALB), the connection flow typically looks like this:

Client → (HTTP/HTTPS) → ALB → (HTTPS) → EC2 Instances

The HIPAA compliance requirement means we need encryption throughout this entire chain. While your backend servers already enforce HTTPS, we need to handle the client-ALB connection properly.

The solution lies in configuring ALB listeners correctly. Here's the proper setup:

  1. Create an HTTPS listener on port 443 with your SSL certificate
  2. Create an HTTP listener on port 80
  3. Configure the HTTP listener to redirect to HTTPS

Here's how to set this up in the AWS Management Console:

1. Navigate to EC2 → Load Balancers
2. Select your ALB and go to the "Listeners" tab
3. If one does not already exist, add a listener:
   - Protocol: HTTPS
   - Port: 443
   - Default action: Forward to your target group
4. Edit the HTTP listener (port 80):
   - Change action type to "Redirect to HTTPS"
   - Set status code to HTTP 301 (permanent redirect)
   - Specify port 443
   - Keep other fields as default

For infrastructure-as-code users, here's a Terraform example:

resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.main.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.main.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate_validation.cert.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.main.arn
  }
}

For CloudFormation users:

HTTPListener:
  Type: AWS::ElasticLoadBalancingV2::Listener
  Properties:
    LoadBalancerArn: !Ref ApplicationLoadBalancer
    Port: 80
    Protocol: HTTP
    DefaultActions:
      - Type: redirect
        RedirectConfig:
          Protocol: HTTPS
          Port: 443
          StatusCode: HTTP_301

HTTPSListener:
  Type: AWS::ElasticLoadBalancingV2::Listener
  Properties:
    LoadBalancerArn: !Ref ApplicationLoadBalancer
    Port: 443
    Protocol: HTTPS
    Certificates:
      - CertificateArn: !Ref SSLCertificate
    DefaultActions:
      - Type: forward
        TargetGroupArn: !Ref TargetGroup

After implementation, verify the setup:

curl -I http://yourdomain.com
# Should return:
# HTTP/1.1 301 Moved Permanently
# Location: https://yourdomain.com/

Additionally, check your SSL Labs score to ensure proper configuration of your HTTPS listener.

For HIPAA compliance, consider these extra measures:

  • Use TLS 1.2 or higher (disable older protocols)
  • Implement security headers (HSTS, CSP)
  • Enable access logs for audit purposes
  • Consider using AWS WAF for additional protection
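The curl checks above tell you the status code and Location by eye; the script below is an added example (not code from the original article) that turns those checks into assertions: a 301, a Location that is https on the same host and port 443, and the original path and query preserved (what the #{host}/#{path}/#{query} placeholders are for). It also checks the Strict-Transport-Security header from the extra-measures list on the HTTPS response. The host app.example.org, the /patients/123 sample path and the one-year HSTS max-age threshold are assumptions; the sample responses are constructed, not captured from a real load balancer, so the checks run offline, and passing a hostname as the first argument audits a live ALB instead.

```python
# Added example (not from the original article): offline-testable checks for the
# HTTP->HTTPS redirect described above and for the HSTS header listed under the
# extra measures. Host names, paths and the max-age threshold are assumptions.
import http.client
import ssl
import sys
from urllib.parse import urlsplit

HSTS_MIN_MAX_AGE = 31536000  # assumed threshold: one year


def check_redirect(status, headers, host, path, query=""):
    """Validate one response from the port-80 listener.

    `headers` is a dict with lower-cased names. Returns a list of problems; an
    empty list means: 301, Location is https://<same host>[:443], and the
    request's path and query survived the redirect.
    """
    problems = []
    if status != 301:
        problems.append(f"expected 301, got {status}")
    location = headers.get("location")
    if location is None:
        problems.append("no Location header")
        return problems
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"Location scheme is {target.scheme!r}, not https")
    if target.hostname != host:
        problems.append(f"host changed: {target.hostname!r} != {host!r}")
    if target.port not in (None, 443):
        problems.append(f"Location port is {target.port}, not 443")
    if target.path != path:
        problems.append(f"path not preserved: {target.path!r} != {path!r}")
    if target.query != query:
        problems.append(f"query not preserved: {target.query!r} != {query!r}")
    return problems


def check_hsts(headers, min_max_age=HSTS_MIN_MAX_AGE):
    """Validate Strict-Transport-Security on the HTTPS response."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < min_max_age:
        return [f"HSTS max-age {max_age} is below {min_max_age}"]
    return []


def fetch(host, target, scheme):
    """GET one URL without following redirects; returns (status, headers)."""
    if scheme == "https":
        conn = http.client.HTTPSConnection(
            host, 443, timeout=10, context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("GET", target, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def audit(host, path="/patients/123", query="view=summary"):
    """Live check against a real ALB: redirect first, then HSTS over HTTPS."""
    target = f"{path}?{query}" if query else path
    status, headers = fetch(host, target, "http")
    problems = check_redirect(status, headers, host, path, query)
    if not problems:
        _, https_headers = fetch(host, target, "https")
        problems += check_hsts(https_headers)
    return problems


# Constructed sample responses (not captured from a real ALB) so the checks
# can run offline; pass a hostname as argv[1] to audit a live load balancer.
GOOD_HTTP = (301, {"location": "https://app.example.org/patients/123?view=summary"})
BAD_HTTP = (302, {"location": "http://app.example.org/"})  # wrong code, scheme, path, query
GOOD_HTTPS_HEADERS = {"strict-transport-security": "max-age=63072000; includeSubDomains"}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(audit(sys.argv[1]) or "OK")
    else:
        for label, resp in (("good sample", GOOD_HTTP), ("bad sample", BAD_HTTP)):
            found = check_redirect(*resp, "app.example.org", "/patients/123", "view=summary")
            print(label, found or "OK")
        print("hsts sample", check_hsts(GOOD_HTTPS_HEADERS) or "OK")
```

Run it with no arguments to see the constructed good and bad samples evaluated, or with your ALB's DNS name to check the real listeners; a non-empty list from `audit` tells you which of the settings from the console steps (status code, protocol, port, host/path/query placeholders) did not take effect.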