[coldbox-3.8.1] SSL redirect behind AWS load balancer

Hi all,
I’m not very experienced with Coldbox so please bear with me :slight_smile:

I’m running Coldbox 3.8.1 behind an AWS load balancer. The SSL connection is terminated at the load balancer so the connections come into the server as http.
I now want to force connections to be https.
Redirecting it on the IIS level does not work, it results in an infinite redirect loop, probably because connections come in as http.

I realised I can check
and check if it matches ‘http’ (this indicates that we’re behind a load balancer and the connection was http)
and if it is true then redirect to https.

I tried this
cfheader name=“Location” value=“https://www.domain.com#CGI.SCRIPT_NAME#

This works in regards to the http to https but I am having trouble to implement this for some of my routes (one of which is the main one where I need this to work).

Basically a URL such as domain.com/ROOMID on my site will (if no folder or file called ROOMID exists) invoke the rooms handler and run the index action.
ROOMID is basically acts as a GET URL parameter.
Because the rooms index handler gets invoked it means that #CGI.SCRIPT_NAME#" always evaluates to index.cfm and the https redirect goes to domain.com/index.cfm

What I am trying to achieve is that a URL such as http://www.domain.com/ROOMID gets redirected to https://www.domain.com/ROOMID

I hope this makes sense. Any help would be hugely appreciated.



We’ve already done the logic of figuring out of the request is SSL. Just use event.isSSL() That will look at all those headers for you!

I would recommend doing your HTTP → HTTPS redirect as a rewrite rule before it even hits ColdFusion. Then you can just redirect BEFORE you process your index.cfm rewrite rule. If you want to do the redirect from CFML, you’ll just have to massage the URL to remove the index.cfm again. ColdFusion doesn’t even realize that the request is being rewritten.

Many thanks, this sounds like what I need.

Would you be able to provide an example by any chance? I’m not sure how to use event.isSSL() or where to add that check.

I tried to do it in IIS using a URL Rewrite rule but it infinitely redirects, presumably because the web server always sees http even if the original request to the load balancer was https.

I’m also confused about this:

If you want to do the redirect from CFML, you’ll just have to massage the URL to remove the index.cfm again. ColdFusion doesn’t even realize that the request is being rewritten.

What would this look like if I used my existing check

and redirect
cfheader name=“Location” value=“https://www.domain.com#CGI.SCRIPT_NAME#

If I strip index.cfm from it then how do I access the initial ROOMID parameter?

Sorry if this is trivial, unfortunately I don’t work in CF very often…



This is an IIS rule to force HTTP to HTTPS.



Also see:

That should solve your problem. You don’t need to use cfheader.

However, to satisfy your questions:
Instead of using cfheader, you can use event.isSSL() to see if incoming request is in HTTPS. You use event.isSSL() in handlers (or interceptors – not sure if supported in CB v.3.8.1).
If you use ColdBox SES, check this out: https://coldbox.ortusbooks.com/content/full/routing/

That’s helpful, thanks.
However I don’t have any luck with the IIS rewrite rule, I end up in an infinite redirect loop. Not figured out why that is yet…

Thanks again.