AEM redirects back to http when accessed through SSL/TLS terminated Load Balancer
This article discusses the Experience Manager issue where you are redirected from https to http when trying to access it through an SSL terminated Load Balancer (or SSL terminated CDN).
Description description
Environment
Experience Manager
Issues/Symptoms
When accessing AEM through an SSL terminated Load Balancer (or SSL terminated CDN), then AEM redirects back from https to http.
SSL termination at the load balancer means that the SSL certificates are installed in the load balancer. The end user accesses the site through https://, and the Dispatcher/Web Server and AEM are accessed on the back end with http://.
Resolution resolution
To fix the issue:
I.Update Dispatcher /clientheaders configuration
Refer to the documentation of your load balancer to find out which header it sets to notify downstream systems that it terminated SSL. For simplicity, in these steps we assume that the correct HTTP header is “X-Forwarded-Proto: https”
- Log in to the dispatcher server.
- Open the dispatcher farm .any configuration.
- Add the header to the /clientheaders section.
If you are using dispatcher without a load balancer or if your load balancer or proxy fails to set the X-Forwarded-Proto header, then you can set it at the web server or dispatcher level. If you are using Apache HTTP Server, then update your HTTPS VirtualHost with this directive:
RequestHeader
set
X-Forwarded-Proto
"https"
II. Update the Header Configurations:
- Go to
http://host:port/system/console/configMgr/org.apache.felix.http.sslfilter.SslFilter
, and log in as administrator. - Set SSL forward header to X-Forwarded-Proto.
- Set SSL forward value to https.
- Click Save.
Note:
There is no standard for reverse proxy headers that tell the back end which protocol is used. However, here are some that are known:
- Amazon ELB (Elastic Load Balancer) uses the “X-Forwarded-Proto: https” header.
- Amazon Cloudfront CDN uses “X-Cloudfront-Proto: https” header.
III. Update the Jetty OSGi Configuration (AEM 6.3 and later versions)
On AEM 6.3 and later versions, there is an additional configuration required:
- Log in to
http://aem-host:port/system/console/configMgr/org.apache.felix.http.
- Enable the setting Enable Proxy/Load Balancer Connection, and save it.
Cause
Different load balancers send different headers to notify the back end systems that SSL is terminated upstream. For example, Amazon ELB uses the header “X-Forwarded-Proto: https”.