Setting up an HTTP-to-HTTPS redirect for regional external HTTP(S) load balancers

This page is for regional external HTTP(S) load balancer only. If you are using a load balancer in a different mode, see one of the following pages:

This example demonstrates how to use URL redirects to redirect all requests from port 80 (HTTP) to port 443 (HTTPS).

HTTPS uses TLS (SSL) to encrypt HTTP requests and responses, making it safer and more secure. A website that uses HTTPS has https:// in the beginning of its URL instead of http://.

Use the instructions from the Compute Engine backend guide to complete this setup.

This procedure assumes that you already have an external HTTPS load balancer that is serving HTTPS traffic on port 443.

For existing load balancers

If you already have an external HTTPS load balancer (called here LB1) that is serving HTTPS traffic on port 443, you must create a partial external HTTP load balancer (called here LB2) with the following setup:

  • The same frontend IP address used by LB1
  • A redirect configured in the URL map

This partial HTTP load balancer uses the same IP address as your HTTPS load balancer and redirects HTTP requests to your load balancer's HTTPS frontend.

This architecture is shown in the following diagram.

HTTP-to-HTTPS redirect configuration (click to enlarge)
HTTP-to-HTTPS redirect configuration

Redirecting traffic to your HTTPS load balancer

After you have verified that your external HTTPS load balancer (LB1) is working, you can create the partial external HTTP load balancer (LB2) with its frontend configured to redirect traffic to LB1.

This example uses the 301 response code. You can instead use a different response code.

To configure the redirect with gcloud, you must import a YAML file and make sure that your target HTTP proxy points to the URL map that redirects traffic. If you're using the Cloud Console, this is handled for you.

Regional external HTTP(S) load balancers aren't supported in the Cloud Console.

gcloud

  1. Create a YAML file /tmp/web-map-http.yaml. This example uses MOVED_PERMANENTLY_DEFAULT as the response code.
  2.        kind: compute#urlMap
           name: web-map-http
           defaultUrlRedirect:
             redirectResponseCode: MOVED_PERMANENTLY_DEFAULT
             httpsRedirect: True
           tests:
           - description: Test with no query parameters
             host: example.com
             path: /test/
             expectedOutputUrl: https://example.com/test/
             expectedRedirectResponseCode: 301
           - description: Test with query parameters
             host: example.com
             path: /test/?parameter1=value1&parameter2=value2
             expectedOutputUrl: https://example.com/test/?parameter1=value1&parameter2=value2
             expectedRedirectResponseCode: 301
           
  3. Create the HTTP load balancer's URL map by importing the YAML file. The name for this URL map is web-map-http.
  4.        gcloud beta compute url-maps import web-map-http \
               --source /tmp/web-map-http.yaml \
               --region=REGION
           

    If you are updating an existing URL map, the following prompt appears:

           Url Map [web-map-http] will be overwritten.
    
           Do you want to continue (Y/n)?
           

    To continue, press Y.

  5. Verify that the URL map is updated. Your HTTP load balancer's URL map should look something like this:
  6.        gcloud beta compute url-maps describe web-map-http \
               --region=REGION
           
           creationTimestamp: '2020-03-23T10:53:44.976-07:00'
           defaultUrlRedirect:
             httpsRedirect: true
             redirectResponseCode: MOVED_PERMANENTLY_DEFAULT
           fingerprint: 3A5N_RLrED8=
           id: '2020316695093397831'
           kind: compute#urlMap
           name: web-map-http
           selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/urlMaps/web-map-http
           
  7. Create a new target HTTP proxy or update an existing target HTTP proxy, using web-map-http as the URL map.
  8.        gcloud beta compute target-http-proxies create http-lb-proxy \
               --url-map=web-map-http \
               --region=REGION
           
    OR
            gcloud beta compute target-http-proxies update http-lb-proxy \
               --url-map=web-map-http \
               --region=REGION
           
  9. Create a forwarding rule to route incoming requests to the proxy. The --address flag specifies lb-ipv4-1, which is the same IP address used for the external HTTPS load balancer.
  10.        gcloud beta compute forwarding-rules create http-content-rule \
               --load-balancing-scheme=EXTERNAL_MANAGED \
               --address=lb-ipv4-1 \
               --network-tier=STANDARD \
               --region=REGION \
               --target-http-proxy=http-lb-proxy \
               --target-http-proxy-region=REGION \
               --ports=80
           

Testing the HTTP-to-HTTPS redirect

Note the reserved IP address that you are using for both load balancers.

gcloud compute addresses describe lb-ipv4-1 \
    --format="get(address)" \
    --region=REGION

In this example, assume that the reserved IP address is 34.98.77.106. The http://34.98.77.106/ URL redirects to https://34.98.77.106/.

After a few minutes have passed, you can test this by running the following curl command.

curl -v http://hostname.com

Sample output:

* Connected to 34.98.77.106 (34.98.77.106) port 80 (#0)
> GET / HTTP/1.1
> Host: hostname.com
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Cache-Control: private
< Content-Type: text/html; charset=UTF-8
< Referrer-Policy: no-referrer
< Location: https://hostname.com
< Content-Length: 220
< Date: Fri, 30 Jul 2021 21:32:25 GMT
<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://hostname.com">here</A>.
</BODY></HTML>
* Connection #0 to host hostname.com left intact

What's next