How To: Redirect a Root Domain to a Subdomain Protected by WAF SaaS

Goal: Provide a static IP address for the root domain's DNS settings so that the root domain redirects to a subdomain protected by our Web Application Firewall, typically "www.".

Overview:

Set up a Network Load Balancer (NLB) with two static IPs:

  • Static_IP_1 (e.g., 192.0.2.10)

  • Static_IP_2 (e.g., 192.0.2.20)

The NLB forwards the traffic to the ALB.

This guide will walk you through obtaining a certificate for your root domain, configuring an Application Load Balancer (ALB) rule for the redirect, and verifying the setup.

Step 1: Request a Certificate for the Root Domain

  1. Navigate to AWS Certificate Manager (ACM).

  2. Request a new certificate for your root domain (e.g., example.com).

    1. Click on "Request a certificate", then select "Request a public certificate" and follow the prompts.

    2. For Domain name, enter your root domain.

    3. Choose DNS validation for the validation method.

  3. Find your validation challenge: Add the DNS validation record provided by ACM (CNAME name and CNAME value) to your DNS configuration to complete the validation process. You can find this record in ACM -> Certificates -> <your certificate>.

  4. Wait until the certificate is validated: It may take some time for DNS changes to propagate and for ACM to validate the certificate. Monitor the certificate status in ACM.

Step 2: Add a Rule in the ALB

  1. Navigate to your ALB in the EC2 Management Console.

  2. Select the listener that handles incoming requests for your domain.

  3. Add a new rule to redirect requests from the root domain to the subdomain.

    1. Condition: Host header matches your root domain.

    2. Action: Redirect to the subdomain with the appropriate protocol (HTTP or HTTPS), port and path.

Step 3: Add the Certificate

In the ALB screen, click the Certificates tab and then click Add certificate.

Then find the certificate you requested in Step 1.

Step 4: Add Relevant Tags in Rule

  • Tagging rules can help with organization and billing. Add any relevant tags as per your organization's tagging strategy.

  • Add the same relevant tags as the other rules.

Step 5: Test

To test the redirect, use the following curl commands:

  • curl --resolve example.com:443:Static_IP_1 https://example.com -v

  • curl --resolve example.com:443:Static_IP_2 https://example.com -v

Replace example.com with your actual root domain and Static_IP_1 and Static_IP_2 with the static IP addresses of your Network Load Balancer (e.g., 192.0.2.10 and 192.0.2.20).

The expected result is a 301 redirect response pointing to the subdomain.
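The check described in Step 5 can be scripted. The following is an added example, not part of the original guide: it parses the response headers and passes only on a 301 whose Location is an HTTPS URL on the expected subdomain. The function names, example.com / www.example.com and the 192.0.2.x addresses are assumptions or placeholders.

```shell
#!/bin/sh
# Added example (not from the original guide). Assumed names: example.com,
# www.example.com, and the placeholder IPs 192.0.2.10 / 192.0.2.20.

# check_redirect EXPECTED_HOST: reads HTTP response headers on stdin and
# succeeds only for a 301 whose Location is https://EXPECTED_HOST[:443][/...].
check_redirect() {
  tr -d '\r' | awk -v host="$1" '
    /^HTTP\//                  { status = $2; location = "" }
    tolower($1) == "location:" { location = $2 }
    END {
      prefix = "https://" host
      if (status != "301") { print "FAIL: status=" status; exit 1 }
      if (index(location, prefix) != 1) { print "FAIL: Location=" location; exit 1 }
      rest = substr(location, length(prefix) + 1)
      sub(/^:443/, "", rest)
      # Anything other than a path here means a different (look-alike) host.
      if (rest != "" && substr(rest, 1, 1) != "/") { print "FAIL: Location=" location; exit 1 }
      print "OK: 301 -> " location
    }'
}

# verify_nlb ROOT SUBDOMAIN IP...: live check of each static IP (needs network).
verify_nlb() {
  root=$1; sub=$2; shift 2; rc=0
  for ip in "$@"; do
    printf '%s: ' "$ip"
    curl -sS -o /dev/null -D - --max-time 10 \
      --resolve "$root:443:$ip" "https://$root/" | check_redirect "$sub" || rc=1
  done
  return "$rc"
}

# Constructed sample response, so the parser can be exercised offline.
sample='HTTP/1.1 301 Moved Permanently
Server: awselb/2.0
Location: https://www.example.com:443/
'
printf '%s' "$sample" | check_redirect www.example.com
# Live use: verify_nlb example.com www.example.com 192.0.2.10 192.0.2.20
```

Because curl is run without -k, a certificate that does not cover the root domain makes the TLS handshake fail, so the check also fails if Step 1 or Step 3 was missed.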
