The configuration as described in the question didn't work because it created a never ending redirection: 443(ELB) forwarding to 80(Apache) forwarding to 443(ELB) forwarding to 80(Apache) forwarding to 443(ELB), etc.
So, I modified the ELB configuration to have:
- 443 (HTTPS) forwarding to 443 (HTTPS)
- 80 (HTTP) forwarding to 80 (HTTP)
When I created the listener 443 (HTTPS) forwarding to 443 (HTTPS), I didn't get to answer questions concerning the authentication. When I look on the ELB description I can see "Backend Authentication: Disabled"
The Health Check is done on HTTPS:443
(I also modified the instance security group: only the load balancer can access the instance on ports 80 and 443)
Update:
Another solution is to have only port 80 open on the instance:
- 80 (HTTP) forwarding to 80 (HTTP)
- 443 (HTTPS) forwarding to 80 (HTTP)
but to use X-Forwarded-Proto to determine if the client used HTTP or HTTPS and forward to HTTPS only if X-Forwarded-Proto = http
Example with Apache:
<VirtualHost *:80>
...
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTP_USER_AGENT} !^ELB-HealthChecker
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
...
</VirtualHost>
The line RewriteCond %{HTTP_USER_AGENT} !^ELB-HealthChecker
has been added so the ELB check is not redirected. See https://serverfault.com/questions/470015/how-should-i-configure-my-elb-health-check-when-using-namevirtualhosts-and-redir for other solutions concerning the health check
AWS Documentation concerning X-Forwarded-Proto: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/x-forwarded-headers.html#x-forwarded-proto