Possible to prevent Application Load Balancers from routing direct-IP access to target groups?

0

When we all launch ALBs, they can be resolved by IP - that's just how the internet works (I get it).

In our case, however, all legitimate traffic will have an FQDN in the host header, e.g.:

valid request

GET https://validdomain.com/foo

invalid request

GET https://10.23.122.110/foo

I've pulled up the ALB listener rules, and it seems that while it is able to examine the Host header, it is not possible to use regular expressions in the condition - which makes it useless in this scenario. Had it accepted regex, I'd have been able to block IPV4/6 patterns and respond with a fixed 400.

Has anyone solved ensuring that requests have a domain in the host request?

Thanks! Alex

  • You can use the HOST header in your application to return a HTTP 400 Bad Request when the host doesn't match what you wish.

asked 2 years ago, 921 views
1 Answer
0

Hello,

At the moment ALB Host conditions[1] don't support regular expressions.

However, I would like to suggest you one workaround to achieve your use case as follows:

Set up a listener rule with a "Host" header condition in which you provide the valid hostnames the clients should use to access the target behind the ALB. This will route all requests with valid hostnames to your target group.

Now, in order to deflect any client requests with the "Host" header value set to an "IP address", you can use the default rule action of your listener to give a fixed response, e.g. 400 Bad Request, to clients. This will allow you to send the required response for all requests which do not have a valid host header value.

I hope the above workaround will be useful to you. Feel free to reach out to us in case of any further queries.

Thanks! Jay

References:

[1] https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html#http-header-conditions

AWS
SUPPORT ENGINEER
JAY_J
answered 2 years ago
  • It isn't really useful, is it?

    It would require me to set up 100 different rules, one for each host.
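As an added example (not code from the thread or from AWS), the following Python shows the listener layout the answer describes in the exact shape the elbv2 CreateRule and ModifyListener APIs accept, and pairs it with a small local simulator of host-header matching so the rule set can be checked against sample Host headers without touching an account. The ARNs are placeholders; the wildcard semantics (`*` matches zero or more characters, `?` exactly one, case-insensitive comparison) follow the ALB documentation, but the simulator itself, including its stripping of a `:port` suffix before matching, is an approximation and an assumption, not ALB's own logic. Because one condition can carry several values and wildcards such as `*.validdomain.com`, a whole zone of subdomains usually fits in one rule rather than one rule per host.

```python
"""Added example: ALB listener rules that forward only on an allowed Host
header and return a fixed 400 for everything else (direct-IP access included),
plus a local approximation of the host-header match for offline checking."""
import re

# Placeholder ARNs (constructed; replace with real ones before applying).
LISTENER_ARN = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/PLACEHOLDER"
TARGET_GROUP_ARN = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/PLACEHOLDER"

# Hostnames clients are allowed to use. One value with a wildcard covers a
# whole set of subdomains, so this rarely needs one rule per host.
ALLOWED_HOSTS = ["validdomain.com", "*.validdomain.com"]


def forward_rule(listener_arn, target_group_arn, hosts, priority=10):
    """Request body for elbv2 CreateRule: forward to the target group only
    when the Host header matches one of the allowed patterns."""
    return {
        "ListenerArn": listener_arn,
        "Priority": priority,
        "Conditions": [
            {"Field": "host-header", "HostHeaderConfig": {"Values": list(hosts)}}
        ],
        "Actions": [{"Type": "forward", "TargetGroupArn": target_group_arn}],
    }


def reject_default(listener_arn, status="400"):
    """Request body for elbv2 ModifyListener: the default action (evaluated
    last, when no rule matched) returns a fixed response instead of
    forwarding, so requests addressed to the raw IP never reach a target."""
    return {
        "ListenerArn": listener_arn,
        "DefaultActions": [
            {
                "Type": "fixed-response",
                "FixedResponseConfig": {
                    "StatusCode": status,
                    "ContentType": "text/plain",
                    "MessageBody": "Bad Request",
                },
            }
        ],
    }


def _pattern_to_regex(pattern):
    """'*' -> any run of characters, '?' -> exactly one, rest literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def host_matches(host_header, patterns):
    """Local approximation (assumption) of the ALB host-header condition:
    case-insensitive wildcard match on the host part of the header."""
    if host_header.startswith("["):            # bracketed IPv6 literal
        host = host_header.split("]", 1)[0] + "]"
    else:                                      # drop an optional :port
        host = host_header.split(":", 1)[0]
    return any(_pattern_to_regex(p).match(host) for p in patterns)


def route(host_header, allowed=ALLOWED_HOSTS):
    """Which listener action a request with this Host header would hit."""
    return "forward" if host_matches(host_header, allowed) else "fixed-response"


# Constructed sample Host headers mirroring the question's valid/invalid cases.
SAMPLE_HOSTS = [
    "validdomain.com", "api.validdomain.com", "VALIDDOMAIN.COM:443",
    "10.23.122.110", "[2001:db8::1]", "evil.example",
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:24} -> {route(h)}")
```

The two dictionaries can be written to files and applied with `aws elbv2 create-rule --cli-input-json file://rule.json` and `aws elbv2 modify-listener --cli-input-json file://default.json`. The fixed response keeps IP-addressed probes off the application entirely; the application-level Host check suggested in the comment on the question is still worth keeping as a second layer in case the listener configuration drifts.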
