Possible to prevent Application Load Balancers from routing direct-IP access to target groups?

0

When we all launch ALBs, they can be resolved by IP - that's just how the internet works (I get it).

In our case, however, all legitimate traffic will have an FQDN in the host header, e.g.:

valid request

GET https://validdomain.com/foo

invalid request

GET https://10.23.122.110/foo

I've pulled up the ALB listener rules, and it seems that while it is able to examine the Host header, it is not possible to use regular expressions in the condition - which makes it useless in this scenario. Had it accepted regex, I'd have been able to block IPV4/6 patterns and respond with a fixed 400.

Has anyone solved ensuring that requests have a domain in the host request?

Thanks! Alex

  • You can use the HOST header in your application to return a HTTP 400 Bad Request when the host doesn't match what you wish.

feita há 2 anos921 visualizações
1 Resposta
0

Hello,

At the moment ALB Host conditions[1] doesn't support regex expressions.

However, I would like to suggest you one workaround to achieve your use case as follows:

Setup listener rule with "Host" header condition in which you can provide the valid hostnames using which the clients should access the target behind ALB. This will route all the request with valid hostnames to your target group.

Now in order to deflect any client requests with "Host" header value set to an "IP address", you can use default rule action of your listener to give a fixed response e.g. 400 Bad Request to clients. This will allow you send the required response for all the request which does not have valid host header value.

I hope the above workaround will be useful to you. Feel free to reach out to us in case of any further queries.

Thanks! Jay

References:

[1] https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html#http-header-conditions

AWS
ENGENHEIRO DE SUPORTE
JAY_J
respondido há 2 anos
  • It isn't really useful, is it?

    It would require me to setup 100 different rules, for each host.

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas