
Enabling Cipher suite header in ALB using CloudShell, what syntax

0

How do I enable "routing.http.request.x_amzn_tls_cipher_suite.header_name" using CloudShell? Neither the "documentation" nor the AI answer provides a complete example of the CLI syntax. I have already tried the command aws elbv2 modify-listener-attributes --listener-arn arn:aws:elasticloadbalancing:eu-central-1:CENSORED --attributes Key=routing.http.request.x_amzn_tls_cipher_suite.header_name,Value=X-Amzn-TLS-Cipher-Suite

That command seems to fail because header names starting with X-Amzn- are reserved for AWS defaults, but there is no clear documentation on how to enable the header with its default name.

And even with a non-Amazon value for the header name, the header is not enabled and is still not sent to the backend servers.

1 Answer
1

Hello.

If you enable "TLS version and cipher headers" in the ALB attribute settings, "X-Amzn-TLS-Cipher-Suite" will be set in the header.

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#load-balancer-attributes

routing.http.x_amzn_tls_version_and_cipher_suite.enabled
Indicates whether the two headers (x-amzn-tls-version and x-amzn-tls-cipher-suite), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. The x-amzn-tls-version header has information about the TLS protocol version negotiated with the client, and the x-amzn-tls-cipher-suite header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. The possible values for the attribute are true and false. The default is false.

If you are using AWS CLI, you can enable it with the following command:
https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-load-balancer-attributes.html

aws elbv2 modify-load-balancer-attributes --load-balancer-arn arn:aws:elasticloadbalancing:ap-northeast-1:123456789012:loadbalancer/app/example/123456789012345 --attributes Key=routing.http.x_amzn_tls_version_and_cipher_suite.enabled,Value=true

I configured an EC2 instance as the target of an ALB with an HTTPS listener and captured tcpdump on it.
You can confirm that "X-Amzn-TLS-Cipher-Suite" is included in the header as shown below.

# tcpdump port 80 -nn -A
@.......GET / HTTP/1.1
x-amzn-tls-cipher-suite: TLS_AES_128_GCM_SHA256
x-amzn-tls-version: TLSv1.3
X-Forwarded-For: ....
X-Forwarded-Proto: https
X-Forwarded-Port: 443
Host: example.com
X-Amzn-Trace-Id: Root=1-686669f4-4873a04c1e993f9834d7e2b8
cache-control: max-age=0
sec-ch-ua: "Google Chrome";v="137", "Chromium";v="137", "Not/A)Brand";v="24"

The "modify-listener-attributes" command is used to change the name of a header.
Therefore, the command execution will fail unless you set a value other than "X-Amzn-TLS-Cipher-Suite" as shown below.
https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-listener-attributes.html

aws elbv2 modify-listener-attributes --listener-arn arn:aws:elasticloadbalancing:eu-central-1:CENSORED --attributes Key=routing.http.request.x_amzn_tls_cipher_suite.header_name,Value=test
EXPERT
answered a year ago
  • In my experience, the header is NOT sent by default, and using the attribute to set it to a non-reserved name still doesn't enable it. If inclusion of that header depends on some other setting, I don't know about it and it isn't clearly stated in the documentation I have read.

  • Sorry, the ALB I was using was not the default setting. I had enabled "TLS version and cipher headers" in the ALB attribute settings.
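Once the attribute is enabled, the target sees the two headers exactly as in the tcpdump capture above, and the useful next step is deciding what the backend does with them. The following Python is an added example, not code from this thread or from AWS: it parses a raw HTTP/1.1 request as the target receives it, reads x-amzn-tls-version and x-amzn-tls-cipher-suite (or a renamed cipher header, since the listener attribute discussed above can change that name), and applies a policy of TLS 1.2 or newer, an AEAD cipher suite and forward secrecy. The policy thresholds, the sample request (modelled on the answer's capture, with a documentation IP address) and the handling of the missing-header case are all assumptions of the example; when the headers are absent, which is what the asker saw before the load balancer attribute was turned on, it fails closed rather than treating the request as fine.

```python
# Added example (not from the re:Post thread or AWS). Assumes a target that
# receives plain HTTP from an ALB whose
# routing.http.x_amzn_tls_version_and_cipher_suite.enabled attribute is true.
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Default header names the ALB emits (lower case, as in the tcpdump capture).
# routing.http.request.x_amzn_tls_cipher_suite.header_name can rename the
# cipher header, so assess() takes the names as parameters.
DEFAULT_VERSION_HEADER = "x-amzn-tls-version"
DEFAULT_CIPHER_HEADER = "x-amzn-tls-cipher-suite"
MIN_TLS_VERSION = (1, 2)  # policy choice for this example

# Constructed sample request, modelled on the tcpdump output in the answer.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "x-amzn-tls-cipher-suite: TLS_AES_128_GCM_SHA256\r\n"
    "x-amzn-tls-version: TLSv1.3\r\n"
    "X-Forwarded-For: 203.0.113.10\r\n"
    "X-Forwarded-Proto: https\r\n"
    "X-Forwarded-Port: 443\r\n"
    "Host: example.com\r\n"
    "\r\n"
)

_VERSION_RE = re.compile(r"^TLSv(\d+)(?:\.(\d+))?$")


def parse_headers(raw: str) -> dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 request; names are lower-cased
    because header names are case-insensitive (the ALB emits these in lower case)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_tls_version(value: str) -> tuple[int, int]:
    """Map the OpenSSL-style string ('TLSv1.3', 'TLSv1') to a comparable tuple."""
    m = _VERSION_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised TLS version: {value!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def is_aead(cipher: str) -> bool:
    """AEAD suites in OpenSSL naming carry GCM, CCM or CHACHA20 in the name."""
    c = cipher.upper()
    return "GCM" in c or "CCM" in c or "CHACHA20" in c


def has_forward_secrecy(cipher: str, version: tuple[int, int]) -> bool:
    """Every TLS 1.3 suite uses (EC)DHE; for TLS 1.2 the OpenSSL name says so."""
    if version >= (1, 3):
        return True
    c = cipher.upper()
    return c.startswith("ECDHE-") or c.startswith("DHE-")


@dataclass
class Assessment:
    tls_version: tuple[int, int] | None
    cipher_suite: str | None
    reasons: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.reasons


def assess(headers: dict[str, str],
           version_header: str = DEFAULT_VERSION_HEADER,
           cipher_header: str = DEFAULT_CIPHER_HEADER) -> Assessment:
    """Decide whether the client's negotiated TLS parameters meet policy.
    Only meaningful when the target is reachable solely through the ALB (lock the
    target security group to the ALB); a client hitting the target directly
    could supply these headers itself."""
    version_raw = headers.get(version_header.lower())
    cipher = headers.get(cipher_header.lower())
    if version_raw is None or cipher is None:
        # Fail closed: the attribute is off (the asker's situation) or the
        # request never passed through the ALB.
        return Assessment(None, cipher, ["TLS headers absent: attribute disabled or request bypassed the ALB"])
    version = parse_tls_version(version_raw)
    result = Assessment(version, cipher)
    if version < MIN_TLS_VERSION:
        result.reasons.append(f"TLS {version[0]}.{version[1]} below minimum")
    if not is_aead(cipher):
        result.reasons.append(f"non-AEAD cipher suite {cipher}")
    if not has_forward_secrecy(cipher, version):
        result.reasons.append(f"no forward secrecy: {cipher}")
    return result


if __name__ == "__main__":
    print(assess(parse_headers(SAMPLE_REQUEST)))
    print(assess({"x-amzn-tls-version": "TLSv1", "x-amzn-tls-cipher-suite": "AES128-SHA"}))
```

Run as a script it prints a passing assessment for the sample request and a failing one for a TLS 1.0 / AES128-SHA client. Before blaming the backend, confirm the attribute from CloudShell with aws elbv2 describe-load-balancer-attributes --load-balancer-arn &lt;arn&gt;, which lists routing.http.x_amzn_tls_version_and_cipher_suite.enabled alongside the other attributes.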
