Yes, it is possible to provide a custom JSON response when there's an issue with the client's certificate or if it's missing when using mutual TLS (mTLS) with AWS Application Load Balancer (ALB).
AWS WAF V2 allows you to configure custom response bodies, which can be used in conjunction with ALB. You can set up a custom response in JSON format by following these steps:
- In AWS WAF V2, create a custom response body.
- Set the "Content" field to your desired JSON payload.
- Set the "ContentType" to "APPLICATION_JSON".
The content of your JSON response can be customized to provide specific information about the certificate issue. The length of the content must be between 1 and 10240 characters.
When configuring this custom response, you would typically set up a rule in AWS WAF that triggers when there's a certificate issue or when it's missing. This rule would then return the custom JSON response you've defined.
It's important to note that while this method allows you to return a custom JSON response, the actual handling of mTLS and certificate verification is still managed by the ALB. The custom response is a way to provide more informative feedback to clients when certificate issues occur.
Remember to consider security implications when crafting your custom responses, ensuring you don't reveal sensitive information about your infrastructure or security setup.
Sources
CustomResponseBody - AWS WAFV2
When the ALB performs mTLS authentication in the "verify" mode, it simply drops the TLS session if a client certificate isn't provided or it isn't accepted. It's explained step by step in the release blog post under the "mTLS verify mode" subheading: https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-mtls-for-application-load-balancer/
The bot's earlier suggestion about using WAF doesn't work in the "verify" mode. WAF inspects requests and can return custom responses, but when the ALB's mTLS setup causes the entire TLS session to be rejected, no request is ever received over the TLS session or sent to WAF for inspection.
If you set the ALB to use "passthrough" mode, the HTTP headers ALB adds will be available for processing on your Nginx server, and I believe they should also be available for WAF to inspect in that situation. Note that if no client certificate is received, the ALB won't add any mTLS headers to the request, which is the indication your Nginx configuration or WAF rule should look for to detect that the certificate is missing.
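One way to do the "look for the missing header" check described above on the Nginx side, written here as an added example that is not from either answer. It assumes the ALB listener is in mTLS "passthrough" mode, that the ALB forwards the certificate fields in the X-Amzn-Mtls-Clientcert-* request headers, and that the issuer DN and upstream name are placeholders to replace with your own.

```nginx
# Added example (not from the original answers). Assumes an ALB in mTLS
# "passthrough" mode that adds X-Amzn-Mtls-Clientcert-* headers, and that
# Nginx is reachable only from the ALB (security group), since any client
# that can hit Nginx directly could otherwise forge these headers.
events {}

http {
    upstream app_backend {
        server 127.0.0.1:8080;   # placeholder backend
    }

    # The ALB adds no mTLS headers at all when no client certificate was
    # presented, so an empty serial-number header means "certificate missing".
    map $http_x_amzn_mtls_clientcert_serial_number $mtls_cert_missing {
        default 0;
        ""      1;
    }

    # Passthrough mode does not validate the certificate, so presence alone is
    # not authentication: pin the issuer DN to the CA you expect (placeholder DN).
    map $http_x_amzn_mtls_clientcert_issuer $mtls_issuer_ok {
        default 0;
        "CN=Example Client CA,O=Example Corp,C=US" 1;
    }

    server {
        listen 80;

        location / {
            # Content-Type for the bodies returned by "return" below.
            default_type application/json;

            if ($mtls_cert_missing) {
                return 401 '{"error":"client_certificate_required","detail":"no client certificate was presented"}';
            }
            if ($mtls_issuer_ok = 0) {
                return 403 '{"error":"client_certificate_rejected","detail":"certificate issuer is not trusted"}';
            }

            proxy_pass http://app_backend;
        }
    }
}
```

The issuer pin is a coarse filter only; full chain and validity checking still has to happen in the application or in the ALB's "verify" mode, where a rejected certificate ends the TLS session before any HTTP response can be sent.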
Can this be done without WAF? Can I use the pass through option and authenticate on the nginx side with the passed header?