Hello,
Thank you for contacting AWS re:Post!
The behavior of the setup that you deployed is expected. Under normal conditions, the client first initiates a TLS connection, sending the hostname in the SNI field of the Client Hello packet. Only after a successful TLS handshake is application data exchanged, with the client sending a Host header that is the same as the hostname in the SNI. However, the Host header can be manipulated via a command such as: curl https://shared-alb.com -H "Host: example-a.com". This is called Domain Fronting, which involves establishing a TLS connection with an SNI field different from the HTTP Host header. For example, the TLS connection might connect to www.example.com and then send an HTTP request to www.example.org. Domain Fronting is allowed by ALB, as ALB can support multiple domains/multiple Host headers. Hence, it is recommended to create Host header conditions in the ALB listener rules only for domains for which the ALB has an SSL/TLS certificate associated, so that only genuine traffic is allowed.
However, CloudFront does not support Domain Fronting. CloudFront includes protection against domain fronting occurring across different AWS accounts.
Refer to the "Domain fronting" section in the AWS documentation: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-restrictions
I hope that you find this information helpful. If you have any further queries or concerns, please do not hesitate to reach out to us.
Thanks! Anil
Thank you for the answer! That is very helpful.