Questions tagged with Elastic Load Balancing

HTTPAPI ALB integration over VPCLink to TargetGroup returns 500 error

Hi, here is my configuration:

mydomain.com -> API GW Custom Domain -> HTTPAPI -> Route (/api/{+proxy}) -> VPCLink -> ALB -> HTTPS Listener -> TargetGroup (Type: Instance) -> ECS Fargate Service

The HTTPAPI integration has the following parameter mapping: path -> overwrite -> /$request.path.proxy (I want to get rid of the "api" part of the URL).

When I make the request below I get 500 errors:

https://mydomain.com/api/otherPath

I have enabled access logs on HTTPAPI but they show very limited information. ALB logs are sent to an S3 bucket, so it is almost impossible to track the request. As far as I see, requests are not hitting the Fargate Service, but I am not sure.

Sample access log from API GW HTTP API:

```json
{
  "requestId": "some_req_id=",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36",
  "sourceIp": "176.232.**.**",
  "requestTime": "01/Nov/2022:09:25:37 +0000",
  "requestTimeEpoch": "1667294737",
  "httpMethod": "GET",
  "path": "/otherPath",
  "status": "500",
  "protocol": "HTTP/1.1",
  "responseLength": "35",
  "domainName": "mydomain.com",
  "error_Message": "Internal Server Error",
  "integrationErrorMessage": "-",
  "integration_Error": "-",
  "integrationStatus": "200",
  "integration_Status": "-",
  "integration_IntegrationStatus": "200",
  "integrationLatency": "5"
}
```

What am I missing? Why is it sooooo hard to find what is causing the error? I think the configuration is fine, but somehow it is really hard to make it work. Unbelievable!
1 answer · 0 votes · 17 views · asked a month ago

ALB SNI / Host Header mismatch officially supported?

I have a particular setup that is currently working, but I am trying to find docs or something to make sure it is definitely supported and not just something that might get fixed later on.

I have a shared internet-facing ALB that I am using for several unrelated applications. Right now, it has 1 default ACM Cert attached, for example for a domain `shared-alb.com`. The default action is to return a fixed 503 response. DNS for `shared-alb.com` publicly resolves to the ALB.

I then add a single additional routing rule: if the Host header matches `example-a.com`, then forward to some target group. I do _not_ have an ACM Cert covering this domain attached to the ALB. DNS for `example-a.com` does _not_ resolve to the ALB.

This I know is non-standard, but I am able to successfully make requests to my target group by forcing the hostname in the SNI ClientHello to be `shared-alb.com` and not match the Host header in the actual HTTP request, `example-a.com`. For example, this would succeed (note: I don't even need to pass `-k` to ignore SSL errors, because the TLS connection is valid for the `shared-alb.com` hostname):

```bash
curl -H "Host: example-a.com" https://shared-alb.com
```

AFAIK most other servers will reject a request if the SNI host does not match the HTTP Host header, or at least require some manual settings override to allow it. But it seems AWS ALB will allow this out of the box? I can't find anything in the [docs](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#sni-certificate-list) specifically mentioning this. It does talk about "smart certificate selection" for SNI, but it does not go on to say anything about the routing rule evaluation for Host headers caring or not caring about matching.

The different applications this ALB will be sitting behind are all on CloudFront. For this example, one CF distribution would be set up with `example-a.com` as its CNAME with a valid ACM Cert (attached to CF but not the ALB), and with `shared-alb.com` as its custom origin domain name, and configured to forward the Host header. DNS for `example-a.com` resolves to the CF distribution.

It does look like CloudFront specifically does allow this sort of non-standard request to the origin: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/http-502-bad-gateway.html#ssl-negotitation-failure so my guess is that it all is intentionally supported. I just can't find docs on the ALB side to validate.
1 answer · 0 votes · 59 views · asked a month ago