Questions tagged with Elastic Load Balancing


ALB SNI / Host Header mismatch officially supported?

I have a particular setup that is currently working, but I am trying to find docs or something to make sure it is definitely supported and not just something that might get fixed later on.

I have a shared internet-facing ALB that I am using for several unrelated applications. Right now, it has 1 default ACM Cert attached, for example for a domain `shared-alb.com`. The default action is to return a fixed 503 response. DNS for `shared-alb.com` publicly resolves to the ALB.

I then add a single additional routing rule: if the Host header matches `example-a.com`, then forward to some target group. I do _not_ have an ACM Cert covering this domain attached to the ALB. DNS for `example-a.com` does _not_ resolve to the ALB.

This I know is non-standard, but I am able to successfully make requests to my target group by forcing the hostname in the SNI ClientHello to be `shared-alb.com` and not match the Host header in the actual HTTP request, `example-a.com`. For example, this would succeed (note: I don't even need to pass `-k` to ignore SSL errors, because the TLS connection is valid for the `shared-alb.com` hostname):

```
curl -H "Host: example-a.com" https://shared-alb.com
```

AFAIK most other servers will reject a request if the SNI host does not match the HTTP Host header, or at least require some manual settings override to allow it. But it seems AWS ALB will allow this out of the box? I can't find anything in the [docs](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#sni-certificate-list) specifically mentioning this. It does talk about "smart certificate selection" for SNI, but it does not go on to say anything about the routing rule evaluation for host headers caring or not caring about matching.

The different applications this ALB will be sitting behind are all on CloudFront. For this example, one CF distribution would be set up with `example-a.com` as its CNAME with a valid ACM Cert (attached to CF but not ALB), and with `shared-alb.com` as its custom origin domain name, and configured to forward the Host header. And DNS for `example-a.com` resolves to the CF distribution. It does look like CloudFront specifically does allow this sort of non-standard request to the origin: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/http-502-bad-gateway.html#ssl-negotitation-failure so my guess is that it all is intentionally supported. I just can't find docs on the ALB side to validate.
1 answer · 0 votes · 61 views · asked 2 months ago

HTTP API, ALB integration 5XX errors

Hi, I have the setup below, as I followed this tutorial: https://aws.amazon.com/blogs/compute/configuring-private-integrations-with-amazon-api-gateway-http-apis/

customdomain (my.domain.com) -> HTTP API -> VPC Link -> ALB -> ECS

VPC Link:
- VPC for ALB is used
- Subnets for ALB are added
- Security groups for ALB are added

Integration:
- ALB is selected
- 443 HTTPS Listener is selected
- VPC Link is selected

Parameter Mapping for Integration:
- path -> overwrite -> $request.path

Routing: "ANY /{proxy}" route is added and the integration is attached.

Deployment:
- "prod" stage is created, auto-deploy is enabled

Route53: Domain (my.domain.com) is added as an A record pointing to the custom domain.

When I make a request using my.domain.com (same if I use the auto-generated stage URL) I always get 503 errors. I checked and the ECS instance is running properly and healthy.

Sample access log:

```json
{
  "requestId": "Z6KDRhh0DoEEJhg=",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36",
  "sourceIp": "my_ip",
  "requestTime": "12/Oct/2022:20:29:34 +0000",
  "requestTimeEpoch": "1665606574",
  "httpMethod": "GET",
  "path": "/",
  "status": "503",
  "protocol": "HTTP/1.1",
  "responseLength": "33",
  "domainName": "my.domain.com",
  "integrationError": "-",
  "integrationDotError": "-",
  "integrationStatus": "200",
  "integrationDotStatus": "-",
  "integrationDotIntegrationStatus": "200",
  "integrationLatency": "9001"
}
```

What am I missing? Please help.
2 answers · 0 votes · 36 views · asked 2 months ago

Route 53 A record with Load Balancer DNS not propagating

I've configured a Load Balancer, but when adding an A record on the Hosted Zone, the DNS is not propagating. Let me explain my current configuration (let's say the domain is 'something.com' and security groups are allowing traffic, also rules on LightSail):

1. LightSail instance and VPC peered (AWS default VPC and LightSail VPC are in the same availability zones and currently peered). From now on, this will be 'previous VPC' in the following points.
2. A target group pointing to the private IP address of the LightSail instance (Type: IP Addresses, Network 'Other private IP address', previous VPC, HTTPS protocol and Healthy state).
3. Load Balancer with certificate imported, Internet-Facing, IPv4, previous VPC, 2 subnets selected (including the one the LightSail instance belongs to).
4. Hosted Zone for 'something.com' with a DNS A record for 'dummy.something.com' pointing to the Load Balancer DNS. With Alias that redirects traffic to 'Classic Load Balancer and applications', same region and previously created Load Balancer.

I've done this before to protect an OWASP JuiceShop and it worked perfectly. The differences with the current one are:

1. DNS zone on LightSail with an A record for 'dummy.something.com' pointing to the instance public IP (I'm deleting that record when creating the one on Route 53, the one in previous point 4), among other records for 'something.com' (for example an A record apidummy.something.com).
2. The hosted zone is NOT 'created by Route53 Registrar'.

After all of this, and after creating the DNS A record of point 4, the DNS does not propagate and the application hosted on 'dummy.something.com' is not accessible (DNS error returned).

What am I doing wrong or missing? Should I create a CNAME record on LightSail for 'dummy.something.com' resolving to the Load Balancer DNS? Should I register 'dummy.something.com' with Route 53? Something completely different? Any help would be really appreciated.
1 answer · 0 votes · 53 views · Pepelu · asked 2 months ago