Possible to prevent Application Load Balancers from routing direct-IP access to target groups?

Question

When we all launch ALBs, they can be resolved by IP - that's just how the internet works (I get it).

In our case, however, all legitimate traffic will have an FQDN in the host header, e.g.:

valid request
```
GET https://validdomain.com/foo
```

invalid request
```
GET https://10.23.122.110/foo
```

I've pulled up the ALB listener rules, and it seems that while it is able to examine the Host header, it is not possible to use regular expressions in the condition - which makes it useless in this scenario.  Had it accepted regex, I'd have been able to block IPV4/6 patterns and respond with a fixed 400.

Has anyone solved ensuring that requests have a domain in the host request?

Thanks!
Alex

Answer

Hello,

At the moment ALB Host conditions[1] doesn't support regex expressions.

However, I would like to suggest you one workaround to achieve your use case as follows:

> Setup listener rule with "Host" header condition in which you can provide the valid hostnames using which the clients should access the target behind ALB. This will route all the request with valid hostnames to your target group.

> Now in order to deflect any client requests with "Host" header value set to an "IP address", you can use default rule action of your listener to give a fixed response e.g. 400 Bad Request to clients. This will allow you send the required response for all the request which does not have valid host header value.

I hope the above workaround will be useful to you. Feel free to reach out to us in case of any further queries.

Thanks! Jay

References:
---------------
[1] https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html#http-header-conditions

Possible to prevent Application Load Balancers from routing direct-IP access to target groups?

References:

相關內容