Score:0

Can you prevent routing traffic to an AWS ALB if the host is an IP address and not a domain name?


I'm running an ALB on AWS with multiple SSL certificates. The domain name is dynamically handled via the application on EC2. Currently, the ALB will route requests to the IP address of the ALB to the application. Even though the application has an appropriate exception for these queries, this causes unnecessary log entries in all of the request logs and WAF.

My first two thoughts were…

  1. Add a listener rule that blocks IP addresses. Unfortunately, the only way I see to do that is to have a Host header filter on *.*.*.*. That won't work as we could be serving a site for site.group.example.com.
  2. Only forward requests to the target group if the Host header matches one of the SSL certificates attached to the listener. The problem here is that I can't find any way to execute this kind of rule.
Appleoddity
What you are describing is NOT how an ALB usually works. You have configured the default rule to forward to the application rather than discard with an HTTP 404. Or, you've created a rule that is including these requests. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html#listener-rules
Tim
Are you saying you address the ALB by IP address? The IP address of an ALB changes at random times, such as during maintenance or when it scales in / out. Sending everything from the ALB to the application isn't something I've heard of anyone doing; this should be using domain name / SLI.
Bryan Phillips
Thanks. This all makes sense and what I had assumed. I can, and currently do, block those requests on the application level. It seems like our only alternative to block it before it gets to the application is to build domain-specific rules on the listener for each domain that the application will respond to and then leave a default rule to block everything else. As I have multiple ALBs serving the max number of SSL certs each, I was checking for a more automated option. I appreciate the time you took to comment.
Score:0

Updating this as answered based on the comments. Essentially, it's an "unask the question" situation since the solution is to list all domain names as filters and have a final default rule that discards the request.
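As an added example (not code from the original thread), here is that listener layout in Terraform: a default fixed-response 404 and one forward rule per served hostname, so requests addressed to the ALB by IP address never reach the target group. The resource names, the `served_hosts` list, the target group and the certificate reference are assumptions.

```hcl
# Assumed inputs: the ALB, its target group and the hostnames that the
# application actually serves (one per certificate on this listener).
locals {
  served_hosts = [
    "site.group.example.com",
    "www.example.net",
  ]
}

# HTTPS listener. The default action no longer forwards to the application:
# anything that does not match a host rule below, which includes requests
# that address the ALB by IP address, gets a fixed 404 from the load
# balancer and never reaches the targets or their request logs.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate.primary.arn

  default_action {
    type = "fixed-response"
    fixed_response {
      content_type = "text/plain"
      message_body = "Not Found"
      status_code  = "404"
    }
  }
}

# One forward rule per served hostname, matched on the Host header.
# Rule priorities must be unique, so derive them from the list position.
resource "aws_lb_listener_rule" "host_forward" {
  for_each     = toset(local.served_hosts)
  listener_arn = aws_lb_listener.https.arn
  priority     = index(local.served_hosts, each.value) + 1

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }

  condition {
    host_header {
      values = [each.value]
    }
  }
}
```

A web ACL associated with the ALB inspects requests before the listener rules run, so this removes the application log noise but not the WAF entries.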
