0

I'm running an ALB on AWS with multiple SSL certificates. The domain name is dynamically handled via the application on EC2. Currently, the ALB will route requests to the IP address of the ALB to the application. Even though the application has an appropriate exception for these queries, this causes unnecessary log entries in all of the request logs and WAF.

My first two thoughts were…

  1. Add a listener rule that blocks IP addresses. Unfortunately, the only way I see to do that is to have a Host header filter on *.*.*.*. That won't work as we could be serving a site for site.group.example.com.
  2. Only forward request to the target group if the Host header matches one of the SSL Certificates attached to the Listener. The problem here is that I can't find any way to execute this kind of rule.
Bryan Phillips
  • 21
  • 2
  • 1
    What you are describing is NOT how an ALB usually works. You have configured the default rule to forward to the application rather then discard with an http 404. Or, you’ve created a rule that is including these requests. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html#listener-rules – Appleoddity Apr 06 '22 at 04:25
  • Are you saying you address the ALB by IP address? The IP address of an ALB changes at random times, such as during maintenance or when it scales in / out. Sending everything from the ALB to the application isn't something I've heard of anyone doing, this should be using domain name / SLI. – Tim Apr 06 '22 at 09:14
  • Thanks. This all makes sense and what I had assumed. I can, and currently do, block those request on the application level. It seems like our only alternative to block it before it gets to the application is to build domain specific rules on the listener for each domain that the application will respond to and then leave a default rule to block everything else. As I have multiple ALBs serving the max number of SSL certs each I was checking for a more automated option. I appreciate the time you took to comment. – Bryan Phillips Apr 06 '22 at 13:03

1 Answers1

0

Updating this as answered based on the comments. Essentially, it's an "unask the question" situation since the solution is to list all domain names as filters and have a final default rule that discards the request.

Bryan Phillips
  • 21
  • 2