
We're using Palo Alto's VM firewalls with an ELB sandwich topology and are unable to get the correct X-Forwarded-Proto to make it all the way back to the web server. HTTPS termination is happening on the external load balancer, then running as HTTP through the rest of the stack. Using a single load balancer we have no issue retrieving the correct X-Forwarded-Proto header whether it's HTTP or HTTPS. However, in the sandwich topology we get HTTP as the X-Forwarded-Proto no matter what.

Our primary issue for needing the header is to redirect all requests to HTTPS, which might be able to be done on the PAN Firewall, but that has also proven elusive.

Jason B

2 Answers

This is the expected behavior, and most likely by design -- if the ALB passed through X-Forwarded-Proto it could be forged, and they didn't build in any ability to allow exceptions... so it's always overwritten.

You could instead use a Network Load Balancer internally. Since these run at Layer 4, they don't manipulate headers.

Or, if the external-facing balancer is an ALB, you can create a rule, there, to redirect all HTTP requests to HTTPS, within the balancer.

With redirect actions, the load balancer can redirect incoming requests from one URL to another URL. This includes the capability to redirect HTTP requests to HTTPS requests, which allows you to meet your compliance goal of secure browsing, achieve better search ranking and high SSL/TLS score for your site.

https://aws.amazon.com/about-aws/whats-new/2018/07/elastic-load-balancing-announces-support-for-redirects-and-fixed-responses-for-application-load-balancer/

One minor "gotcha" about ALB redirects is that you have to explicitly specify the destination port as 443, otherwise the balancer will retain the original port and write a redirect to https://example.com:80/ which of course will not work.

Michael - sqlbot
Excellent points on all counts. Your feedback forced me to poke around more in the external ALB that the Palo Alto CloudFormation template had created. I've modified the :80 listener to handle the redirects and it looks good to go. I have no idea how I missed that option before. Thank you very much! – Jason B Feb 07 '19 at 00:52
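As an added illustration of the redirect rule and the port "gotcha" from the answer above (example code, not from the answer's author or from AWS), the following models how an ALB redirect action renders its Location header from the `#{protocol}`, `#{host}`, `#{port}`, `#{path}` and `#{query}` placeholders, builds the default action for the :80 listener with the port set explicitly to 443, and lint-checks a redirect config for the retained-port mistake. The listener ARN and hostnames are placeholders; whether the real ALB omits a default port from the Location is not modeled, so the port is always printed.

```python
# Added example, not code from the original answer. Models ALB redirect-action
# rendering to show why Port must be set explicitly for HTTP->HTTPS redirects.
import json
from urllib.parse import urlsplit

# Defaults an ALB applies to a redirect action when a field is omitted
# (each field keeps the corresponding component of the original request).
ALB_DEFAULTS = {
    "Protocol": "#{protocol}",
    "Host": "#{host}",
    "Port": "#{port}",
    "Path": "/#{path}",
    "Query": "#{query}",
    "StatusCode": "HTTP_301",
}


def render_redirect(request_url, redirect_config):
    """Return the Location an ALB would emit for request_url under redirect_config."""
    cfg = {**ALB_DEFAULTS, **redirect_config}
    parts = urlsplit(request_url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    values = {
        "#{protocol}": parts.scheme.upper(),   # ALB spells these HTTP / HTTPS
        "#{host}": parts.hostname,
        "#{port}": str(port),
        "#{path}": parts.path.lstrip("/"),     # #{path} carries no leading slash
        "#{query}": parts.query,
    }

    def sub(template):
        for placeholder, value in values.items():
            template = template.replace(placeholder, value)
        return template

    location = f"{sub(cfg['Protocol']).lower()}://{sub(cfg['Host'])}:{sub(cfg['Port'])}{sub(cfg['Path'])}"
    query = sub(cfg["Query"])
    return location + ("?" + query if query else "")


def https_redirect_action(port=443, status="HTTP_301"):
    """Default action for the :80 listener: redirect to HTTPS with an explicit port."""
    return {
        "Type": "redirect",
        "RedirectConfig": {
            "Protocol": "HTTPS",
            "Port": str(port),          # the gotcha: leaving "#{port}" keeps :80
            "Host": "#{host}",
            "Path": "/#{path}",
            "Query": "#{query}",
            "StatusCode": status,
        },
    }


def check_https_redirect(action):
    """Return a list of problems with an action meant to redirect HTTP to HTTPS."""
    problems = []
    cfg = action.get("RedirectConfig", {})
    if action.get("Type") != "redirect":
        problems.append("action type is not 'redirect'")
    if cfg.get("Protocol") != "HTTPS":
        problems.append("Protocol is not HTTPS")
    if cfg.get("Port", "#{port}") == "#{port}":
        problems.append("Port left as #{port}: the client is sent to https://host:80/")
    if cfg.get("StatusCode", "HTTP_301") != "HTTP_301":
        problems.append("StatusCode is not HTTP_301 (permanent redirects are what browsers cache)")
    return problems


def modify_listener_command(listener_arn, action):
    """Build the aws CLI argv that installs `action` as a listener's default action."""
    return ["aws", "elbv2", "modify-listener",
            "--listener-arn", listener_arn,
            "--default-actions", json.dumps([action])]


if __name__ == "__main__":
    broken = {"Type": "redirect", "RedirectConfig": {"Protocol": "HTTPS"}}
    print("port retained :", render_redirect("http://example.com/", broken["RedirectConfig"]))
    print("port explicit :", render_redirect("http://example.com/login?next=x",
                                             https_redirect_action()["RedirectConfig"]))
    print("lint          :", check_https_redirect(broken))
    # placeholder ARN; substitute the :80 listener of the external ALB
    print(" ".join(modify_listener_command("arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/NAME/ID/LISTENER",
                                           https_redirect_action())))
```

Running it shows the two outcomes side by side: with only Protocol changed the balancer writes `https://example.com:80/`, while the action from `https_redirect_action()` yields `https://example.com:443/login?next=x`.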

This might not be the answer you're looking for, but this architecture will work if you use a TCP-based Network Load Balancer at the transport layer instead of an HTTP/S listener at the application layer.

Transport load balancers won't consider the protocols at all when proxying the request to the target, and the entire HTTPS will be kept intact. Whereas the Application Load Balancer will interpret its policies and overwrite X-Forwarded-Proto by design.

Phillip Fleischer
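If the inner hop is an NLB, X-Forwarded-Proto does reach the web server, and the redirect the question asks for can be done there. The first answer's point about forgery still applies at that layer: a client can send `X-Forwarded-Proto: https` over plain HTTP, so the header should only be honored when the request arrives from the balancer network. The following WSGI middleware, an added example and not code from either answer, does the redirect and that peer check; the trusted CIDR `10.0.0.0/8` and the hostnames are constructed for the example.

```python
# Added example, not code from the original answers. Web-server-side HTTP->HTTPS
# redirect driven by X-Forwarded-Proto, honoring the header only from trusted proxies.
import ipaddress

# Constructed: the subnets the inner balancer (NLB) sources connections from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


class HttpsRedirectMiddleware:
    def __init__(self, app, trusted_proxies=TRUSTED_PROXIES):
        self.app = app
        self.trusted = trusted_proxies

    def _from_trusted_proxy(self, environ):
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False
        return any(peer in net for net in self.trusted)

    def effective_scheme(self, environ):
        """Scheme the original client used, or the local scheme if the header can't be trusted."""
        if self._from_trusted_proxy(environ):
            # take the first hop's value if several proxies appended to the header
            xfp = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
            if xfp in ("http", "https"):
                return xfp
        # Untrusted peer or no header: a forged "https" is ignored and we fall back
        # to the scheme of the connection that actually reached this server.
        return environ.get("wsgi.url_scheme", "http")

    def __call__(self, environ, start_response):
        if self.effective_scheme(environ) == "https":
            return self.app(environ, start_response)
        host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
        if host.endswith(":80"):           # don't carry the plain-HTTP port into the Location
            host = host[:-3]
        location = f"https://{host}{environ.get('PATH_INFO', '/')}"
        if environ.get("QUERY_STRING"):
            location += "?" + environ["QUERY_STRING"]
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]


def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"secure content\n"]


def make_environ(remote_addr, xfp=None, path="/", query="", host="example.com"):
    """Constructed WSGI environ for a plain-HTTP connection to this server."""
    env = {"REMOTE_ADDR": remote_addr, "wsgi.url_scheme": "http", "HTTP_HOST": host,
           "SERVER_NAME": host, "PATH_INFO": path, "QUERY_STRING": query}
    if xfp is not None:
        env["HTTP_X_FORWARDED_PROTO"] = xfp
    return env


def handle(environ):
    """Run one request through the middleware; return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(HttpsRedirectMiddleware(demo_app)(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(handle(make_environ("10.1.2.3", "https")))                       # served
    print(handle(make_environ("10.1.2.3", "http", "/login", "next=1")))    # redirected
    print(handle(make_environ("203.0.113.5", "https")))                    # forged header, redirected
```

The same trusted-peer idea is why the ALB behavior in the accepted answer is reasonable: a balancer that rewrites the header unconditionally removes the need for every backend to get this check right.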