To deny all requests except for `*.example.com`, using WAF:

Create a String Match condition against a Header -- the Host header -- with a match type Ends with and a value of `.example.com` -- no `*` at the beginning. Configure WAF to block requests not matching the condition ("host header ends with the bytes `.example.com`").
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-string-conditions.html
To deny all requests except for `*.example.com` in an Application Load Balancer without using WAF is even easier... you just have to ask the balancer to block everything, with an exception before that to handle `*.example.com`.

First, create a new listener rule matching Host header `*.example.com` (this one does need a `*` at the beginning, unlike WAF), and for the action, choose your normal, existing target group. This tells the balancer to use that target group for `*.example.com` -- which it is already doing, but this step is not redundant... it's required because of the next step:

Change the default listener rule action for the listener to Return fixed response. Set the status code to 403, the content type to `text/plain`, and the message body to something generic like `ohai, blocked u.` (or maybe try `Access Denied`, or use another code if you prefer, like 503 with a "Service Unavailable" message... it doesn't matter technically).
> You can use fixed-response actions to drop client requests and return a custom HTTP response. You can use this action to return a 2XX, 4XX, or 5XX response code and an optional message.

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html#fixed-response-actions
Any requests not matching your domain will fall through to the default listener rule, and be greeted with your static error response.
Neither of these configurations will send any traffic to your servers for requests for the invalid domains.
In either configuration, the ALB logs will still include the blocked requests. WAF doesn't prevent traffic from reaching the ALB, it just prevents the ALB from processing it after a block rule is encountered.
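The ALB-only variant described above, written out as Terraform (an added example, not code from the answer or from AWS); `aws_lb.app`, `aws_lb_target_group.app` and the certificate ARN are assumed to be your existing resources.

```hcl
# Added example: listener whose default action is a static 403, plus a
# higher-priority rule that forwards only the expected Host values.
# aws_lb.app, aws_lb_target_group.app and the certificate ARN are
# placeholders for resources you already have.

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"

  # Default action: any request matching no listener rule gets this
  # fixed response and is never sent to a target group.
  default_action {
    type = "fixed-response"

    fixed_response {
      content_type = "text/plain"
      message_body = "Access Denied"
      status_code  = "403"
    }
  }
}

# The exception, evaluated before the default action: forward requests
# for the expected hostnames to the real target group.
resource "aws_lb_listener_rule" "allow_example_hosts" {
  listener_arn = aws_lb_listener.https.arn
  priority     = 10

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }

  condition {
    host_header {
      # "*" matches zero or more characters, but the literal "." still
      # has to be present, so "*.example.com" does not match the bare
      # apex "example.com"; list it explicitly if it must be served too.
      values = ["*.example.com", "example.com"]
    }
  }
}
```

Blocked requests still appear in the ALB access logs with the fixed-response status code, so you can count them there to confirm the rule is doing what you expect.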