Reputation: 5622
AWS ELB redirect to https exposes internal hostname
We are running a web server behind an AWS ELB. We do a couple of things at the ELB:
- SSL termination. Requests going from ELB to web server are
http. - Interception of
httprequests and redirection tohttps
When running pen tests, I observe that the Location header being returned from the ELB gives the internal AWS hostname of our web server, and not the public-facing domain name, if I send an empty Host: header.
Example:
$ curl http://my.site.net/ -v -I --http1.0 --Header 'Host:'
* Trying 100.101.102.103...
* TCP_NODELAY set
* Connected to my.site.net (100.101.102.103) port 80 (#0)
> HEAD / HTTP/1.0
> User-Agent: curl/7.63.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: awselb/2.0
< Date: Fri, 10 May 2019 23:46:54 GMT
< Content-Type: text/html
< Content-Length: 150
< Connection: close
< Location: https://internal-mysite-1234567890.us-west-2.elb.amazonaws.com:443/
The internal DNS name of the ELB should never be exposed publicly. How can I configure this correctly so it's not exposed?
Upvotes: 3
Views: 13885
Answers (1)
Reputation: 5622
@JamesDean is correct. After further investigation, I found out that the ELB is of the Application Load Balancer type. The redirect feature was enabled and configured to redirect to a custom hostname.
Updating the hostname to the public URL fixed the problem.
Upvotes: 1
Related Questions
- How to redirect HTTPS to HTTP on ELB Application Load Balancer
- Elastic Beanstalk Http Redirect to Https
- AWS Certificates Not Secure In Browser
- Application ELB forward HTTP to HTTPS
- Redirecting AWS ELB HTTP Requests to HTTPS
- Redirecting from Http to Https with AWS's ELB in Chrome and FireFox
- AWS Elastic Beanstalk: Redirect host name via HTTPS
- Force redirect HTTPS with www
- Redirect http to https AWS ELB without hosting ssl certificate on webserver
- SSL on ELB confusion when redirecting to HTTPS