I want to drop headers that aren’t valid from my Application Load Balancer.
Short description
The Application Load Balancer uses the routing.http.drop_invalid_header_fields.enabled attribute to drop HTTP headers that aren't valid. The attribute has FALSE as its default value.
If the attribute's value is set to TRUE, then the Application Load Balancer drops the HTTP headers that aren't valid. If the attribute's value is FALSE, then the load balancer routes the headers to the targets with the original request.
Note: Elastic Load Balancing requires that all registered message header names conform to the regular expression [-A-Za-z0-9]+. Each header name consists of alphanumeric characters or hyphens.
Verify that the routing.http.drop_invalid_header_fields.enabled attribute works
Take a packet capture on the server side. When the attribute is deactivated, the Application Load Balancer forwards the HTTP headers that aren't valid to the backend servers. When the attribute is activated, the load balancer forwards only the valid headers to the backend servers. The headers that aren't valid are dropped.
Use Wireshark to see HTTP headers on the server side (deactivated attribute)
Pass the header +agent: world in a curl request from a client machine. Note that this header uses a name that's not valid, because it contains a + character:
Hypertext Transfer Protocol
GET / HTTP/1.1\r\n
X-Forwarded-For: x.x.x.x\r\n
X-Forwarded-Proto: http\r\n
X-Forwarded-Port: 80\r\n
Host: xxxxxxxx.elb.amazonaws.com\r\n
X-Amzn-Trace-Id: Root=xxxxxxxxxx\r\n
User-Agent: curl/8.4.0\r\n
Accept: */*\r\n
+agent: world\r\n
This output is from the server-side Wireshark capture. The Application Load Balancer forwards the header that's not valid to the backend server.
Use Wireshark to see HTTP headers on the server side (activated attribute)
Pass the header +agent: world in a curl request from a client machine. Note that this header uses a name that's not valid, because it contains a + character:
Hypertext Transfer Protocol
GET / HTTP/1.1\r\n
X-Forwarded-For: x.x.x.x\r\n
X-Forwarded-Proto: http\r\n
X-Forwarded-Port: 80\r\n
Host: xxxxxxxx.elb.amazonaws.com\r\n
X-Amzn-Trace-Id: Root=xxxxxxxxxx\r\n
User-Agent: curl/8.4.0\r\n
Accept: */*\r\n
When the attribute is activated, the Application Load Balancer sends the request to the backend servers. However, as this server-side output shows, the load balancer drops the headers that aren't valid.
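Before activating the attribute, it helps to know which headers your clients already send that would be dropped. The following is an added example, not AWS code: it applies the header-name regular expression from the note above to a constructed request modeled on the server-side capture. It assumes the header name is the only criterion; the function names, the sample IP address and host name, and the X_Custom header are assumptions made for illustration.

```python
import re

# Header-name rule quoted in the article's note: alphanumerics or hyphens only.
VALID_NAME = re.compile(r"[-A-Za-z0-9]+")

# Constructed sample modeled on the article's server-side capture
# (attribute deactivated). X_Custom is an added, hypothetical header.
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"X-Forwarded-For: 192.0.2.10\r\n"
    b"X-Forwarded-Proto: http\r\n"
    b"X-Forwarded-Port: 80\r\n"
    b"Host: example.elb.amazonaws.com\r\n"
    b"User-Agent: curl/8.4.0\r\n"
    b"Accept: */*\r\n"
    b"+agent: world\r\n"
    b"X_Custom: 1\r\n"
    b"\r\n"
)


def split_headers(raw: bytes):
    """Return (name, value) pairs from the header block of a raw HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        # partition() leaves a colon-less line whole in `name`, so it is
        # still reported (and fails the name check below).
        name, _, value = line.partition(":")
        pairs.append((name, value.strip()))
    return pairs


def classify(raw: bytes):
    """Split headers into (forwarded, dropped) lists by the header-name rule."""
    forwarded, dropped = [], []
    for name, value in split_headers(raw):
        target = forwarded if VALID_NAME.fullmatch(name) else dropped
        target.append((name, value))
    return forwarded, dropped


if __name__ == "__main__":
    kept, dropped = classify(SAMPLE_REQUEST)
    print("expected to be forwarded:", [n for n, _ in kept])
    print("expected to be dropped:  ", [n for n, _ in dropped])
```

Header names that contain underscores fail the same pattern, so check backend code that depends on such headers before you set the attribute to TRUE.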
Related information
Load balancer attributes