How do I configure the Application Load Balancer to drop headers that aren’t valid?


I want to drop headers that aren’t valid from my Application Load Balancer.

Short description

The Application Load Balancer uses the routing.http.drop_invalid_header_fields.enabled attribute to drop HTTP headers that aren't valid. The attribute has FALSE as its default value.

If the attribute's value is set to TRUE, then the Application Load Balancer drops the HTTP headers that aren't valid. If the attribute's value is FALSE, then the load balancer routes the headers that aren't valid to the targets with the original request.
Note: Elastic Load Balancing requires that all registered message header names conform to the regular expression [-A-Za-z0-9]+. Each header name consists of alphanumeric characters or hyphens.

Verify that the attribute routing.http.drop_invalid_header_fields.enabled works

Take a packet capture on the server side. When the attribute is deactivated, the Application Load Balancer forwards the HTTP headers that aren't valid to the backend servers. When the attribute is activated, the load balancer forwards only the valid headers to the backend servers. The headers that aren't valid are dropped.

Use Wireshark to see HTTP headers on the server side (deactivated attribute)

Pass the header +agent: world in a curl request from a client machine. Note that this header's name isn't valid, because the + character falls outside [-A-Za-z0-9]:

Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
    X-Forwarded-For: x.x.x.x\r\n
    X-Forwarded-Proto: http\r\n
    X-Forwarded-Port: 80\r\n
    Host: xxxxxxxx.elb.amazonaws.com\r\n
    X-Amzn-Trace-Id: Root=xxxxxxxxxx\r\n
    User-Agent: curl/8.4.0\r\n
    Accept: */*\r\n
    +agent: world\r\n

This output is from the server-side Wireshark capture. The Application Load Balancer forwards the header that's not valid to the backend server.

Use Wireshark to see HTTP headers on the server side (activated attribute)

Pass the header +agent: world in a curl request from a client machine. Note that this header's name isn't valid, because the + character falls outside [-A-Za-z0-9]:

Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
    X-Forwarded-For: x.x.x.x\r\n
    X-Forwarded-Proto: http\r\n
    X-Forwarded-Port: 80\r\n
    Host: xxxxxxxx.elb.amazonaws.com\r\n
    X-Amzn-Trace-Id: Root=xxxxxxxxxx\r\n
    User-Agent: curl/8.4.0\r\n
    Accept: */*\r\n

When the attribute is activated, the Application Load Balancer sends the request to the backend servers. However, as this server-side output shows, the load balancer drops the headers that aren't valid.
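The comparison made by eye in the two captures above can be scripted. This added Python example (not AWS code) parses a raw request head and applies the [-A-Za-z0-9]+ rule from the note to show what a target would receive with the attribute off and on. The X_Request_Id header and all function names are constructed for illustration, and the model reflects only the behavior this page describes.

```python
import re

# Header-name rule quoted in the note on this page.
VALID_NAME = re.compile(r"[-A-Za-z0-9]+")

# Constructed sample: the server-side capture from this page plus one
# constructed underscore header (X_Request_Id) that is not on the page.
CAPTURED_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"X-Forwarded-For: x.x.x.x\r\n"
    b"X-Forwarded-Proto: http\r\n"
    b"X-Forwarded-Port: 80\r\n"
    b"Host: xxxxxxxx.elb.amazonaws.com\r\n"
    b"X-Amzn-Trace-Id: Root=xxxxxxxxxx\r\n"
    b"User-Agent: curl/8.4.0\r\n"
    b"Accept: */*\r\n"
    b"+agent: world\r\n"
    b"X_Request_Id: abc123\r\n"
    b"\r\n"
)

def split_headers(raw: bytes):
    """Return (request_line, [(name, value), ...]) from a raw HTTP/1.1 head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        if not line:
            continue
        name, sep, value = line.partition(":")
        # A line without a colon keeps its full text as the "name" so that
        # it is reported as invalid instead of being silently skipped.
        headers.append((name, value.strip() if sep else ""))
    return request_line, headers

def classify(headers):
    """Split headers into (valid, invalid) by full match on the name."""
    valid, invalid = [], []
    for name, value in headers:
        (valid if VALID_NAME.fullmatch(name) else invalid).append((name, value))
    return valid, invalid

def forwarded_view(raw: bytes, drop_invalid: bool):
    """Model (headers seen by target, headers dropped) for the attribute state."""
    _, headers = split_headers(raw)
    valid, invalid = classify(headers)
    return (valid, invalid) if drop_invalid else (headers, [])

if __name__ == "__main__":
    for state in (False, True):
        seen, dropped = forwarded_view(CAPTURED_REQUEST, drop_invalid=state)
        print(f"enabled={state}: forwards {len(seen)}, drops {[n for n, _ in dropped]}")
```

Running the classifier over captures taken while the attribute is still FALSE shows which headers your clients send that targets would stop receiving once it is set to TRUE.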

Related information

Load balancer attributes

AWS OFFICIAL, updated 5 months ago