Forward Original Host from the Original Request

Author: Bowen Y

Today I ran into this issue while trying to build a request workflow like this:

User Request -> Route 53 DNS (CloudFront distribution of the API Gateway custom domain) -> API Gateway -> HTTP integration -> public Application Load Balancer -> ECS instance

curl -H "Host: notification.dev.scrawlrapi.com" https://notification.dev.scrawlrapi.com/status

When I sent a request like this, the ECS instance did receive it, but with a modified Host header:

{ "time": "2024-03-25T23:05:22+00:00", "remote_addr": "10.0.0.187", "remote_user": "", "ssl_protocol_cipher": "/", "body_bytes_sent": "55", "request_time": "0.000", "status": "404", "request": "GET / HTTP/1.1", "request_method": "GET", "http_referrer": "", "http_x_forwarded_for": "44.234.29.173", "http_cf_ray": "", "host": "dualstack.bowen-test-public-alb-1535001582.us-west-2.elb.amazonaws.com", "server_name": "", "upstream_address": "", "upstream_status": "", "upstream_response_time": "", "upstream_response_length": "", "upstream_cache_status": "", "http_user_agent": "curl/8.1.2" }

So the Host header the application sees is the HTTP address I set in the API Gateway integration (the ALB's own DNS name), not the hostname the client requested.

Can I create a public NLB in front of the private ALB?

Yes, you can, but AWS currently only supports forwarding encrypted traffic from an NLB to an ALB: a target group whose target is an Application Load Balancer only accepts the TCP protocol, not TLS. This means you cannot terminate the incoming HTTPS connection on the NLB and send the decrypted traffic on to the ALB.

You can, however, simply listen on port 443 with the TCP protocol, pass the still-encrypted traffic through to the ALB, and terminate TLS on the ALB's HTTPS listener.

ERRORS

  1. Invalid mapping expression specified: Validation Result: warnings : [], errors : [Operations on header x-forwarded-for are restricted]
     (raised when a parameter mapping tries to modify the x-forwarded-for header, which API Gateway reserves)

  2. Headers as received behind the HTTP API Gateway:

{
  "cookie": [
    "_ga=GA1.1.643138662.1711125483; _ga_QT3LLYY7TG=GS1.1.1724445288.9.0.1724445288.0.0.0"
  ],
  "via": [
    "HTTP/1.1 AmazonAPIGateway"
  ],
  "forwarded": [
    "for=207.81.250.185;host=geosociatal.uat.scrawlr.com;proto=https"
  ],
  "priority": [
    "u=0, i"
  ],
  "accept-language": [
    "zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7"
  ],
  "accept-encoding": [
    "gzip, deflate, br, zstd"
  ],
  "sec-fetch-dest": [
    "document"
  ],
  "sec-fetch-user": [
    "?1"
  ],
  "sec-fetch-mode": [
    "navigate"
  ],
  "sec-fetch-site": [
    "none"
  ],
  "accept": [
    "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"
  ],
  "upgrade-insecure-requests": [
    "1"
  ],
  "sec-ch-ua-platform": [
    "\"macOS\""
  ],
  "sec-ch-ua-mobile": [
    "?0"
  ],
  "sec-ch-ua": [
    "\"Not/A)Brand\";v=\"8\", \"Chromium\";v=\"126\", \"Google Chrome\";v=\"126\""
  ],
  "cache-control": [
    "max-age=0"
  ],
  "user-agent": [
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"
  ],
  "content-length": [
    "0"
  ],
  "x-amzn-trace-id": [
    "Self=1-66d8d99b-3a444ca8714c1d0130b2cdec;Root=1-66d8d99b-79b4667132cf44bc552d3de3"
  ],
  "host": [
    "geosociatal.uat.scrawlr.com"
  ],
  "x-forwarded-port": [
    "443"
  ],
  "x-forwarded-proto": [
    "https"
  ],
  "x-forwarded-for": [
    "10.0.1.70"
  ]
}

Is there any way to align the headers of the HTTP API Gateway and the Application Load Balancer so that both consistently use either Forwarded or X-Forwarded-For?
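As an added example (not code from the original post or from AWS), the Python module below ties together the two observations on this page: it flags an nginx JSON log record whose Host is the load balancer's own DNS name, as in the ECS log above, and it parses the RFC 7239 Forwarded header alongside X-Forwarded-For / X-Forwarded-Host to recover the original host and the client address from a header set like the one dumped above. The trusted-proxy set, the `.elb.amazonaws.com` suffix check, and the sample header and log values (copied from the page's samples, plus RFC documentation addresses) are assumptions for illustration. The client-address logic walks the chain from the right and skips only proxies you operate, because the leftmost X-Forwarded-For entry is whatever the client chose to send.

```python
"""Reconcile Forwarded / X-Forwarded-* headers and detect a rewritten Host.

Added example, not code from the original post or from AWS. The header
dump and the nginx JSON log line are constructed from the samples on the
page; the trusted-proxy set is an assumption.
"""
import json
import re
from typing import Optional

# Assumption: a Host ending in this suffix means the integration URI host
# (the ALB's DNS name) replaced the client's Host.
ELB_SUFFIX = ".elb.amazonaws.com"


def _split_outside_quotes(text: str, sep: str) -> list[str]:
    """Split on `sep`, but not inside RFC 7239 quoted-strings (handles \\" escapes)."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif in_quote and ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == sep and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_forwarded(value: str) -> list[dict[str, str]]:
    """Parse a Forwarded header (RFC 7239) into one dict per hop, leftmost first.
    Parameter names are case-insensitive; quoted values are unescaped."""
    hops = []
    for element in _split_outside_quotes(value, ","):
        hop = {}
        for pair in _split_outside_quotes(element, ";"):
            if "=" not in pair:
                continue
            name, val = pair.split("=", 1)
            val = val.strip()
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = re.sub(r"\\(.)", r"\1", val[1:-1])
            hop[name.strip().lower()] = val
        if hop:
            hops.append(hop)
    return hops


def _first(headers: dict[str, list[str]], name: str) -> Optional[str]:
    vals = headers.get(name.lower())
    return vals[0] if vals else None


def original_host(headers: dict[str, list[str]]) -> Optional[str]:
    """Host the client actually asked for: Forwarded host= from the earliest hop,
    then X-Forwarded-Host, then Host (which an HTTP integration may have rewritten)."""
    fwd = _first(headers, "forwarded")
    if fwd:
        for hop in parse_forwarded(fwd):
            if hop.get("host"):
                return hop["host"]
    return _first(headers, "x-forwarded-host") or _first(headers, "host")


def client_ip(headers: dict[str, list[str]], trusted_proxies: frozenset[str]) -> Optional[str]:
    """Client address: rightmost entry in the proxy chain that is not one of our
    trusted proxies. Assumes the Forwarded hops precede the X-Forwarded-For hops,
    as when API Gateway (Forwarded) sits in front of the ALB (X-Forwarded-For)."""
    chain: list[str] = []
    fwd = _first(headers, "forwarded")
    if fwd:
        chain += [h["for"] for h in parse_forwarded(fwd) if h.get("for")]
    for xff in headers.get("x-forwarded-for", []):
        chain += [p.strip() for p in xff.split(",") if p.strip()]
    for addr in reversed(chain):  # nearest hop first; never trust the leftmost blindly
        if addr not in trusted_proxies:
            return addr
    return None


def host_was_rewritten(nginx_json_line: str) -> bool:
    """True when the Host the app logged is the load balancer's own DNS name."""
    rec = json.loads(nginx_json_line)
    return rec.get("host", "").lower().endswith(ELB_SUFFIX)


# Constructed sample inputs, taken from the page's header dump and ECS log line.
SAMPLE_HEADERS = {
    "host": ["geosociatal.uat.scrawlr.com"],
    "forwarded": ["for=207.81.250.185;host=geosociatal.uat.scrawlr.com;proto=https"],
    "x-forwarded-for": ["10.0.1.70"],
    "x-forwarded-proto": ["https"],
}
SAMPLE_LOG = ('{"status": "404", "request": "GET / HTTP/1.1", "http_x_forwarded_for": '
              '"44.234.29.173", "host": "dualstack.bowen-test-public-alb-1535001582.us-west-2.elb.amazonaws.com"}')

if __name__ == "__main__":
    print("original host:", original_host(SAMPLE_HEADERS))
    print("client ip:", client_ip(SAMPLE_HEADERS, frozenset({"10.0.1.70"})))
    print("host rewritten in ECS log:", host_was_rewritten(SAMPLE_LOG))
```

With the page's sample headers this yields the client's original host (geosociatal.uat.scrawlr.com) and address (207.81.250.185) even though X-Forwarded-For only carries the internal 10.0.1.70 hop, and it flags the ECS log record because its Host is the ALB's DNS name. The trusted-proxy set should contain only addresses of hops you operate; everything to the left of them in the chain is client-controlled input.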