1
votes

We are running a web server behind an AWS ELB. We do a couple of things at the ELB:

  • SSL termination. Requests going from ELB to web server are http.
  • Interception of http requests and redirection to https

When running pen tests, I observe that the Location header being returned from the ELB gives the internal AWS hostname of our web server, and not the public-facing domain name, if I send an empty Host: header.

Example:

$ curl http://my.site.net/ -v -I --http1.0 --Header 'Host:'
*   Trying 100.101.102.103...
* TCP_NODELAY set
* Connected to my.site.net (100.101.102.103) port 80 (#0)
> HEAD / HTTP/1.0
> User-Agent: curl/7.63.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: awselb/2.0
< Date: Fri, 10 May 2019 23:46:54 GMT
< Content-Type: text/html
< Content-Length: 150
< Connection: close
< Location: https://internal-mysite-1234567890.us-west-2.elb.amazonaws.com:443/

The internal DNS name of the ELB should never be exposed publicly. How can I configure this correctly so it's not exposed?

Host doesn't matter for HTTP/1.0 because it doesn't know the Host header, and curl won't send Host for HTTP/1.0, but I'm not sure what your rules configuration is. my.site.net --> is this a public ELB or a private one? Are you passing a custom host in your rule action? BTW, internal DNS resolves to a private IP and it doesn't expose anything. - James Dean
I would look at the http->https redirect logic. It appears that the elb itself is doing the redirect. Do you know why that is? I would expect that redirect to originate from the web server. - Rodrigo M
An ALB redirects only if a rule is configured with a redirect action. - James Dean

1 Answer

0
votes

@JamesDean is correct. After further investigation, I found out that the ELB is of the Application Load Balancer type. The redirect feature was enabled and configured to redirect to a custom hostname.

Updating the hostname to the public URL fixed the problem.
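The following is an added example, not code from the question, the answer, or AWS: a small Python check that reproduces the probe from the question (a request with no Host header) and classifies the Location header of the redirect as pointing at the public site or at an internal load balancer name. It lets you verify that the fix described in the answer actually took effect from the outside, and can be run against every listener after a rule change. The two sample responses are constructed here and modelled on the curl output above; the internal-name patterns and the `probe` function are assumptions for illustration, not part of the original post.

```python
"""Check an HTTP->HTTPS redirect for a leaked internal load-balancer hostname."""
import http.client
import re
from urllib.parse import urlsplit

# Constructed sample responses modelled on the curl session in the question.
SAMPLE_LEAKY_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: awselb/2.0\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 150\r\n"
    "Connection: close\r\n"
    "Location: https://internal-mysite-1234567890.us-west-2.elb.amazonaws.com:443/\r\n"
    "\r\n"
)
SAMPLE_FIXED_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: awselb/2.0\r\n"
    "Content-Length: 150\r\n"
    "Connection: close\r\n"
    "Location: https://my.site.net/\r\n"
    "\r\n"
)

# Hostname shapes that should never appear in a public redirect (assumed list;
# extend it with whatever naming convention your own environment uses).
INTERNAL_HOST_PATTERNS = [
    re.compile(r"\.elb\.amazonaws\.com$", re.IGNORECASE),  # any ELB/ALB DNS name
    re.compile(r"^internal-", re.IGNORECASE),              # internal-scheme ALB prefix
    re.compile(r"\.internal$", re.IGNORECASE),             # private DNS zones
]
REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(raw: str):
    """Split a raw HTTP response head into (status_code, {lower-case name: value})."""
    head = raw.partition("\r\n\r\n")[0]
    status_line, *header_lines = head.split("\r\n")
    status_code = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers


def classify_location(location: str, public_hosts: set) -> str:
    """Return 'ok', 'leak' or 'unexpected' for the host in a Location URL."""
    host = urlsplit(location).hostname
    if host is None:
        return "unexpected"  # relative or malformed redirect target
    if host.lower() in {h.lower() for h in public_hosts}:
        return "ok"
    if any(p.search(host) for p in INTERNAL_HOST_PATTERNS):
        return "leak"
    return "unexpected"


def check_redirect(raw: str, public_hosts: set):
    """Classify a raw redirect response; returns (verdict, location_or_None)."""
    status_code, headers = parse_response(raw)
    if status_code not in REDIRECT_CODES:
        return "no-redirect", None
    location = headers.get("location")
    if location is None:
        return "missing", None
    return classify_location(location, public_hosts), location


def probe(host: str, port: int = 80, send_host_header: bool = False) -> str:
    """Live probe (network access required): fetch '/' with or without a Host header
    and return the response head in the same raw form the checker parses.
    skip_host=True makes http.client omit the Host header, like curl's -H 'Host:'."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.putrequest("HEAD", "/", skip_host=not send_host_header)
    if send_host_header:
        conn.putheader("Host", host)
    conn.endheaders()
    resp = conn.getresponse()
    raw = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
    raw += "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders()) + "\r\n"
    conn.close()
    return raw


if __name__ == "__main__":
    for label, sample in (("before fix", SAMPLE_LEAKY_RESPONSE), ("after fix", SAMPLE_FIXED_RESPONSE)):
        print(label, check_redirect(sample, {"my.site.net"}))
    # Against a real listener: print(check_redirect(probe("my.site.net"), {"my.site.net"}))
```

Run it as-is to see the verdict for the two constructed samples; swap in `probe("my.site.net")` to test a live listener, once with the Host header omitted and once with it set, since an ALB redirect rule that uses the `#{host}` placeholder will echo whatever the client sent and only misbehaves on the empty case.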