We are running a web server behind an AWS ELB. We do a couple of things at the ELB:
http.http requests and redirection to httpsWhen running pen tests, I observe that the Location header being returned from the ELB gives the internal AWS hostname of our web server, and not the public-facing domain name, if I send an empty Host: header.
Example:
$ curl http://my.site.net/ -v -I --http1.0 --Header 'Host:'
* Trying 100.101.102.103...
* TCP_NODELAY set
* Connected to my.site.net (100.101.102.103) port 80 (#0)
> HEAD / HTTP/1.0
> User-Agent: curl/7.63.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: awselb/2.0
< Date: Fri, 10 May 2019 23:46:54 GMT
< Content-Type: text/html
< Content-Length: 150
< Connection: close
< Location: https://internal-mysite-1234567890.us-west-2.elb.amazonaws.com:443/
The internal DNS name of the ELB should never be exposed publicly. How can I configure this correctly so it's not exposed?
@JamesDean is correct. After further investigation, I found out that the ELB is of the Application Load Balancer type. The redirect feature was enabled and configured to redirect to a custom hostname.
Updating the hostname to the public URL fixed the problem.