I have an AWS application load balancer set up to access a target group in an ECS Fargate. I have a custom domain example.com
with an AWS-managed certificate with an alias targeting the load balancer. Thus if I enter https://example.com/
, it hits the load balancer which forwards to my ECS Fargate container. It seems to work fine.
However if I go into the AWS console for the load balancer, I see a DNS name in the form foo-bar-1234567890.region.elb.amazonaws.com
. It turns out that I can bypass the example.com
and access the load balancer directly (ignoring the certificate warning) using https://foo-bar-1234567890.region.elb.amazonaws.com
.
How can I easily prevent someone from directly accessing the load balancer by its AWS DNS name, bypassing the domain name in the hosted zone I've set up with the SSL certificate?
Surely this is a common scenario. I wouldn't be surprised if many setups in the wild did not address this detail, and have their load balancers directly exposed via the AWS DNS name. However I don't feel this configuration is ideal nor desirable. Note that how likely or easily someone could discover the load balancer DNS name is a separate issue and is not what I'm asking.
This is commonly handled on the backend, by returning a redirect if the host name doesn't match whatever host name your server is configured to respond to.
However with Application Load Balancers you can also configure a rule to handle this. The rule would specify that if the Host-header is foo-bar-1234567890.region.elb.amazonaws.com
then 301 redirect to your preferred domain name.