Block HEAD requests to AWS Elastic Beanstalk and Elastic Load Balancer

Question

I have an AWS Elastic Beanstalk (Node.js) setup behind an Elastic Load Balancer and alerts set up for the load balancer. Each night I get tons of alerts for:

Environment health has transitioned from Ok to Severe. 100.0% of the requests are erroring with HTTP 4xx.

This is due to trawls of different PHP hackz and phpmyadmin, dbadmin, etc. using the HEAD method in 99% of the cases. Since we have an external AIM service, they trigger on these alerts as well, creating an issue for each (which we now change of course) but crying "wolf" you know...

Question is, is it possible to block HEAD or certain URIs we know we don't need somehow to get rid of the "false" HTTP 4xx?

Recommended answer

As Mark B pointed out in the comments above, using a Web Application Firewall (WAF & Shield) solves our issue.

We had a normal EC2 ELB (Elastic Load Balancer) and swapped that out for the new Application Load Balancer (ALB) that is a requirement for the WAF.

Setting up WAF is fairly easy: first create a Web ACL for blocking HTTP HEAD (you can add a ton of other protection as well, SQL Injection, etc.) and then add a Rule to Block any matching wACL but Allow any other traffic.

Lastly associate the new wACL with the load balancer and you're done!

Testing HTTP HEAD now gives a "403 Forbidden" and is not entering our Elastic Beanstalk.
