My AWS Elastic Beanstalk instances get requests from an unwanted hostname.
Resolution
In an Elastic Beanstalk environment with an Application Load Balancer, use AWS WAF as a custom resource to protect your instances against requests that carry an unwanted Host header. You can block one hostname or multiple hostnames.
Block one hostname
1. Create a waf.config configuration file in your .ebextensions directory.
2. Update your waf.config file based on this example.
option_settings:
  aws:elasticbeanstalk:environment:
    LoadBalancerType: application
  aws:elasticbeanstalk:customoption:
    BlockedHost1: 'exampletoblock.com'
Resources:
  BlockedHostnames:
    Type: "AWS::WAFv2::RegexPatternSet"
    Properties:
      Description: 'List of Hostnames to be block by WebACL'
      Name: BlockedHostsSet
      RegularExpressionList:
        - { "Fn::GetOptionSetting" : {"OptionName" : "BlockedHost1" }}
      Scope: REGIONAL
  WafAcl:
    Type: "AWS::WAFv2::WebACL"
    Properties:
      Description: "Web ACL to Block requests from unknown hosts on AWSEBV2LoadBalancer"
      Name: "BlockHostACL"
      Scope: REGIONAL
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: BlockHostACLMetric
      Rules:
        - Name: BlockedHostsRule
          Priority: 1
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: UnknownHostRule1
          Statement:
            RegexPatternSetReferenceStatement:
              Arn: '`{ "Fn::GetAtt" : ["BlockedHostnames", "Arn" ]}`'
              FieldToMatch:
                SingleHeader:
                  Name: Host
              TextTransformations:
                - Priority: 0
                  Type: NONE
  WebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: '`{ "Ref" : "AWSEBV2LoadBalancer" }`'
      WebACLArn: '`{ "Fn::GetAtt" : ["WafAcl", "Arn" ]}`'
Note: Replace the value of BlockedHost1 (exampletoblock.com) with the hostname that you want to block from your Elastic Beanstalk environment.
3. Create or update your Elastic Beanstalk environment with your waf.config file from the preceding step.
Important: If you apply your waf.config file to an existing Elastic Beanstalk environment that doesn't have an Application Load Balancer, then you get an error. You receive the error because you can define the load balancer type only during environment creation. Change your load balancer type with a blue/green deployment. For more information, see Configure an Application Load Balancer.
4. To confirm that requests with the BlockedHost1 hostname are blocked from reaching your Elastic Beanstalk environment, first open a terminal. Then, to simulate a request that originates from exampletoblock.com, run this command:
$ curl -I -H 'host: exampletoblock.com' http://YOUR-ENV-NAME.YOUR-ENV-ID.AWS-REGION.elasticbeanstalk.com
Note: Replace exampletoblock.com with the hostname that you configured in waf.config and want to block. Replace http://YOUR-ENV-NAME.YOUR-ENV-ID.AWS-REGION.elasticbeanstalk.com with your Elastic Beanstalk environment URL.
If the hostname is blocked, then you receive output similar to this example:
HTTP/1.1 403 Forbidden
Server: awselb/2.0
Date: Mon, 20 Apr 2020 17:31:14 GMT
Content-Type: text/html
Content-Length: 134
Connection: keep-alive
5. To simulate a normal request, run this command:
$ curl -I http://ENV-NAME.ENV-ID.eu-west-1.elasticbeanstalk.com
If the request is successful, then you see a 200 status code, with output similar to this example:
HTTP/1.1 200 OK
Date: Mon, 20 Apr 2020 17:38:04 GMT
Content-Type: text/html
Content-Length: 3352
Connection: keep-alive
Server: nginx/1.16.1
Block multiple hostnames
To block multiple hostnames, add the hostnames to the web access control list (web ACL) through the same RegexPatternSet. In your waf.config file, add each extra hostname as a custom option and reference it in the RegularExpressionList:
option_settings:
  aws:elasticbeanstalk:environment:
    LoadBalancerType: application
  aws:elasticbeanstalk:customoption:
    BlockedHost1: 'exampletoblock.com'
    BlockedHost2: 'anothertoblock.com'
Resources:
  BlockedHostnames:
    Type: "AWS::WAFv2::RegexPatternSet"
    Properties:
      Description: 'List of Hostnames to be block by WebACL'
      Name: BlockedHostsSet
      RegularExpressionList:
        - { "Fn::GetOptionSetting" : {"OptionName" : "BlockedHost1" }}
        - { "Fn::GetOptionSetting" : {"OptionName" : "BlockedHost2" }}
      Scope: REGIONAL
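The entries in RegularExpressionList are regular expressions, not literal hostnames, so it is worth checking what a given list will and will not block before you deploy it. The following Python is an added example, not code from the AWS article or from Elastic Beanstalk: it models what BlockedHostsRule does with the Host header (a regex pattern set match with TextTransformation NONE) for the single-host and multi-host configurations above, and parses the curl -I output from steps 4 and 5 so the observed status can be compared with the expected one. It assumes that AWS WAF regex patterns match anywhere in the header value unless anchored, with Python's re module standing in for the WAF regex engine; the anchored=True variant, which escapes the dots and anchors the pattern to the whole value, is a tightening suggested here and is not part of the article's configuration.

```python
import re

# Constructed sample: the custom-option hostnames from the waf.config above.
BLOCKED_HOSTS = ["exampletoblock.com", "anothertoblock.com"]


def waf_regexes(hosts, anchored=False):
    """Build the RegularExpressionList entries.

    anchored=False reproduces the article's configuration, which passes the
    hostnames through verbatim (so '.' matches any character and the pattern
    can match inside a longer value). anchored=True escapes metacharacters and
    anchors the pattern to the whole header value; this is an assumption about
    the tighter behaviour you usually want, not the article's config.
    """
    if not anchored:
        return list(hosts)
    return ["^" + re.escape(h) + "$" for h in hosts]


def host_blocked(host_header, regexes):
    """Mirror of BlockedHostsRule: RegexPatternSetReferenceStatement on the
    Host header with TextTransformation NONE. A pattern set matches when any
    regex is found in the value (search, not fullmatch); Python's re stands in
    for the AWS WAF engine here (assumption)."""
    return any(re.search(rx, host_header) for rx in regexes)


def expected_status(host_header, regexes):
    """Block action -> 403 returned by the load balancer; the default Allow
    action passes the request through, 200 for a healthy environment (step 5)."""
    return 403 if host_blocked(host_header, regexes) else 200


def status_from_curl_headers(text):
    """Pull the status code out of `curl -I` output, e.g. 'HTTP/1.1 403 Forbidden'."""
    m = re.match(r"HTTP/\S+\s+(\d{3})", text.strip())
    if not m:
        raise ValueError("no HTTP status line in output")
    return int(m.group(1))


def check(host_header, regexes, curl_output):
    """True when the status the environment returned matches what the rule should do."""
    return expected_status(host_header, regexes) == status_from_curl_headers(curl_output)


if __name__ == "__main__":
    loose = waf_regexes(BLOCKED_HOSTS)
    strict = waf_regexes(BLOCKED_HOSTS, anchored=True)
    # Values a Host header might carry; the second and third show how the
    # unescaped, unanchored patterns match more than the exact hostname.
    for h in ["exampletoblock.com", "exampletoblockXcom",
              "www.exampletoblock.com", "anothertoblock.com", "my-app.example"]:
        print(f"{h:26} as-written={expected_status(h, loose)} anchored={expected_status(h, strict)}")
    # Constructed curl -I output modelled on the article's step 4.
    sample = "HTTP/1.1 403 Forbidden\r\nServer: awselb/2.0\r\n"
    print("step 4 result consistent:", check("exampletoblock.com", loose, sample))
```

Run it with no arguments to print the table; to compare against a live environment, paste the header output of the curl command from step 4 into check() with the Host value you sent.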
Related information
Add and customize Elastic Beanstalk environment resources