Site24x7 shows the website as down when we enable WAF on the AWS ELB.
Does anyone have any idea what the cause could be?
I have tried removing multiple rules from the WAF and found that the rules below are causing the issue. Does anyone know about this ruleset?
AWS#AWSManagedRulesSQLiRuleSet#GenericRFI_BODY,
AWS#AWSManagedRulesSQLiRuleSet#SQLi_BODY and
AWS#AWSManagedRulesCommonRuleSet#CrossSiteScripting_BODY.
Check the documentation below to allow the integration between site24x7 and AWS WAF.
https://www.site24x7.com/help/aws/waf-integration.html
I am trying to set up an AWS CloudFront distribution and route traffic from one of my subdomains to CloudFront.
As per the AWS documentation, I created and added a certificate to CloudFront, then defined an alternate domain name with that subdomain. However, I always encounter this error:
I have checked thoroughly that I do not have another CNAME record associated with that subdomain.
I also tried to follow this guide from AWS to find any conflicting alias setup: https://aws.amazon.com/premiumsupport/knowledge-center/resolve-cnamealreadyexists-error/
but the problem is that my AWS CLI doesn't even have a list-conflicting-aliases command. I am really stuck here. Any help will be appreciated. Thanks.
You will get this error if you've already used this subdomain in another AWS account.
Delete the previous CloudFront distribution in that AWS account before you create a CloudFront distribution in the new account.
I have hosted a website using the LAMP stack in AWS Lightsail.
I am trying to enable SSL certificates for AWS Lightsail with custom DNS on Cloudflare. I have already tried all of steps 1-18 listed in the article below:
https://lightsail.aws.amazon.com/ls/docs/en_us/articles/verify-tls-ssl-certificate-using-dns-cname-https
Additionally, I added two CNAME records to my Cloudflare DNS, one for the root domain and the other for the www subdomain, with the Lightsail load balancer as the target and the proxy status set to proxied (I also tried DNS only).
I have tried all possible combinations to make it work; however, even after a couple of days the status still shows as validation in progress.
Just wanted to check if anyone else has faced the same problem, or if someone can suggest some troubleshooting steps, or if I have missed anything.
Thanks in advance!
Regards,
Piyush
Try adding a CAA record pointing to amazon.com in your Cloudflare DNS settings. Then create the TLS certificate from your Lightsail load balancer page.
If the above doesn't work, I suggest you install the AWS CLI and run aws lightsail get-load-balancer-tls-certificates. The response will show a failureReason field which will help you investigate. For example, if the failureReason field returns "CAA_ERROR", then adding CAA records as I described above will solve the problem.
Documentation for get-load-balancer-tls-certificates: https://docs.aws.amazon.com/cli/latest/reference/lightsail/get-load-balancer-tls-certificates.html
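As an added example (not code from the answer above, nor Lightsail's own tooling), here is a small Python helper that reads the JSON printed by aws lightsail get-load-balancer-tls-certificates, reports each certificate's status, failureReason and any validation records still pending, and spells out the CAA record the answer recommends when the reason is CAA_ERROR. The response below is a constructed sample: the field names are assumed from the CLI documentation and the values are placeholders, so compare them with your own output. The cname_problems function is a hypothetical sanity check for the kind of malformed validation record (extra tokens pasted into the name or value) that silently keeps a certificate in validation.

```python
import json

# Constructed sample, shaped like the JSON from
#   aws lightsail get-load-balancer-tls-certificates --load-balancer-name <name>
# Field names are assumed from the CLI docs; all values are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "tlsCertificates": [{
        "name": "example-cert",
        "domainName": "example.com",
        "status": "FAILED",
        "failureReason": "CAA_ERROR",
        "domainValidationRecords": [
            {"domainName": "example.com",
             "name": "_abc123.example.com",
             "type": "CNAME",
             "value": "_xyz789.acm-validations.aws",
             "validationStatus": "PENDING_VALIDATION"},
            {"domainName": "www.example.com",
             "name": "_def456.www.example.com",
             "type": "CNAME",
             "value": "_uvw000.acm-validations.aws",
             "validationStatus": "PENDING_VALIDATION"},
        ],
    }]
})

# CAA record the answer recommends: only Amazon's CA may issue for the zone.
CAA_RECORD = {"type": "CAA", "flags": 0, "tag": "issue", "value": "amazon.com"}


def cname_problems(name, value):
    """Hypothetical check for copy/paste mistakes in a validation CNAME:
    the name and the value must each be one bare hostname, nothing else."""
    problems = []
    for label, field in (("name", name), ("value", value)):
        token = field.strip()
        if " " in token or "\t" in token:
            problems.append(f"{label} contains whitespace; paste only the hostname")
        if token.upper().startswith(("CNAME", "TTL")) or " CNAME " in f" {token} ":
            problems.append(f"{label} includes record-type or TTL text")
        if not token or any(c in token for c in '"<>'):
            problems.append(f"{label} is empty or contains quote/bracket characters")
    return problems


def diagnose(response_json):
    """Summarise each certificate in the response and the next step to take."""
    findings = []
    for cert in json.loads(response_json).get("tlsCertificates", []):
        reason = cert.get("failureReason")
        pending = [(r["name"], r["value"])
                   for r in cert.get("domainValidationRecords", [])
                   if r.get("validationStatus") != "SUCCESS"]
        if reason == "CAA_ERROR":
            action = ("CAA: add %s %s %s at the zone apex, then recreate the certificate"
                      % (CAA_RECORD["flags"], CAA_RECORD["tag"], CAA_RECORD["value"]))
        elif pending:
            action = "CNAME: create the pending validation records exactly as listed"
        else:
            action = "no action from this output; check status=%s" % cert.get("status")
        findings.append({"name": cert.get("name"), "status": cert.get("status"),
                         "failureReason": reason, "pending_records": pending,
                         "action": action})
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_RESPONSE):
        print(f["name"], f["status"], f["failureReason"], "->", f["action"])
        for name, value in f["pending_records"]:
            print("  pending CNAME", name, "->", value, cname_problems(name, value) or "ok")
```

To use it on a real account, pipe the CLI output into diagnose() instead of SAMPLE_RESPONSE; the CAA record it prints is the DNS value "0 issue amazon.com" from the answer above, which has to exist before the certificate is recreated because the CA checks it at issuance time.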
Actually, I made a mistake while creating the CNAME record, hence it was not validated. After removing some additional fields from the string, it worked!
Thanks
On AWS we have 2 Elastic Beanstalk instances and one S3 bucket for a static website. Since the app uses Login With Amazon, we added the HTTPS protocol. Recently we moved a domain to Route 53, created SSL certificates and configured load balancers with HTTPS for each of the instances.
The website/Elastic Beanstalk instances work well when addressed by the generic AWS domains.
But we faced a problem when using the domain created on Route 53. Sometimes the domain is not available and we don't know why (see attached video): Failed to open Route 53 domain
This issue reproduces on Safari when you refresh a web page many times, and our servers become unavailable. We spent a week trying to fix this problem without any success. The real problem is that we don't even know what the reason could be. Any thoughts?
Thanks for any response!
As I can see from your domain information, you are pointing to an AWS IP address with an A record.
You should point your domain as a CNAME to the AWS URL.
The IP of your Elastic Beanstalk instances can change; the Elastic Beanstalk URL does not.
Greetings
Dominik
Resolved with this answer on AWS forum
https://forums.aws.amazon.com/thread.jspa?threadID=295461
Updated:
Unfortunately, the link is broken and I can't remember how it was fixed. It was a few years ago...
In the logs for my Elastic Beanstalk app I keep seeing "GET /aetn-heartbeat.html HTTP/1.1" 404 158 "-" "Varnish/2.1+fastly (healthcheck)"
The load balancer is working fine, but the health of my ELB constantly shows as degraded because of these 404 errors, and it's a bit confusing. My question is: do I ignore these 404s? Figure out a way to block these requests? Or is there a real issue that should be addressed?
AWS is an open cloud environment. By which I mean you can get all sorts of requests from all around the world. Maybe the IP address (or even the DNS name) assigned to your AWS EB environment was hard-coded in someone's application somewhere in the world. Or even worse, someone is trying to hack in. That's the only reason AWS promotes its shared responsibility model.
You can get all sorts of requests from anywhere around the world. A better way to block them is to use AWS WAF and allow only the URLs you want to pass through. You can find 2 common ways of using AWS WAF with EB:
Associate AWS WAF with the ALB
Use AWS WAF with AWS CloudFront and the ELB
Secondly, you can also handle this at the code level and not send a 404, if the AWS approach is hard to implement. But I'd recommend using AWS WAF.
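As an added example (not the answer's own code), here is a Python triage script that parses access-log lines in the format quoted in the question, counts the 404s by path and user agent, and then checks a hypothetical allow-list of the app's real paths against the same log before that list is turned into WAF rules: any non-404 request the list would drop is a path you forgot, and the ELB health-check path in particular must stay allowed or the environment goes degraded for a new reason. The log lines, addresses and allow-list are all constructed for this example.

```python
import re
from collections import Counter

# Constructed sample access-log lines in the combined format Elastic Beanstalk's
# web tier writes. The 404 line mirrors the one quoted in the question; the
# addresses come from the RFC 5737 documentation ranges and 10.0.0.0/8.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET /aetn-heartbeat.html HTTP/1.1" 404 158 "-" "Varnish/2.1+fastly (healthcheck)"
203.0.113.10 - - [01/Jan/2024:10:00:11 +0000] "GET /aetn-heartbeat.html HTTP/1.1" 404 158 "-" "Varnish/2.1+fastly (healthcheck)"
198.51.100.7 - - [01/Jan/2024:10:00:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.1.5 - - [01/Jan/2024:10:00:13 +0000] "GET /health HTTP/1.1" 200 2 "-" "ELB-HealthChecker/2.0"
198.51.100.9 - - [01/Jan/2024:10:00:14 +0000] "GET /api/items HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.22 - - [01/Jan/2024:10:00:15 +0000] "GET /wp-login.php HTTP/1.1" 404 158 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Hypothetical allow-list of the paths this app actually serves. The ELB
# health-check path must be in here, otherwise the WAF itself will make the
# environment report degraded health.
ALLOWED_EXACT = {"/", "/health"}
ALLOWED_PREFIXES = ("/api/",)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_allowed(path):
    """Decide whether a request path is on the allow-list (query string ignored)."""
    path = path.split("?", 1)[0]
    return path in ALLOWED_EXACT or path.startswith(ALLOWED_PREFIXES)


def triage(log_text):
    """Summarise stray 404s and dry-run the allow-list against real traffic."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    stray_404s = Counter((e["path"], e["ua"]) for e in entries if e["status"] == "404")
    blocked = [e for e in entries if not is_allowed(e["path"])]
    # Anything non-404 that the allow-list would drop is real traffic:
    # fix the list before deploying it as WAF rules.
    affected = sorted({e["path"] for e in blocked if e["status"] != "404"})
    return {
        "parsed": len(entries),
        "stray_404s": dict(stray_404s),
        "blocked_by_allowlist": len(blocked),
        "allowed_traffic_affected": affected,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for (path, ua), n in sorted(report["stray_404s"].items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  404  {path}  [{ua}]")
    print("requests the allow-list would block:", report["blocked_by_allowlist"])
    print("non-404 traffic the allow-list would break:", report["allowed_traffic_affected"])
```

Run it against a real log with triage(open("access.log").read()); an empty allowed_traffic_affected list is the signal that the allow-list is safe to express as WAF rules, and the stray_404s table is what you keep as evidence of what the rules are meant to drop.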
Is it possible to restrict specific HTTP methods at the ELB level?
We want to allow only HTTP GET through the AWS ELB.
I checked the AWS docs and googled but didn't find any appropriate solution.
If it is not possible, is there any other AWS component with which we can achieve it?
We just want to allow only GET calls to go through the ELB, so that consumers can only retrieve data.
Thanks a lot for your help.
No, you cannot achieve HTTP method restriction from the load balancer. But you can achieve that using AWS CloudFront.
What you can do is create a CloudFront distribution using the ELB as the origin and select just the GET method under "Allowed HTTP Methods" in the CloudFront distribution settings. Check the screenshot below.