In AWS X-Ray if request starts with API Gateway - it populates trace with request info, such as URL or method. But if request initiates with ALB - only trace ID is supplied.
Is there a way supply information similar to API Gateway?
From the documentation:
Elastic Load Balancing application load balancers add a trace ID to
incoming HTTP requests in a header named X-Amzn-Trace-Id.
Load balancers do not send data to X-Ray, and do not appear as a node
on your service map.
It looks like if you wanted more information about the request you could possibly tie that back to a record in the Load Balancer's access log.
Related
If i make a POST request to API gateway endpoint (configured to handle POST calls), by using AWS console how can i identify which AWS service (lambda/fargate/etc) is configured as request handler for that endpoint.
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-basic-concept.html
suggest For Integrations, choose Add integration.
But how can i find handlers/integration for an existing endpoint.
I am only able to identify Invoke URL and lambda service used as authenticator. OR do i need to manually check each Application load balancer ?
If you would like to add Integrate with ALB, you could select the HTTP in Integration Request > Integration Type and input the ALB DNS into Endpoint URL.
Check out this image: Integration Request
I have two services running Cloud Run such as api1 and api2.
I set up a global external HTTP(S) load balancer (classic) in GCP to route the path to both services.
such as
Paths
Action
Backend
/api1/*
Route traffic to a single backend
service-api1
/api2/*
Route traffic to a single backend
service-api2
When I send a request mydomain/api1/aaa/ccc/, api1 get the request url as mydomain/api1/aaa/ccc/
When I send a request mydomain/api2/ddd/eee/, api2 get the request url as mydomain/api2/ddd/eee/
Is there a way to rewrite the incoming request for api1, so that api1 will see the request as mydomain/aaa/ccc/?
This also apply to api2, so api2 will see the request as mydomain/ddd/eee/
From the Rewrite documentation,
The load balancer provides the following mutually exclusive primary
actions:
Reads the incoming URL in the request.
Replaces the host, the path, or both the host and the path, transforming the URL before directing traffic to the backend service
or backend bucket.
I think there is a way, but I don't manage to make it work.
Any advice?
In load balancing console page
Select Advanced host and path rule (URL redirect, URL rewrite) in Host and path rules
Add a path rule and edit path rule as below (show Add-On action)
Save and update the changes.
When you send a request mydomain/api1/aaa/ccc/, api1 will see the request as mydomain/aaa/ccc/.
I am trying to set Listener rules on an ALB. I want to add Google Oauth support to one of my servers.
Here are the Google endpoints I am using
I see google auth page alright, but on the callback url I'm seeing 500 Internal Server Error. I've also set the callback URL. Am at a loss as to what's wrong here. Any help is most appreciated!
After authentication, I'm not redirecting to my application, instead I've set ALP to show a text based simple response.
I struggled with the same problem for hours, and in the end it turned out to be the user info endpoint that was wrong. I was using the same one as you, but it should be https://openidconnect.googleapis.com/v1/userinfo.
I haven’t found any Google documentation saying what the value should be, but found this excellent blog post that contained a working example: https://cloudonaut.io/how-to-secure-your-devops-tools-with-alb-authentication/ (the first example uses Cognito, but the second uses OIDC and Google directly).
From AWS documentation
HTTP 500: Internal Server Error
Possible causes:
You configured an AWS WAF web access control list (web ACL) and there was an error executing the web ACL rules.
You configured a listener rule to authenticate users, but one of the following is true:
The load balancer is unable to communicate with the IdP token endpoint or the IdP user info endpoint. Verify that the security groups for your load balancer and the network ACLs for your VPC allow outbound access to these endpoints. Verify that your VPC has internet access. If you have an internal-facing load balancer, use a NAT gateway to enable internet access.
The size of the claims returned by the IdP exceeded the maximum size supported by the load balancer.
A client submitted an HTTP/1.0 request without a host header, and the load balancer was unable to generate a redirect URL.
A client submitted a request without an HTTP protocol, and the load balancer was unable to generate a redirect URL.
The requested scope doesn't return an ID token.
I have configured aws cloudfront access logs and aws application load balancer access logs. Now they logs every query string. But I have password value in the query string as well and that value I would like to mask or hide. Is it possible in aws application load balancer access logs or cloudfront logs
CloudFront and ALB do not provide a way to suppress this logging... but sensitive data does not belong in the query string.
See, for example, the OWASP article on Information Exposure through Query Strings in URL for further information on this vulnerabity and this post on Information Security Stack Exchange.
Amazon introduced support for Request Tracing in 2016 for all of its Application Load Balancers (ALBs).
How are Access Logging, Request Tracing and CloudTrail logging, different from each other?
When to use what?
How is one better than the other and under what circumstances?
CloudTrail logs API calls within your account. Load balancer log files log HTTP client requests to your load balancer (e.g. web traffic). Very different types of information.
Load Balancer access logs record information about who, where and what HTTP requests are being made from clients. This information is useful for traffic analysis.
Request Tracing adds a custom header X-Amzn-Trace-Id into the request to your origin (typically a web server). This is used to trace (track) requests thru your origin servers.