How should I configure my ELB health check when using NameVirtualHosts and redirecting to www?

18,711

This question has been asked on the AWS forums and the answer was to set up a default vhost that handles traffic on the bare IP address and doesn't do any redirects. This will mean that normal users who hit your IP address will not be redirected either.

You could alternatively specify the path part of the URL that you want the ELB to request and ignore that path by adding another RewriteCond:

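# Redirect any non-canonical host to www, except the health-check path.
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteCond %{REQUEST_URI} !^/health-check$
# Capture the path so that $1 is populated in the redirect target.
RewriteRule ^/?(.*)$ http://www.example.com/$1 [R=301,L]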

Normal users who hit that URL will not be redirected.

You could also use the same technique to detect the User-Agent of the ELB.

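# Redirect any non-canonical host to www, unless the User-Agent is the ELB's.
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^ELB-HealthChecker
# Capture the path so that $1 is populated in the redirect target.
RewriteRule ^/?(.*)$ http://www.example.com/$1 [R=301,L]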

Normal users who spoof their User-Agent will not be redirected.

Or the internal IP address of the ELB.

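# Redirect any non-canonical host to www, unless the request comes from 10.x.x.x.
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteCond %{REMOTE_ADDR} !^10\.
# Capture the path so that $1 is populated in the redirect target.
RewriteRule ^/?(.*)$ http://www.example.com/$1 [R=301,L]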

For this option to work, you will require either mod_rpaf (for Apache 2.2) or mod_remoteip (for Apache 2.4) to modify the REMOTE_ADDR variable to contain the correct part of the contents of the X-Forwarded-For header. As long as you set that up correctly, it shouldn't be possible for a normal user to avoid the redirect response.


Author: chris

Updated on September 18, 2022
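
The answer's third option depends on REMOTE_ADDR being taken from "the correct part" of X-Forwarded-For. The Python sketch below is an added example, not code from the answer or from Apache: it models trusted-proxy resolution in simplified form and applies the answer's two RewriteCond tests to three constructed requests. The 10.0.0.0/8 trusted range, the sample addresses and all function names are assumptions.

```python
import ipaddress
import re

# Assumption: the ELB nodes live in 10.0.0.0/8, matching the answer's ^10\. test.
TRUSTED = ipaddress.ip_network("10.0.0.0/8")

def parse(addr):
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None

def resolve_rightmost(peer, xff):
    """Simplified model of trusted-proxy resolution (not mod_remoteip's code):
    consume X-Forwarded-For right to left while the current address is trusted."""
    client = parse(peer)  # the peer comes from the TCP socket, so it always parses
    hops = [h for h in (xff or "").split(",") if h.strip()]
    while client in TRUSTED and hops:
        hop = parse(hops.pop())
        if hop is None:  # malformed entry: keep the last good address
            break
        client = hop
    return str(client)

def resolve_leftmost(peer, xff):
    """Misconfiguration: use the first entry, which the client controls."""
    return xff.split(",")[0].strip() if xff else peer

def redirects(host, remote_addr):
    """The answer's two RewriteCond lines: the 301 fires only if both hold."""
    not_canonical = re.match(r"^www\.example\.com$", host, re.I) is None
    not_internal = re.match(r"^10\.", remote_addr) is None
    return not_canonical and not_internal

# Constructed requests: label -> (TCP peer, Host header, X-Forwarded-For)
REQUESTS = {
    "health-check": ("10.0.0.7", "10.0.0.42", None),
    "user": ("10.0.0.7", "example.com", "203.0.113.5"),
    "forged-xff": ("10.0.0.7", "example.com", "10.1.2.3, 203.0.113.5"),
}

def decisions(resolver):
    return {label: redirects(host, resolver(peer, xff))
            for label, (peer, host, xff) in REQUESTS.items()}

if __name__ == "__main__":
    for resolver in (resolve_rightmost, resolve_leftmost):
        print(resolver.__name__, decisions(resolver))
```

Only the right-to-left resolver keeps the redirect in place for the request carrying a forged 10.x entry, because the load balancer appends the real client address after whatever the client sent.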

Comments

  • chris, over 1 year

    My ELB keeps taking my instances out of service, because the HTTP health check is failing.

    We have a DNS wildcard, and redirect everything to www:

    vhost.conf:

    ServerName www.example.com
    ServerAlias *.example.com
    RewriteEngine on
    RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
    # Capture the path so that $1 is populated in the redirect target.
    RewriteRule ^/?(.*)$ http://www.example.com/$1 [R=301,L]
    

    This works fine for actual browsers, but the HTTP health check to / fails, presumably because it's getting a 302.

    Is the best option to use a TCP health check, or is there a way to get HTTP to work?

    • Pykler, almost 9 years
      Just use a TCP health check until AWS allows for customizing the host header sent for the health check. Even with a default entry on your webserver you are not actually checking the health of your app, just your webserver which is pretty much the same as checking if the tcp port is open.
  • chris, over 11 years
    The problem with setting up a default vhost is that the IP address is going to change each time a new instance is spun up or rebooted, and I would like my default AMI to include support for the health check. I'll look into the other options.
  • Ladadadada, over 11 years
    The IP address check I included only checks that the IP address starts with 10.. The rest of the parts of the IP address can change as much as they want and they will still be matched. The 10.*.*.* (or 10.0.0.0/8) range of IP addresses are not routable over the internet.
  • chris, over 11 years
    I am already using the remote IP to log the requestor's IP address (as opposed to the ELB IP) so the 3rd option worked - thanks!