
feat(elasticloadbalancingv2): application load balancer attributes #29586

Merged Apr 8, 2024 (12 commits)


@@ -415,6 +415,26 @@
"Key": "routing.http.desync_mitigation_mode",
"Value": "defensive"
},
{
"Key": "routing.http.preserve_host_header.enabled",
"Value": "true"
},
{
"Key": "routing.http.x_amzn_tls_version_and_cipher_suite.enabled",
"Value": "true"
},
{
"Key": "routing.http.xff_client_port.enabled",
"Value": "true"
},
{
"Key": "routing.http.xff_header_processing.mode",
"Value": "preserve"
},
{
"Key": "waf.fail_open.enabled",
"Value": "true"
},
{
"Key": "client_keep_alive.seconds",
"Value": "1000"


@@ -20,6 +20,11 @@ new elbv2.ApplicationLoadBalancer(stack, 'LB', {
dropInvalidHeaderFields: true,
desyncMitigationMode: elbv2.DesyncMitigationMode.DEFENSIVE,
clientKeepAlive: cdk.Duration.seconds(1000),
preserveHostHeader: true,
xAmznTlsVersionAndCipherSuiteHeaders: true,
preserveXffClientPort: true,
xffHeaderProcessingMode: elbv2.XffHeaderProcessingMode.PRESERVE,
wafFailOpen: true,
});

new elbv2.ApplicationLoadBalancer(stack, 'DesyncMitigationModeMonitor', {
17 changes: 16 additions & 1 deletion packages/aws-cdk-lib/aws-elasticloadbalancingv2/README.md
@@ -228,7 +228,22 @@ const lb = new elbv2.ApplicationLoadBalancer(this, 'LB', {
crossZoneEnabled: true,

// Whether the load balancer blocks traffic through the Internet Gateway (IGW).
denyAllIgwTraffic: false
denyAllIgwTraffic: false,

// Whether to preserve Host header in the request to the target
Contributor: nit: lowercase host

preserveHostHeader: true,

// Whether to add the TLS information header to the request
xAmznTlsVersionAndCipherSuiteHeaders: true,

// Whether the X-Forwarded-For header should preserve the source port
preserveXffClientPort: true,

// The processing mode for X-Forwarded-For headers
xffHeaderProcessingMode: elbv2.XffHeaderProcessingMode.APPEND,

// Whether to allow a load balancer to route requests to targets if it is unable to forward the request to AWS WAF.
wafFailOpen: true,
});
```
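Review bot: the README example sets `wafFailOpen: true` without saying what that trades away. The property doc added in this PR describes it as allowing a WAF-enabled load balancer to route requests to targets when it cannot forward them to AWS WAF, which means those requests reach targets uninspected; showing the permissive value as the sample configuration invites copy-paste. Suggest either showing `wafFailOpen: false` here or extending the comment, e.g. `// ... if it is unable to forward the request to AWS WAF (such requests are not inspected by WAF).` A similar one-line note on `xffHeaderProcessingMode` that PRESERVE passes the client-supplied X-Forwarded-For through unchanged would help readers pick the mode deliberately.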

@@ -16,6 +16,8 @@ import { parseLoadBalancerFullName } from '../shared/util';

/**
* Properties for defining an Application Load Balancer
*
* @see https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#load-balancer-attributes
*/
export interface ApplicationLoadBalancerProps extends BaseLoadBalancerProps {
/**
@@ -68,6 +70,74 @@ export interface ApplicationLoadBalancerProps extends BaseLoadBalancerProps {
* @default - Duration.seconds(3600)
*/
readonly clientKeepAlive?: Duration;

/**
* Indicates whether the Application Load Balancer should preserve the Host header in the HTTP request
Contributor: nit: host

* and send it to the target without any change.
*
* @default false
*/
readonly preserveHostHeader?: boolean;

/**
* Indicates whether the two headers (x-amzn-tls-version and x-amzn-tls-cipher-suite),
* which contain information about the negotiated TLS version and cipher suite,
* are added to the client request before sending it to the target.
*
* The x-amzn-tls-version header has information about the TLS protocol version negotiated with the client,
* and the x-amzn-tls-cipher-suite header has information about the cipher suite negotiated with the client.
*
* Both headers are in OpenSSL format.
*
* @default false
*/
readonly xAmznTlsVersionAndCipherSuiteHeaders?: boolean;
Contributor: can you add @see values with links to AWS docs?

Contributor: @badmintoncryer Since the URLs are the same, I think it'd make more sense to add the @see one time under "Properties for defining an Application Load Balancer"?

Contributor Author: @msambol I was unable to retrieve links for each attribute and ended up entering the same URL...
I made the revisions just as you suggested!


/**
* Indicates whether the X-Forwarded-For header should preserve the source port
* that the client used to connect to the load balancer.
*
* @default false
*/
readonly preserveXffClientPort?: boolean;
Contributor: likewise for this and below, can you add @see?


/**
* Enables you to modify, preserve, or remove the X-Forwarded-For header in the HTTP request
* before the Application Load Balancer sends the request to the target.
*
* @default XffHeaderProcessingMode.APPEND
*/
readonly xffHeaderProcessingMode?: XffHeaderProcessingMode;

/**
* Indicates whether to allow a WAF-enabled load balancer to route requests to targets
* if it is unable to forward the request to AWS WAF.
*
* @default false
*/
readonly wafFailOpen?: boolean;
}

/**
* Processing mode of the X-Forwarded-For header in the HTTP request
* before the Application Load Balancer sends the request to the target.
*/
export enum XffHeaderProcessingMode {
/**
* Application Load Balancer adds the client IP address (of the last hop) to the X-Forwarded-For header
* in the HTTP request before it sends it to targets.
*/
APPEND = 'append',
/**
* Application Load Balancer preserves the X-Forwarded-For header in the HTTP request,
* and sends it to targets without any change.
*/
PRESERVE = 'preserve',
/**
* Application Load Balancer removes the X-Forwarded-For header
* in the HTTP request before it sends it to targets.
*/
REMOVE = 'remove',
Contributor: nit: can you shorten these docs and move to multiple lines?

}

/**
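Review bot: the `xffHeaderProcessingMode` doc ("Enables you to modify, preserve, or remove the X-Forwarded-For header ...") and the `PRESERVE` entry ("sends it to targets without any change") describe the mechanics but not the consequence a target author needs: in PRESERVE mode whatever X-Forwarded-For value the client sent reaches the target untouched, so the target must not treat it as the connecting client's address, and in REMOVE mode the target gets no client IP from this header at all. Suggest adding that caveat to the `PRESERVE` and `REMOVE` docs, and stating on `preserveXffClientPort` that it only has an effect when the load balancer is itself writing the header (i.e. not in PRESERVE or REMOVE mode) if that is the case; the current text leaves the interaction between the two props unstated.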
@@ -129,6 +199,11 @@ export class ApplicationLoadBalancer extends BaseLoadBalancer implements IApplic
if (props.idleTimeout !== undefined) { this.setAttribute('idle_timeout.timeout_seconds', props.idleTimeout.toSeconds().toString()); }
if (props.dropInvalidHeaderFields) {this.setAttribute('routing.http.drop_invalid_header_fields.enabled', 'true'); }
if (props.desyncMitigationMode !== undefined) {this.setAttribute('routing.http.desync_mitigation_mode', props.desyncMitigationMode); }
if (props.preserveHostHeader) { this.setAttribute('routing.http.preserve_host_header.enabled', 'true'); }
if (props.xAmznTlsVersionAndCipherSuiteHeaders) { this.setAttribute('routing.http.x_amzn_tls_version_and_cipher_suite.enabled', 'true'); }
if (props.preserveXffClientPort) { this.setAttribute('routing.http.xff_client_port.enabled', 'true'); }
if (props.xffHeaderProcessingMode !== undefined) { this.setAttribute('routing.http.xff_header_processing.mode', props.xffHeaderProcessingMode); }
if (props.wafFailOpen) { this.setAttribute('waf.fail_open.enabled', 'true'); }
if (props.clientKeepAlive !== undefined) {
const clientKeepAliveInMillis = props.clientKeepAlive.toMilliseconds();
if (clientKeepAliveInMillis < 1000) {
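Review bot: the four boolean `setAttribute` calls only write the attribute when the prop is truthy (`if (props.wafFailOpen) { this.setAttribute('waf.fail_open.enabled', 'true'); }`), so an explicit `false` is indistinguishable from omitting the prop and `'false'` is never emitted. This matches the existing `dropInvalidHeaderFields` handling, so it is consistent, but it is worth confirming that flipping a prop from `true` to `false` on an already-deployed stack actually resets the attribute rather than leaving it at `true`; if it does not, `if (props.wafFailOpen !== undefined) { this.setAttribute('waf.fail_open.enabled', String(props.wafFailOpen)); }` makes the intent explicit. `xffHeaderProcessingMode` already uses the `!== undefined` form, so the two styles sit side by side in the same block.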
@@ -85,6 +85,11 @@ describe('tests', () => {
dropInvalidHeaderFields: true,
clientKeepAlive: cdk.Duration.seconds(200),
denyAllIgwTraffic: true,
preserveHostHeader: true,
xAmznTlsVersionAndCipherSuiteHeaders: true,
preserveXffClientPort: true,
xffHeaderProcessingMode: elbv2.XffHeaderProcessingMode.PRESERVE,
wafFailOpen: true,
});

// THEN
@@ -110,6 +115,26 @@ describe('tests', () => {
Key: 'routing.http.drop_invalid_header_fields.enabled',
Value: 'true',
},
{
Key: 'routing.http.preserve_host_header.enabled',
Value: 'true',
},
{
Key: 'routing.http.x_amzn_tls_version_and_cipher_suite.enabled',
Value: 'true',
},
{
Key: 'routing.http.xff_client_port.enabled',
Value: 'true',
},
{
Key: 'routing.http.xff_header_processing.mode',
Value: 'preserve',
},
{
Key: 'waf.fail_open.enabled',
Value: 'true',
},
{
Key: 'client_keep_alive.seconds',
Value: '200',
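Review bot: the assertions only exercise `Value: 'preserve'` and `Value: 'true'`; nothing here checks that the five new attribute keys are absent when the props are omitted, and `XffHeaderProcessingMode.APPEND` and `REMOVE` (string values `'append'` and `'remove'` in the enum) are never rendered. Suggest one test that omits all five props and asserts `routing.http.preserve_host_header.enabled`, `routing.http.xff_header_processing.mode` and `waf.fail_open.enabled` do not appear in `LoadBalancerAttributes`, plus a parameterised case over the three enum values so a typo in the string constants is caught by the unit tests rather than at deploy time.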