9

My ELB keeps taking my instances out of service, because the HTTP health check is failing.

We have a DNS wildcard, and redirect everything to www:

vhost.conf:

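    ServerName www.example.com
    ServerAlias *.example.com
    RewriteEngine on
    # Redirect any host other than www.example.com to www
    RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
    # Capture the path so that $1 is populated in the target
    RewriteRule ^/?(.*)$ http://www.example.com/$1 [R=301,L]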

This works fine for actual browsers, but the HTTP health check to / fails, presumably because it's getting a 302.

Is the best option to use a TCP health check, or is there a way to get HTTP to work?

chris
  • Just use a TCP health check until AWS allows for customizing the host header sent for the health check. Even with a default entry on your webserver you are not actually checking the health of your app, just your webserver which is pretty much the same as checking if the tcp port is open. – Pykler Jun 03 '15 at 22:15

2 Answers

13

This question has been asked on the AWS forums and the answer was to set up a default vhost that handles traffic on the bare IP address and doesn't do any redirects. This will mean that normal users who hit your IP address will not be redirected either.

You could alternatively specify the path part of the URL that you want the ELB to request and ignore that path by adding another RewriteCond:

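    RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
    # Leave the ELB health-check path alone
    RewriteCond %{REQUEST_URI} !^/health-check$
    # Capture the path so that $1 is populated in the target
    RewriteRule ^/?(.*)$ http://www.example.com/$1 [R=301,L]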

Normal users who hit that URL will not be redirected.

You could also use the same technique to detect the User-Agent of the ELB.

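    RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
    # Skip the redirect for the ELB health checker's User-Agent
    RewriteCond %{HTTP_USER_AGENT} !^ELB-HealthChecker
    # Capture the path so that $1 is populated in the target
    RewriteRule ^/?(.*)$ http://www.example.com/$1 [R=301,L]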

Normal users who spoof their User-Agent will not be redirected.

Or the internal IP address of the ELB.

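    RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
    # Skip the redirect for requests whose REMOTE_ADDR is in 10.0.0.0/8
    RewriteCond %{REMOTE_ADDR} !^10\.
    # Capture the path so that $1 is populated in the target
    RewriteRule ^/?(.*)$ http://www.example.com/$1 [R=301,L]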

For this option to work, you will require either mod_rpaf (for Apache 2.2) or mod_remoteip (for Apache 2.4) to modify the REMOTE_ADDR variable to contain the correct part of the contents of the X-Forwarded-For header. As long as you set that up correctly, it shouldn't be possible for a normal user to avoid the redirect response.

Ladadadada
  • The problem with setting up a default vhost is that the IP address is going to change each time a new instance is spun up or rebooted, and I would like my default AMI to include support for the health check. I'll look into the other options. – chris Jan 17 '13 at 15:37
  • The IP address check I included only checks that the IP address starts with `10.`. The rest of the parts of the IP address can change as much as they want and they will still be matched. The `10.*.*.*` (or 10.0.0.0/8) range of IP addresses is not routable over the internet. – Ladadadada Jan 17 '13 at 15:46
  • I am already using the remote IP to log the requestor's IP address (as opposed to the ELB IP) so the 3rd option worked - thanks! – chris Jan 17 '13 at 17:01
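
Added example (not part of the answer above, and not Apache's own code): a simplified Python model of the right-to-left X-Forwarded-For handling that the REMOTE_ADDR option depends on, showing why a client-supplied `10.` entry must not be able to skip the redirect. The trusted range 10.0.0.0/8, all addresses and the function names are constructed assumptions.

```python
import ipaddress
import re

TRUSTED = ipaddress.ip_network("10.0.0.0/8")  # assumption: range the ELB connects from
SKIP_REDIRECT = re.compile(r"^10\.")          # the REMOTE_ADDR pattern from the answer


def effective_addr(peer, xff):
    """Walk X-Forwarded-For right to left while the current hop is trusted."""
    addr = peer
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    while hops and ipaddress.ip_address(addr) in TRUSTED:
        try:
            addr = str(ipaddress.ip_address(hops.pop()))
        except ValueError:
            break  # unparsable hop: keep the last address that could be verified
    return addr


def leftmost_addr(peer, xff):
    """Misconfiguration: believe the first entry, which the client controls."""
    return xff.split(",")[0].strip() if xff else peer


def redirected(host, remote_addr):
    """True when the Host + REMOTE_ADDR conditions would send the 301."""
    wrong_host = not re.match(r"^www\.example\.com$", host, re.I)
    return wrong_host and not SKIP_REDIRECT.match(remote_addr)


if __name__ == "__main__":
    elb = "10.0.1.5"  # constructed ELB node address
    samples = [       # constructed requests: (description, Host, X-Forwarded-For)
        ("ELB health check", "10.0.3.17", None),
        ("normal visitor", "foo.example.com", "203.0.113.7"),
        ("spoofed header", "foo.example.com", "10.9.9.9, 203.0.113.7"),
    ]
    for name, host, xff in samples:
        good = effective_addr(elb, xff)
        bad = leftmost_addr(elb, xff)
        print(f"{name}: right-to-left={good} redirected={redirected(host, good)}; "
              f"leftmost={bad} redirected={redirected(host, bad)}")
```

Only the leftmost-entry variant lets the spoofed request avoid the redirect; the right-to-left walk stops at the address the ELB itself appended.
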
0

Adding virtual hosts is not a good idea, since one has to restart the httpd service for virtual hosts to get reflected. There is an alternative way of doing this:

  1. Ignore the ELB health check path in the .htaccess file
    separate all four parts of the DNS name as follows
    elb_dns_name: elb-name.subnet_zone.elb.amazonaws.com
  2. For all the remaining URLs have internal rewrite rules
    directory_structure: code_folder/website

    RewriteEngine On
    RewriteCond %{HTTP_HOST} !$ [NC]
    RewriteCond %{REQUEST_URI} !^/index.php$
    RewriteRule ^(.*)$ /$1 [L,QSA]

This worked very well for me. Please suggest if there are better methods. Cheers!