Disclaimer:
This question is about HTTP traffic (on the Linux platform). Maybe there is a good solution with ELB (at a reasonable price for everyone) for the problem below, but for now I can't find one. That's why I need expert advice.
Problem:
I have used AWS Elastic Load Balancing (ELB) for many years, and suddenly I realized that ELB has a huge (and, for me, critical) disadvantage: it cannot block incoming connections by IP.
Once you are behind the ELB, your internal server firewalls (for example, iptables) are already useless, because all traffic forwarded from the ELB carries the ELB's IP address (and not the real IP address of the client). ELB only passes the real client's IP address along in the X-Forwarded-For HTTP header, which is useless for iptables. (Unless you can assume that there is a Linux firewall, such as iptables, that can also handle HTTP traffic with an XFF (X-Forwarded-For) header inside.)
I understand that this is the normal behavior of such reverse proxies, but I need a firewall! I know that AWS suggests using VPC and Network ACL rules to block incoming IP connections. But NACLs have rule restrictions! (AWS allows a maximum of 40 rules in total in a NACL.)
Imagine that you are running a public website with high traffic and block many bad IP addresses every day. How do these 40 rules help?
Need advice:
I'm starting to think about using Nginx as a load balancer (on a separate instance). I have used Nginx before, and this looks promising. And, of course, it can replace the ELB. And then:
iptables + Nginx! (LB + Firewall)
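As an added illustration (not part of the original question), here is what an XFF-aware filter on the backend has to do to recover the real client address behind the ELB: the ELB appends the client's IP as the rightmost X-Forwarded-For entry, while anything further left was sent by the client and may be forged, so the chain is walked from the right past the trusted proxies. The proxy range and the blocklist are constructed assumptions for the example.

```python
import ipaddress
from typing import List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumption (constructed): the ELB nodes that append X-Forwarded-For live in this range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed blocklist; a real deployment would load it from a file or feed.
BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24"),
             ipaddress.ip_network("198.51.100.7/32")]


def client_ip(peer_ip: str, xff: Optional[str]) -> Optional[IPAddr]:
    """Return the real client's address behind the ELB, or None if unparseable.

    The chain is "<XFF entries, left to right>, <TCP peer>". Only entries appended
    by a trusted proxy can be believed, so walk from the right and stop at the first
    hop that is not one of our proxies; everything further left came from the client.
    """
    hops: List[str] = [h.strip() for h in xff.split(",")] if xff else []
    hops.append(peer_ip)
    addr: Optional[IPAddr] = None
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: refuse to guess
        if not any(addr in net for net in TRUSTED_PROXIES):
            return addr
    return addr  # every hop was a trusted proxy (e.g. an ELB health check)


def is_blocked(peer_ip: str, xff: Optional[str]) -> bool:
    """Blocklist check on the recovered client address; fails closed on garbage."""
    addr = client_ip(peer_ip, xff)
    if addr is None:
        return True
    return any(addr in net for net in BLOCKLIST)


if __name__ == "__main__":
    # Constructed requests as (TCP peer seen by the backend, X-Forwarded-For header)
    samples = [
        ("10.0.0.5", "203.0.113.9"),              # real client is blocklisted
        ("10.0.0.5", "203.0.113.9, 192.0.2.44"),  # client forged a blocklisted IP
        ("10.0.0.5", "192.0.2.44, 203.0.113.9"),  # forged a clean IP, real one blocked
        ("192.0.2.44", "203.0.113.9"),            # direct connection, XFF is ignored
    ]
    for peer, header in samples:
        verdict = "blocked" if is_blocked(peer, header) else "allowed"
        print(peer, repr(header), "->", client_ip(peer, header), verdict)
```

A direct connection that bypasses the ELB (peer outside the proxy range) is judged by its TCP peer address alone, so a spoofed header gains nothing there either.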