📄 Host-Based WAF Rule for ALB

🎯 Objective

Block unwanted or bot traffic hitting the ALB directly via its AWS DNS name or public IP, while only allowing requests that use the valid application domain (solutions.example.co.in). Benefits:
  • Reduces 4XX noise in CloudWatch
  • Protects the application from direct scanning attempts

🔧 Approach

  • Use AWS WAF v2 Web ACL attached to the ALB.
  • Create a ByteMatch rule that inspects the Host header.
  • Allow requests only if the Host header exactly matches solutions.example.co.in.
  • Block everything else by setting the Web ACL default action to Block.

✅ Rule Definition (JSON)

{
  "Name": "AllowSolutionsHost",
  "Priority": 7,
  "Action": {
    "Allow": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "AllowSolutionsHost"
  },
  "Statement": {
    "ByteMatchStatement": {
      "FieldToMatch": {
        "SingleHeader": {
          "Name": "host"
        }
      },
      "PositionalConstraint": "EXACTLY",
      "SearchString": "solutions.example.co.in",
      "TextTransformations": [
        {
          "Type": "LOWERCASE",
          "Priority": 0
        }
      ]
    }
  }
}

⚙️ Configuration Steps

  1. Navigate to AWS WAF → Web ACLs.
  2. Edit the Web ACL attached to your ALB.
  3. Add a new Rule → Rule builder → Custom request rule.
  4. Paste the JSON above or configure equivalent settings in the console.
  5. Set the Web ACL default action to Block.
  6. Place this rule so that it is evaluated before any managed rules (in WAF, the rule with the lower Priority number is evaluated first).
  7. (Optional) Add additional Allow rules for other valid domains (e.g., api.example.co.in).

🛡️ Best Practices

  • Start in COUNT mode before enforcing to ensure no valid traffic is accidentally blocked.
  • If using multiple domains, combine one ByteMatchStatement per domain in an OrStatement, or add a separate Allow rule for each domain.
  • Retain AWS Managed Rules (e.g., AWSManagedRulesCommonRuleSet) after the Host header rule for additional protection.
  • Monitor CloudWatch metrics for this rule to verify effectiveness.

🔍 Validation

Run test requests (the -k flag skips TLS certificate validation, which would otherwise fail before the request is sent if the listener certificate does not cover <ALB-DNS> or <ALB-IP>; the WAF decision is what is under test, and a blocked request receives WAF's default 403 response):
curl -k -H "Host: solutions.example.co.in" https://<ALB-DNS>    # ✅ Allowed (Host header matches the rule)
curl -k https://<ALB-IP>                                         # ❌ Blocked (Host header is the IP address)
curl -k https://<ALB-DNS>                                        # ❌ Blocked (Host header is the AWS-assigned DNS name)
  • Query the ALB access logs in Athena after deployment to confirm that only requests with a valid Host header reach the targets.
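To make the rule's decision logic concrete, here is an added Python model of how the Web ACL evaluates the rule above against the validation requests (example code written for this page, not AWS code or the page's own). It applies the page's ByteMatchStatement (LOWERCASE transformation, EXACTLY constraint) and the ordered, terminating rule evaluation of a Web ACL; the ALB DNS name, the IP address and the DemoPathBlock rule standing in for a managed rule are constructed placeholders.

```python
# Host-allow rule from the page, as a Python dict (same fields as the JSON rule).
ALLOW_HOST_RULE = {
    "Name": "AllowSolutionsHost", "Priority": 7, "Action": {"Allow": {}},
    "Statement": {"ByteMatchStatement": {
        "FieldToMatch": {"SingleHeader": {"Name": "host"}},
        "PositionalConstraint": "EXACTLY",
        "SearchString": "solutions.example.co.in",
        "TextTransformations": [{"Type": "LOWERCASE", "Priority": 0}]}},
}

# Constructed stand-in for a managed rule evaluated after the Host rule:
# blocks any URI path containing "../" (illustrative, not an AWS managed rule).
DEMO_PATH_BLOCK_RULE = {
    "Name": "DemoPathBlock", "Priority": 10, "Action": {"Block": {}},
    "Statement": {"ByteMatchStatement": {
        "FieldToMatch": {"UriPath": {}},
        "PositionalConstraint": "CONTAINS", "SearchString": "../",
        "TextTransformations": [{"Type": "NONE", "Priority": 0}]}},
}

TRANSFORMS = {"NONE": lambda s: s, "LOWERCASE": str.lower}
CONSTRAINTS = {"EXACTLY": lambda v, s: v == s, "CONTAINS": lambda v, s: s in v}

def byte_match(stmt, request):
    """Evaluate one ByteMatchStatement against a request dict."""
    field = stmt["FieldToMatch"]
    if "SingleHeader" in field:
        # Header names are matched case-insensitively; a missing header is "".
        headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
        value = headers.get(field["SingleHeader"]["Name"].lower(), "")
    else:  # UriPath is the only other field modelled here
        value = request.get("path", "/")
    # Text transformations apply in ascending Priority before the comparison.
    for t in sorted(stmt["TextTransformations"], key=lambda t: t["Priority"]):
        value = TRANSFORMS[t["Type"]](value)
    return CONSTRAINTS[stmt["PositionalConstraint"]](value, stmt["SearchString"])

def evaluate(rules, request, default_action="Block"):
    # Web ACL semantics: ascending Priority; Allow/Block terminate, Count does not.
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if byte_match(rule["Statement"]["ByteMatchStatement"], request):
            action = next(iter(rule["Action"]))
            if action != "Count":
                return action, rule["Name"]
    return default_action, "default"

def decide(host, path="/"):
    """Decision for a constructed request: returns (action, deciding rule)."""
    return evaluate([ALLOW_HOST_RULE, DEMO_PATH_BLOCK_RULE],
                    {"headers": {"Host": host}, "path": path})
```

Two cases worth noting: a Host header that carries a port (solutions.example.co.in:8443) does not satisfy EXACTLY and falls to the default Block, and because Allow is a terminating action, a request with a valid Host never reaches rules placed after the Host rule, so managed rule groups behind it only ever inspect traffic that the Host rule did not allow.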

🎯 Expected Outcome

  • Bots and scanners hitting the ALB via IP or AWS-assigned DNS are blocked at the WAF layer.
  • Only legitimate traffic using solutions.example.co.in is processed.
  • CloudWatch 4XX error alarms show reduced false positives from bot noise.