AWS ELB keeps showing private IP in Location header on redirect

Question

We are running a simple Rails 4.0 app (on Ubuntu 14.04) with config.force_ssl = true. SSL is uploaded to our ELB and both 443 and 80 ports on ELB forward to 80 on the servers.

We keep failing our PCI scan because with HTTP/1.0 the private IP of the ELB shows up in Location header. Any ides on how to fix this? I have researched this extensively for days and really stuck now.

$ telnet app.ourwebsite.com 80
GET / HTTP/1.0

HTTP/1.1 301 Moved Permanently
...
*Location: https://172.31.26.236/*
Server: nginx/1.6.2 + Phusion Passenger 4.0.57
Set-Cookie: AWSELB=...

Answer 1

The reason why it's failing PCI compliance is because the test being used, nessus plugin 10759 , uses HTTP 1.0 and doesn't send a host header, and the AWS ELB crafts its own host header when it connects to your instance and for whatever reason sets it to the internal IP of the load balancer.

Here's a capture of such a request using Apache's mod_forensics. Note the host header, which is set to the internal IP of the load balancer:

+11143:551306af:1|GET / HTTP/1.1|host:10.3.2.57|X-Forwarded-For: REDACTED |X-Forwarded-Port:443|X-Forwarded-Proto:https|Connection:keep-alive

This is how the request was made (on *nix using bash):

(echo -ne "GET / HTTP/1.0\r\n\r\n"; sleep 2) | openssl s_client -connect 1.2.3.4:443

Where 1.2.3.4 is the IP address of your ELB. You must craft the request like this because the ELB won't accept \\n\\n directly typed into openssl.

Note that the only header sent here was GET .

My site was failing a PCI scan, which lead me here, so I felt this needed further explanation.

Answer 2

It sounds like your ELB is receiving https and then forwarding on http. So your Rails server doesn't need to worry about SSL, since the only thing it's communicating with is the ELB.

(This is how we have it set up also.)

So you can remove config.force_ssl = true from your Rails server and make your ELB require SSL.