I have an EC2 instance behind an AWS Application Load Balancer, running Apache 2.4.
The health check is configured to do a GET on /health/.
I have virtual hosts configured, and two vhost entries – one with the servername, and one to handle incoming requests directly to the IP address. aaa_first should be loaded first, and therefore be the default.
However, when I go directly to the public IP of the instance, I get the default Apache welcome page, and the health check gets a 403:
"GET /health/ HTTP/1.1" 403 199 "-" "ELB-HealthChecker/2.0"
aaa_first.conf contains:
<VirtualHost *:80>
    ServerName aaa
    <Location /var/www/html>
        Require all denied
    </Location>
    <Location /var/www/html/health>
        Require ip 10.151.0.0/20
        Require all denied
    </Location>
    CustomLog logs/0000_access.log combined-elb-host
</VirtualHost>
default.conf contains:
<VirtualHost *:80>
    ServerName host.example.com
    DocumentRoot /var/www/html
    DirectoryIndex index.html
    ErrorLog logs/error.log
    CustomLog logs/access.log combined-elb-host
    <Directory "/var/www/html">
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
What do I need to ensure that requests to the IP are blocked, except for the health checks coming from the ELB?
Best Answer
Change <Location /var/www/html/health> to <Location /health>. Location matches against URL, not filesystem paths. From the docs:
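An added example, not part of the original answer: aaa_first.conf rewritten so that both Location sections use URL paths. The subnet and log settings are the ones from the question; the DocumentRoot line and the catch-all `<Location "/">` are assumptions about what the default vhost is meant to do.

```apache
# aaa_first.conf: loaded first, so it is the default vhost for *:80 and
# receives requests whose Host header matches no other ServerName
# (for example, requests made straight to the instance IP).
<VirtualHost *:80>
    ServerName aaa

    # Assumption: serve /health/ from the same tree as default.conf.
    DocumentRoot /var/www/html

    # <Location> takes a URL path. "/" covers every request to this vhost,
    # which is what <Location /var/www/html> was trying to express.
    <Location "/">
        Require all denied
    </Location>

    # Location sections are applied in the order they appear, and with the
    # default "AuthMerging Off" this later section replaces the deny above
    # for /health and everything below it. Only the ELB subnet is allowed.
    <Location "/health">
        Require ip 10.151.0.0/20
    </Location>

    CustomLog logs/0000_access.log combined-elb-host
</VirtualHost>
```

`apachectl configtest` validates the syntax, and `apachectl -S` prints the parsed vhost list so you can confirm that this file is the default server for port 80.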