19

I am trying to deploy a simple web application written using Play Framework in Scala to Amazon Web Services.

The web application is running OK in development mode and production mode on my local machine, and I've changed its default port to 80.

I used Boxfuse to deploy to AWS as suggested.

I first ran `sbt dist`, then `boxfuse run -env=prod`.

Things went well as desired. The image is fused and pushed to AWS. AMI is created. Instance was started and my application was running.

```
i-0f696ff22df4a2b71 => 2017-07-13 01:28:23.940 [info] play.api.Play - Application started (Prod)
```

Then came the error message:

```
WARNING: Healthcheck (http://35.156.38.90/) returned 400 instead of 200. Retrying for the next 300 seconds ...
i-0f696ff22df4a2b71 => 2017-07-13 01:28:24.977 [info] p.c.s.AkkaHttpServer - Listening for HTTP on /0.0.0.0:80
i-0f696ff22df4a2b71 => 2017-07-13 01:28:25.512 [warn] p.f.h.AllowedHostsFilter - Host not allowed: 35.156.38.90
```

The instance was terminated after repeated tries, after 3 minutes. It gave a warning like:

Ensure your application responds with an HTTP 200 at / on port 80

But I've made sure the application responds on my local machine, and I tried both Windows and Ubuntu; all works well.

Also, running `boxfuse run` on my local machine, I can connect to it using `http://localhost`, but I still have the error.

Hope someone with experience can give me some suggestions. Thanks in advance.

PS: not sure if relevant, but I added these settings to application.conf:

```
http {
  address = 0.0.0.0
  port = 80
}
```

Haijin

2 Answers

36

Judging from the error message, it looks like the problem might be related to `play.filters.hosts.allowed` not being set up in application.conf. The filter lets you configure which hosts can access your application. More details about the Play filter are available here.

Here's a configuration example:

```
play.filters.hosts {
  allowed = ["."]
}
```

Note that `allowed = ["."]` matches all hosts, hence would not be recommended in a production environment.

Leo C
  • (+1) Is this secure? – coolboyjules May 01 '18 at 19:53
  • (+1) Certainly not a cure-all security solution, but host access filtering measures like this do help secure against attacks such as web [cache poisoning attacks](http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html). – Leo C May 01 '18 at 20:13
  • Thanks. I ask this because I see this in the Play documentation: "You can use the . pattern to match all hosts (not recommended in production). Note that the filter also strips the dot character from the end of the host, so the example.com pattern will match example.com." I have a feeling this is tough in an Elastic Beanstalk environment since it's not always clear what the host is... – coolboyjules May 01 '18 at 20:27
  • I see. Thanks for pointing it out. `allowed = ["."]` was meant to be a simple (and lazy) configuration to address OP's access problem. It's definitely worth noting that such a configuration should be avoided in a production environment. Answer updated. – Leo C May 01 '18 at 20:43
  • So ideally, the filter should have the entry "35.156.38.90"? Or a URL? – Manu Chadha Jul 03 '20 at 12:32
  • @Manu Chadha, yes. Examples for specific host(s) can be found in [Play's doc](https://www.playframework.com/documentation/latest/AllowedHostsFilter). – Leo C Jul 04 '20 at 21:53

24

As stated in the Boxfuse Play Documentation:

If your application uses the allowed hosts filter you must ensure `play.filters.hosts.allowed` in application.conf allows connections from anywhere as this filter otherwise causes ELB healthchecks to fail. For example:

```
play.filters.hosts {
  allowed = ["."]
}
```

More info in the official Play documentation.

Axel Fontaine
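
To see what the `"."` pattern from both answers accepts compared with a scoped list, here is an added example (not Play's code and not from either answer) that models the matching rules described in Play's AllowedHostsFilter documentation: `"."` matches everything, a leading dot matches a domain and its subdomains, a trailing dot on the host is stripped, and a port in the pattern must match. `example.com`, `unrelated.invalid` and the `SCOPED` list are constructed for illustration.

```python
# Simplified model of the host matching that Play's documentation describes for
# play.filters.hosts.allowed. Assumption: this is not Play's implementation.

def split_host_port(value):
    """Split 'host[:port]'; lower-case it and strip one trailing dot from the host."""
    value = value.strip().lower()
    host, sep, port = value.rpartition(":")
    # Only treat the suffix as a port for 'name:port' or '[ipv6]:port'.
    if not (sep and port.isdigit() and (":" not in host or host.endswith("]"))):
        host, port = value, None
    if host.endswith(".") and host != ".":
        host = host[:-1]
    return host, port

def matches(pattern, host_header):
    """True if one allowed-hosts pattern accepts the given Host header value."""
    p_host, p_port = split_host_port(pattern)
    h_host, h_port = split_host_port(host_header)
    if p_port is not None and p_port != h_port:
        return False                      # pattern pins a port, request differs
    if p_host == ".":
        return True                       # "." accepts every Host header
    if p_host.startswith("."):            # ".example.com": the domain and its subdomains
        return h_host == p_host[1:] or h_host.endswith(p_host)
    return h_host == p_host               # exact host match

def audit(allowed, host_headers):
    """Map each Host header to the first pattern that accepts it (None = rejected)."""
    return {h: next((p for p in allowed if matches(p, h)), None) for h in host_headers}

# Constructed sample Host headers; 35.156.38.90 is the health-check target from the question.
SAMPLE_HOSTS = ["35.156.38.90", "www.example.com.", "example.com:80",
                "example.com.unrelated.invalid", "unrelated.invalid"]
MATCH_ALL = ["."]                                  # setting from the answers
SCOPED = [".example.com", "35.156.38.90"]          # hypothetical scoped list

if __name__ == "__main__":
    for name, allowed in (("match-all", MATCH_ALL), ("scoped", SCOPED)):
        print(name, allowed)
        for host, pattern in audit(allowed, SAMPLE_HOSTS).items():
            print(f"  {host:32} -> {'allowed by ' + repr(pattern) if pattern else 'rejected'}")
```

With the IP entry left out of the scoped list, the health check's `Host: 35.156.38.90` is rejected, which corresponds to the `Host not allowed` warning and the 400 in the question.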