I have deployed a redis container using Amazon ECS, behind an application load balancer. It seems the health checks are failing, though the container is running and ready to accept connections. It seems to be failing because the health check is HTTP, and redis of course isn't an http server.

# Possible SECURITY ATTACK detected. It looks like somebody is sending 
POST or Host: commands to Redis. This is likely due to an attacker 
attempting to use Cross Protocol Scripting to compromise your Redis 
instance. Connection aborted.

Fair enough.

Classic load balancers I figure would be fine since I can explicitly ping TCP. Is it feasible to use redis with ALB?

bluescores
  • Can you explain a bit more about why you want to run Redis behind a load balancer? Generally, if you are balancing among a set of Redis nodes, you would do this in the Redis client rather than a load balancer in this case. – Andy Shinn Oct 22 '17 at 16:21
  • @AndyShinn I don't need the load balancing, but I want a static point to access the redis instance so I can pass that to the web app configuration. A load balancer dns accomplishes this. Dynamic port mapping would be very nice for deploying several non-production redis instances in a single cluster. – bluescores Oct 24 '17 at 16:13
  • How did you resolve this, @bluescores? – San Dec 07 '20 at 15:07
  • @San This was years ago, I couldn't tell ya! Having grown my knowledge though, ALBs are Layer 7 load balancers, meaning they deal with HTTP/HTTPS only. A network load balancer operates at Layer 4 (TCP) and could probably be placed in front of Redis like I was trying to do. The NLB, being layer 4, is contextless, it just routes TCP traffic without evaluating or inspecting the packets. You can also use TCP (or HTTP/HTTPS) for the health check protocol with an NLB, which should succeed as RESP uses TCP client/server connections. – bluescores Jan 06 '21 at 20:45

3 Answers

Change your health check to protocol HTTPS. All Amazon Load Balancers support this. The closer your health check is to what the user accesses the better. Checking an HTML page is better than a TCP check. Checking a page that requires backend services to respond is better. TCP will sometimes succeed even if your web server is not serving pages.

John Hanley
Deploy your container with nginx installed and direct the health check to the port nginx is handling.

gsb22
I encountered a similar problem recently: My Redis container was up and working correctly, but the # Possible SECURITY ATTACK detected message appeared in the logs once every minute. The healthcheck was curl -fs http://localhost:6379 || exit 1; this was rejected by the Redis code (search for "SECURITY ATTACK").

My solution was to use a non-CURL healthcheck: redis-cli ping || exit 1 (taken from this post). The healthcheck status shows "healthy", and the logs are clean.

I know the solution above will not be sufficient for all parties, but hopefully it is useful in forming your own solution.

Pred
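Added example (not from the question or any of the answers): a constructed, in-process stand-in for Redis that mimics the behaviour the answers describe, so you can see why an HTTP probe trips the cross-protocol guard while a RESP PING (what redis-cli ping sends) succeeds. The server, port and abbreviated error text are assumptions for the demo; only the "Host:"/"POST" trigger and the "+PONG" reply reflect real Redis behaviour.

```python
import socket
import threading

RESP_PING = b"*1\r\n$4\r\nPING\r\n"                              # what `redis-cli ping` sends
HTTP_PROBE = b"GET / HTTP/1.1\r\nHost: localhost:6379\r\n\r\n"    # what curl / an HTTP checker sends
SECURITY_MSG = b"-ERR Possible SECURITY ATTACK detected. Connection aborted.\r\n"  # abbreviated

def _handle(conn):
    # Constructed stand-in for Redis: answers a RESP PING, aborts on HTTP-looking lines.
    with conn:
        data = conn.recv(4096)
        if data == RESP_PING:
            conn.sendall(b"+PONG\r\n")
            return
        # Redis parses unknown traffic as inline commands, one per line; a command
        # named POST or Host: (case-insensitive) triggers the cross-protocol guard.
        for line in data.split(b"\r\n"):
            word = line.split(None, 1)[0].lower() if line.strip() else b""
            if word in (b"post", b"host:"):
                conn.sendall(SECURITY_MSG)
                return
        conn.sendall(b"-ERR unknown command\r\n")

def start_fake_redis():
    # Start the stand-in on a random loopback port and return that port.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]

def probe(port, payload):
    # Send one payload over TCP and return the raw reply bytes.
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        s.sendall(payload)
        return s.recv(4096)

def redis_healthy(port):
    # RESP-level check equivalent to `redis-cli ping || exit 1`.
    return probe(port, RESP_PING) == b"+PONG\r\n"

def http_check_result(port):
    # Raw reply an HTTP health checker gets back from the stand-in.
    return probe(port, HTTP_PROBE)
```

Run redis_healthy(start_fake_redis()) to see the RESP check pass, and http_check_result(...) to see the aborted connection an HTTP checker would report as unhealthy.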