I'm using AWS WAF v2 and an ALB for geoblocking. The setup is done and it can block the specific country, but is it possible to change the 403 error page on AWS WAF v2? Currently it's plain text in the middle of the page saying "403 Forbidden". Thank you
3 Answers
Yes, it is possible to do this using Lambda@Edge. Lambda@Edge is an extension of AWS Lambda, a compute service that lets you execute functions that customize the content that CloudFront delivers. You can author Node.js or Python functions in one Region, US-East-1 (N. Virginia), and then execute them in AWS locations globally that are closer to the viewer, without provisioning or managing servers.
Take a look at: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-examples.html#lambda-examples-update-error-status-examples
The example "Using an Origin-Response Trigger to Update the Error Status Code to 302-Found" from the link above is exactly what you want to set up to redirect your 403 errors coming from the CloudFront origin to a custom/different webpage.
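The origin-response trigger described in this answer, written out as an added example (this is not the code from the linked AWS page). It assumes the custom page lives at `/blocked.html` on the origin, turns any 403 the origin returns into a 302 to that page, and passes everything else through. Two details a practitioner wants that the AWS sample does not show: a request for the error page itself is never redirected (so a 403 on that path cannot loop), and the redirect carries `Cache-Control: no-store` so the edge does not cache one viewer's block decision for others.

```python
"""Lambda@Edge origin-response handler: rewrite an origin 403 into a 302.

Added example; ERROR_PAGE_PATH is an assumed location of the custom page.
"""
import json

ERROR_PAGE_PATH = "/blocked.html"  # assumption: custom page served by the origin


def handler(event, context=None):
    """Origin-response trigger entry point.

    Lambda@Edge passes status codes as strings and headers as a dict of
    lowercase names mapped to lists of {"key", "value"} pairs.
    """
    cf = event["Records"][0]["cf"]
    request = cf["request"]
    response = cf["response"]

    # Pass through anything that is not a 403, and never redirect the error
    # page itself, otherwise a 403 on that path would redirect forever.
    if response["status"] != "403" or request["uri"] == ERROR_PAGE_PATH:
        return response

    response["status"] = "302"
    response["statusDescription"] = "Found"
    response["headers"]["location"] = [{"key": "Location", "value": ERROR_PAGE_PATH}]
    # A block decision is per viewer; do not let the edge cache the redirect.
    response["headers"]["cache-control"] = [{"key": "Cache-Control", "value": "no-store"}]
    # Drop the origin's "403 Forbidden" text so it does not travel with the redirect.
    response["body"] = ""
    return response


def make_event(uri, status):
    """Constructed origin-response event for local testing (not a real capture)."""
    return {"Records": [{"cf": {
        "request": {"uri": uri, "method": "GET", "headers": {}},
        "response": {
            "status": status,
            "statusDescription": "Forbidden" if status == "403" else "OK",
            "headers": {"content-type": [{"key": "Content-Type", "value": "text/plain"}]},
            "body": "403 Forbidden" if status == "403" else "hello",
        },
    }}]}


if __name__ == "__main__":
    print(json.dumps(handler(make_event("/index.html", "403")), indent=2))
```

Deploy it as an origin-response association on the cache behaviour that fronts the ALB; because the trigger fires only on origin responses, it also does not run for objects served from the CloudFront cache.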
Unfortunately, there is no way to do this with just WAF and ALB.
If you were to add CloudFront in front (which also supports WAF), you could make use of CloudFront's custom error pages to display a nicer response to the user.
- Hi Chris, thanks for your reply. Just to confirm: will there be 2 WAF settings, the first for CloudFront and the second for the ALB? – Alex Chandra Jul 13 '20 at 08:39
- You would either move the WAF to your CloudFront distribution, or just add CloudFront in front. Bear in mind that any IP-based rules in your ALB will need to be updated if CloudFront is in front, to take advantage of using X-Forwarded-For. – Chris Williams Jul 13 '20 at 08:45
- Hi Chris, sorry, one more question. Currently I'm using the ALB based on subdomains, for example x1.abc.test.com, x2.abc.test.com, etc. Is it possible to use CloudFront with that ALB configuration? I've searched but couldn't find anything related to this; the only thing I can find is a CloudFront setup with an ELB (classic). So I'm stuck on configuring CloudFront and the ALB right now. Your help is much appreciated :) – Alex Chandra Jul 15 '20 at 01:44
- As long as everything is going to the same origin (the same ALB), you can choose multiple alternate domain names: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-procedures.html. This can be done during creation or afterwards. – Chris Williams Jul 15 '20 at 06:30
- Hi Chris, thanks for your help, it's finally working now. The main issue was related to the alternate domain name. Now I can move on to implementing X-Forwarded-For. Once again, thanks! – Alex Chandra Jul 15 '20 at 07:50
I know this question was asked over 3 years ago, but I wanted to post this answer so anyone searching on this topic can find it!
As of March 2021, WAFv2 supports a CustomResponse feature that can be used to return a different HTTP code instead of the standard 403. It also allows sending a custom response body.
https://aws.amazon.com/about-aws/whats-new/2021/03/aws-waf-adds-support-custom-responses/
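What a geo-block rule with the CustomResponse feature from this answer looks like in practice, as an added example (not code from AWS or the announcement above). It builds the two pieces the WAFv2 API needs: the web ACL-level `CustomResponseBodies` store and a rule whose Block action references a body by key, so the blocked viewer gets an HTML page with the chosen status instead of the plain "403 Forbidden". It also covers the X-Forwarded-For point from the comments on the previous answer: when CloudFront sits in front of the ALB, the connecting address is CloudFront's, so the country match must use `ForwardedIPConfig`. The rule name, country codes, page content, and ACL identifiers are constructed placeholders; the 4 KB body limit is the WAF limit per custom response body.

```python
"""Build a WAFv2 rule that geo-blocks with a custom response body.

Added example; names, country codes, page content and ACL ids are constructed.
"""
import json

BODY_KEY = "geo-block-page"
MAX_BODY_BYTES = 4096  # WAF limit per custom response body (4 KB)


def body_fits(html):
    """True if the body is within the WAF size limit for a custom body."""
    return len(html.encode("utf-8")) <= MAX_BODY_BYTES


def custom_response_bodies(html):
    """Web ACL-level body store; rule actions refer to entries here by key."""
    if not body_fits(html):
        raise ValueError("custom response body exceeds %d bytes" % MAX_BODY_BYTES)
    return {BODY_KEY: {"ContentType": "TEXT_HTML", "Content": html}}


def geo_block_rule(country_codes, response_code=403, priority=0, behind_cloudfront=False):
    """Rule blocking the given countries and answering with the stored body.

    With CloudFront in front of the ALB, the source IP WAF sees is CloudFront's,
    so the country lookup has to use the viewer IP carried in X-Forwarded-For.
    """
    if not 200 <= response_code <= 599:
        raise ValueError("response code must be a standard HTTP status")
    statement = {"CountryCodes": sorted(set(country_codes))}
    if behind_cloudfront:
        statement["ForwardedIPConfig"] = {
            "HeaderName": "X-Forwarded-For",
            # NO_MATCH: a request with no usable header is not treated as a blocked country.
            "FallbackBehavior": "NO_MATCH",
        }
    return {
        "Name": "GeoBlockCustomPage",
        "Priority": priority,
        "Statement": {"GeoMatchStatement": statement},
        "Action": {"Block": {"CustomResponse": {
            "ResponseCode": response_code,
            "CustomResponseBodyKey": BODY_KEY,
            # The block decision is per viewer; keep caches from storing the page.
            "ResponseHeaders": [{"Name": "Cache-Control", "Value": "no-store"}],
        }}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "GeoBlockCustomPage",
        },
    }


def apply_to_web_acl(name, acl_id, rule, bodies, scope="REGIONAL"):
    """Add or replace the rule on an existing web ACL via boto3.

    Network call; boto3 is imported here so the builders above run offline.
    Scope REGIONAL is for an ALB (client region must match the ALB's region);
    use CLOUDFRONT with a us-east-1 client for a distribution.
    """
    import boto3  # assumption: boto3 available where this is actually applied
    client = boto3.client("wafv2")
    current = client.get_web_acl(Name=name, Scope=scope, Id=acl_id)
    acl = current["WebACL"]
    rules = [r for r in acl["Rules"] if r["Name"] != rule["Name"]] + [rule]
    return client.update_web_acl(
        Name=name, Scope=scope, Id=acl_id,
        DefaultAction=acl["DefaultAction"],
        Rules=rules,
        VisibilityConfig=acl["VisibilityConfig"],
        LockToken=current["LockToken"],
        CustomResponseBodies=bodies,
    )


if __name__ == "__main__":
    page = "<html><body><h1>This service is not available in your region.</h1></body></html>"
    print(json.dumps(geo_block_rule(["XX"], behind_cloudfront=True), indent=2))
    print(json.dumps(custom_response_bodies(page), indent=2))
```

Trusting X-Forwarded-For is only sound when the ALB cannot be reached except through CloudFront (for example, by restricting the ALB's security group to the CloudFront prefix list), since a client that reaches the ALB directly can set that header to anything.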