How to block loadbalancer forwarding to a specific path?

I have set up ALB loadbalancer. I want to prevent forwarding request towards a specific path like not to go to mydomain.com/admin/

The current Listeners set up look like below:

 1     Arn                     IF Path is /service/   forward to tg1

 last  HTTP80:default action   IF Requests otherwise not routed  forward to tg1

So I want to allow traffic only towards path: /service/ (mydomain.com/service/) not /admin/

How I can prevent traffic to a specific path that comes towards loadbalancer?

Any help would be appreciated.


Create an empty target group. Call it whatever you like, e.g. blackhole. Select the correct VPC if you have more than one. The rest of the parameters for the new target group can be left at their default values. Don't assign any instances to the target group.

Create a rule for each listener on your ALB, IF path is /admin* THEN Forward to blackhole. Put this as high on the list as it needs to be.

Illustration from AWS console creating the rule described here

Since 100% of the 0 targets in the target group will always be unhealthy, the ALB will always fail to deliver the request to a back-end, and thus will throw an error when any request matching this path arrives. The wildcard * matches 0 or more characters, so everything under this path is effectively denied by this rule.

$ curl -v xxxx.us-west-2.elb.amazonaws.com/admin
* About to connect() to xxxx.us-west-2.elb.amazonaws.com port 80 (#0)
*   Trying x.x.x.x... connected
> GET /admin HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: xxxx.us-west-2.elb.amazonaws.com
> Accept: */*
>
< HTTP/1.1 503 Service Temporarily Unavailable
< Server: awselb/2.0
< Date: Thu, 10 Aug 2017 16:38:15 GMT
< Content-Type: text/html
< Content-Length: 178
< Connection: keep-alive
<
<html>
<head><title>503 Service Temporarily Unavailable</title></head>
<body bgcolor="white">
<center><h1>503 Service Temporarily Unavailable</h1></center>
</body>
</html>
* Connection #0 to host xxxx.us-west-2.elb.amazonaws.com left intact
* Closing connection #0

Granted, the error is not entirely truthful, since it's 503 Service Temporarily Unavailable rather than 403 Forbidden, but this does accomplish the purpose of blocking specific path patterns on ALB.


You could simply choose to return a fixed response of your choice instead of sending the request to an empty target group as @Michael - sqlbot suggested.

For more context here's the AWS announcement.

enter image description here