2.168.0

enum DesyncMitigationMode

LanguageType name
.NETAmazon.CDK.AWS.ElasticLoadBalancingV2.DesyncMitigationMode
Gogithub.com/aws/aws-cdk-go/awscdk/v2/awselasticloadbalancingv2#DesyncMitigationMode
Javasoftware.amazon.awscdk.services.elasticloadbalancingv2.DesyncMitigationMode
Pythonaws_cdk.aws_elasticloadbalancingv2.DesyncMitigationMode
TypeScript (source)aws-cdk-lib » aws_elasticloadbalancingv2 » DesyncMitigationMode

How the load balancer handles requests that might pose a security risk to your application.

See also: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#desync-mitigation-mode

Example

declare const vpc: ec2.Vpc;

const lb = new elbv2.ApplicationLoadBalancer(this, 'LB', {
  vpc,
  internetFacing: true,

  // Whether HTTP/2 is enabled
  http2Enabled: false,

  // The idle timeout value, in seconds
  idleTimeout: Duration.seconds(1000),

  // Whether HTTP headers with header fields thatare not valid
  // are removed by the load balancer (true), or routed to targets
  dropInvalidHeaderFields: true,

  // How the load balancer handles requests that might
  // pose a security risk to your application
  desyncMitigationMode: elbv2.DesyncMitigationMode.DEFENSIVE,

  // The type of IP addresses to use.
  ipAddressType: elbv2.IpAddressType.IPV4,

  // The duration of client keep-alive connections
  clientKeepAlive: Duration.seconds(500),

  // Whether cross-zone load balancing is enabled.
  crossZoneEnabled: true,

  // Whether the load balancer blocks traffic through the Internet Gateway (IGW).
  denyAllIgwTraffic: false,

  // Whether to preserve host header in the request to the target
  preserveHostHeader: true,

  // Whether to add the TLS information header to the request
  xAmznTlsVersionAndCipherSuiteHeaders: true,

  // Whether the X-Forwarded-For header should preserve the source port
  preserveXffClientPort: true,

  // The processing mode for X-Forwarded-For headers
  xffHeaderProcessingMode: elbv2.XffHeaderProcessingMode.APPEND,

  // Whether to allow a load balancer to route requests to targets if it is unable to forward the request to AWS WAF.
  wafFailOpen: true,
});

Members

NameDescription
MONITORAllows all traffic.
DEFENSIVEProvides durable mitigation against HTTP desync while maintaining the availability of your application.
STRICTESTReceives only requests that comply with RFC 7230.

MONITOR

Allows all traffic.

DEFENSIVE

Provides durable mitigation against HTTP desync while maintaining the availability of your application.

STRICTEST

Receives only requests that comply with RFC 7230.

PreviousNext