Search code examples
amazon-web-servicesnginxpassengeramazon-elb

How to avoid basic authentication for AWS ELB health-check with nginx configuration


I'm having a trouble trying to implement basic authentication for ELB healthcheck. I've searched quite a bit to figure out the nginx file configuration to avoid 401 error shown below, which ELB returns due to basic authentication

unhealthy in target-group hogehoge due to (reason Health checks failed with these codes: [401])

I've tried to modify nginx.conf so as to avoid it, but it doesn't work. The code below gives me [emerg] "server" directive is not allowed here error.

http {
    server {
        location / {
            if (!$http_x_forwarded_for) {
                auth_basic           'Please enter ID and password';
                auth_basic_user_file /usr/src/redmine/.htpasswd;
            }
        }
    }
}

How can I avoid 401 error by ELB healthcheck due to basic authentication?

Thanks for the help.


Solution

  • The easiest approach would be to create a location for the ELB, for example:

    location /elb-status {
      access_log off;
      return 200;
    }
    

    You will just need to change the Ping Path to be /elb-status

    If you want to see something on your browser while testing you may need to change the content-type since defaults to application/octet-stream and the browser will offer to save the file, so something like this should work:

    location /elb-status {
       access_log off;
       return 200 'your text goes here';
       add_header Content-Type text/plain;
    }
    

    If you would like to check against the user-agent something like this could be used:

    set $block 1;
    
    # Allow all the ELB health check agents.
    if ($http_user_agent ~* '^ELB-HealthChecker\/.*$') {
        set $block 0;
    }
    if (!$http_x_forwarded_for) {
        set $block 1
    }
    
    if ($block = 1) {
        auth_basic           'Please enter ID and password';
        auth_basic_user_file /usr/src/redmine/.htpasswd;
    }