Using Basic Auth with an HTTP load balancer

[Kevin Sookocheff VA]

Hi,

I'm trying to use a basic authenticated app behind an HTTP load balancer. I'm having trouble configuring the health checks to find healthy instances on the basic auth service. As a workaround I authorized the specific health check ip addresses to not use basic auth but now the global forwarding rule also redirects through the same ip range as the health checks so anyone hitting the global forwarding rule IP address can bypass the authentication.

What I want to happen is one of three things:

1. Allow health checks to my app to go through unauthorized but prevent any other access.

or

2. Allow setting of basic auth headers in health checks.

or

3. Allow health checks to run on a different (unsecured) port than the main application.

Is there any guidance on how to accomplish this?

Thanks,

Kevin

[Gary Ling]

Hi Kevin,

Currently the HTTP-based health check of both HTTP LB and Networking LB strictly expects a status-200 in the response in order for the backend to indicate its good health. You definitely can add a new port to your server which doesn't require any auth to satisfy the health check pings.

For Network LB, the health check ping comes from IP 169.254.169.254. And For HTTP LB, it comes from IP block: 130.211.0.0/22. If you see requests coming from this IP block with no X-forwarded-for header in the HTTP LB, then you know it's health check for HTTP LB. For more, read here for extra headers that HTTP LB adds to a request.

Hope it helps.

Gary Ling

Product Manager