@shinyaz

Network Firewall Proxy PreRequest rules work for HTTP even without TLS intercept

1 min read
#aws#network-firewall#networking#security

The Network Firewall Proxy docs say "Without TLS decryption, you can only filter based on IP in the pre-request phase." I assumed this meant no HTTP method filtering at all without TLS intercept.

Turns out, HTTP (non-TLS) POST requests are blocked even without TLS intercept.

Output
curl -X POST http://httpbin.org/post  → 403
curl -X POST https://httpbin.org/post → 403 (with TLS intercept)

The reason: HTTP clients send absolute-form requests (GET http://example.com/ HTTP/1.1) to the proxy, so the proxy can inspect request content directly. The docs statement only applies to HTTPS — HTTP headers are always visible to an explicit proxy.

See Network Firewall Proxy Hands-On — Enabling TLS Intercept with ACM PCA for details.

Share this post

Shinya Tahara

Shinya Tahara

Solutions Architect @ AWS

I'm a Solutions Architect at AWS, providing technical guidance primarily to financial industry customers. I share learnings about cloud architecture and AI/ML on this site.The views and opinions expressed on this site are my own and do not represent the official positions of my employer.

Read more