We have an issue implementing mTLS with CloudFront. We would like to route requests through CloudFront / WAF to the API Gateway custom origin using mTLS.
It looks like this use case is unsupported; I'm wondering if there are any good workarounds or any other options we could use? We want to use CloudFront with the WAF, since WAF is not supported on the HTTP gateway.
If you are trying to ensure that all requests go through CloudFront, you could inject a secret header and check it on the HTTP API with a Lambda authorizer.
https://aws.amazon.com/blogs/networking-and-content-delivery/restricting-access-http-api-gateway-lambda-authorizer/
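An added example (not from the thread or the linked post) of the Lambda authorizer side of that pattern for an HTTP API using the simple response format: CloudFront is assumed to add an origin custom header, here called `x-origin-verify` (an assumed name), and the authorizer compares it in constant time against the expected secret. The events and the secret value are constructed for illustration.

```python
import hmac
import os

# Assumed header name; CloudFront would be configured to add it as an
# origin custom header so that only requests via the distribution carry it.
SECRET_HEADER = "x-origin-verify"

# In a real deployment the secret comes from the function's configuration
# (e.g. an environment variable); the default here is a constructed value.
EXPECTED_SECRET = os.environ.get("ORIGIN_VERIFY_SECRET", "constructed-example-secret")


def extract_header(event, name):
    """Return a header value regardless of case.

    HTTP API payload v2.0 lower-cases header names, but matching
    case-insensitively also covers v1.0-style events.
    """
    headers = event.get("headers") or {}
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def is_request_from_cloudfront(event, expected=EXPECTED_SECRET):
    """True only if the secret header is present and matches exactly."""
    provided = extract_header(event, SECRET_HEADER)
    if provided is None:
        return False
    # Constant-time comparison so a wrong guess cannot be refined via timing.
    return hmac.compare_digest(provided.encode("utf-8"), expected.encode("utf-8"))


def handler(event, context):
    """Lambda authorizer entry point (HTTP API simple response format)."""
    return {"isAuthorized": is_request_from_cloudfront(event)}


# Constructed sample events, not captured from a real API.
GOOD_EVENT = {
    "version": "2.0",
    "headers": {"host": "api.example.com", "x-origin-verify": "constructed-example-secret"},
}
BAD_EVENT = {"version": "2.0", "headers": {"host": "api.example.com"}}

if __name__ == "__main__":
    print(handler(GOOD_EVENT, None))  # request that came through CloudFront
    print(handler(BAD_EVENT, None))   # direct request to the execute-api endpoint
```

Rotating the secret means updating both the CloudFront origin header and the authorizer's configured value; a wrong or missing header is simply denied, so watch the authorizer's deny count after a rotation.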
Can we use the two-way SSL feature with AWS API Gateway? We want to use API Gateway as a proxy for Kinesis in our real-time streaming application.
Below is my requirement:
The client makes a request to API Gateway, and API Gateway needs to put the data into Kinesis streams.
The only way to authenticate the clients is using two-way SSL; our clients don't support other options.
Currently an on-premise F5 load balancer does this work for us, and we have Tomcats running behind F5 placing data into Kinesis.
Will I be able to achieve the same using API Gateway? It looks like even AWS ELB does not seem to support this option.
I have taken a look at the link below, but this is about authenticating API Gateway to the server, not API Gateway authenticating the client.
https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
Regards
Kalyan
API Gateway can authenticate itself to your back-end with TLS, as you have found, but it does not work in the opposite direction -- it does not support authenticating clients with TLS.
I've configured a custom domain and certificate and hooked up the Cloud Functions API to my actions, and this works fine.
Endpoints work over both https and http.
But I'd like to enforce HTTPS only, something like "FORCE_HTTPS: true" in the static buildpack. Is there some way that I can do this?
You should get an X-Forwarded-Url header in the action itself that you could inspect to force HTTPS. Using that in conjunction with secure actions via the web_key annotation should make it enforceable.
In the future, the API Gateway may be able to enforce this for you via the configuration specified in the Open API doc.
Is there a way to use Basic authentication rather than AWS4-HMAC-SHA256 authentication with the AWS API Gateway Service? I need to support a system that only supports webhook calls with Basic Authentication.
You just need to modify the 401 Unauthorized response template so that it contains the WWW-Authenticate header set to 'Basic'. Apart from that, you'll need to create a custom authorizer that verifies that the provided credentials are correct. You can find more info here.
You can configure an API Gateway to support Basic auth, and API Gateway supports integrations with any AWS service.
Setting up Basic auth in API Gateway requires a few steps. Check this post and search down to BobK#AWS response: https://forums.aws.amazon.com/thread.jspa?messageID=799091&tstart=0
I've added a certificate with a custom domain name mapping in AWS API Gateway, but it allows HTTP automatically. How can I block plain HTTP and allow only HTTPS?
All API Gateway APIs are fronted by a CloudFront distribution. Each of these CloudFront distributions (whether it's a custom domain like yours or the default *.execute-api distribution) is configured to redirect all HTTP requests to HTTPS. Although CloudFront has the option to strictly require HTTPS and return 403 on HTTP requests, we currently don't expose this option, for simplicity.
If you feel you have a valid use case for requiring HTTPS without a redirect, please open a support ticket and the team can evaluate your request.
Let's consider this simple scenario for the AWS API Gateway.
I have a resource with a request path variable /numbers/{id} and two HTTP endpoints: http://odd.number.io and http://even.number.io.
How can I set up AWS API Gateway to route requests to one or the other endpoint depending on whether the id is an odd or an even number?
Is this possible?
That is not possible with API Gateway alone. You could proxy through a Lambda function where you can execute a logical decision, but API Gateway itself doesn't support this kind of logical rule.