two way SSL using AWS API Gateway - aws-api-gateway

Can we use the two-way SSL feature with AWS API Gateway? We want to use API Gateway as a proxy for Kinesis in our real-time streaming application.
Below is my requirement:
The client makes a request to API Gateway, and API Gateway needs to put the data into Kinesis streams.
The only way to authenticate the clients is using two-way SSL; our clients don't support other options.
Currently an on-premise F5 load balancer does this work for us, and we have Tomcats running behind F5 placing data into Kinesis.
Will I be able to achieve the same using API Gateway? It looks like even AWS ELB does not support this option.
I have taken a look at the link below, but this is to authenticate API Gateway at the server, not API Gateway authenticating the client.
https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
Regards
Kalyan

API Gateway can authenticate itself to your back-end with TLS, as you have found, but it does not work in the opposite direction -- it does not support authenticating clients with TLS.
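Given the answer above, the client-certificate check has to live on whatever terminates TLS in front of the backend (the role the F5 plays in the question). The following is an added example, not code from the question, the answer or AWS: a Python standard-library server context that requires a client certificate, plus an allow-list check on the verified peer certificate. The CA chain check only proves a certificate was issued by a trusted CA; the allow-list decides which issued identities may publish. The file paths are placeholders, `SAMPLE_PEER_CERT` is a constructed copy of what `SSLSocket.getpeercert()` returns, and `serve_one` is a hypothetical minimal listener.

```python
import socket
import ssl
from typing import Iterable, Optional

# Placeholder paths (hypothetical): supply your own CA bundle, server chain and key.
CA_BUNDLE = "/etc/pki/client-ca.pem"
SERVER_CHAIN = "/etc/pki/server.pem"
SERVER_KEY = "/etc/pki/server.key"


def build_mtls_server_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """Server-side context for two-way TLS: the handshake fails unless the client
    presents a certificate chaining to one of the CAs in ca_file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED          # CERT_OPTIONAL would let anonymous clients through
    ctx.load_verify_locations(cafile=ca_file)    # CAs allowed to issue client certificates
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def common_name(peer_cert: dict) -> Optional[str]:
    """Subject CN from a getpeercert() dict (subject is a tuple of RDN tuples)."""
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def san_dns_names(peer_cert: dict) -> list:
    """DNS entries from the subjectAltName of a getpeercert() dict."""
    return [value for kind, value in peer_cert.get("subjectAltName", ()) if kind == "DNS"]


def peer_allowed(peer_cert: dict, allowed: Iterable[str]) -> bool:
    """Authorisation step after the chain check: is any verified name on the allow-list?"""
    names = set(san_dns_names(peer_cert))
    cn = common_name(peer_cert)
    if cn:
        names.add(cn)
    return bool(names & set(allowed))


def serve_one(ctx: ssl.SSLContext, allowed: Iterable[str], host: str = "127.0.0.1", port: int = 8443):
    """Accept a single connection; the TLS accept() performs the handshake and
    rejects clients without a valid certificate before any HTTP is read."""
    with socket.create_server((host, port)) as srv, ctx.wrap_socket(srv, server_side=True) as tls:
        conn, _ = tls.accept()
        with conn:
            cert = conn.getpeercert()            # already chain-validated by CERT_REQUIRED
            if not peer_allowed(cert, allowed):
                conn.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
                return None
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
            return common_name(cert)


# Constructed example of a getpeercert() result after a successful mutual-TLS handshake.
SAMPLE_PEER_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "feed-client-01.example.com"),),
    ),
    "subjectAltName": (("DNS", "feed-client-01.example.com"),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    allowed_clients = {"feed-client-01.example.com"}
    print("sample peer allowed:", peer_allowed(SAMPLE_PEER_CERT, allowed_clients))
    ctx = build_mtls_server_context(CA_BUNDLE, SERVER_CHAIN, SERVER_KEY)
    print("served:", serve_one(ctx, allowed_clients))
```

Run against a client such as `curl --cert client.pem --key client.key --cacert server-ca.pem https://127.0.0.1:8443/`; a client that omits `--cert` fails during the handshake and never reaches the 403 path.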

Related

Is there any API gateway for kubernetes which rate-limits based on client-id in jwt?

I have a list of APIs running in Kubernetes behind a service (under different paths). Azure is our identity provider, and our clients are using the client-credentials OAuth2 flow to generate the OAuth token and send it to the API, where authorization checks take place. Each of our APIs needs a different SLA for each user. Hence I am looking to rate-limit the APIs per client-id that is encoded in the token (azp is the claim under which the client-id is present for Azure v2.0 tokens).
We are already using Envoy as the ingress gateway in our Kubernetes cluster, but that supports only global or per-IP rate-limiting. We also looked at nginx, but did not find much difference. ChatGPT suggested other gateways like Tyk and Apigee-edge, but they don't seem to have this functionality. The closest suggestion given was to use Kong gateway, which rate-limits based on consumer-groups (but I did not find anything in the Kong documentation about per OAuth client rate-limiting, or how a consumer can map to a client-id).
Does any API gateway support such rate-limiting feature?
You can extend nginx with Lua scripting. I've not used it for this specifically, but it occurs to me that you can run a Lua script to parse the JWT and then use the client-id as the zone key for the normal nginx rate-limiting feature.
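The approach in the answer above keys the rate-limit zone on a claim pulled out of the JWT. One detail matters for security: a key taken from an unverified claim is chosen by the caller, so the signature must be checked before `azp` is trusted, and tokens that fail verification should be rejected rather than dropped into a shared bucket. The following is an added example in Python, not the answer's Lua or any gateway plugin, that shows both steps stand-alone. Assumptions: an HS256 shared secret stands in for Azure's RS256 signing keys (in production, verify against the issuer's JWKS), `make_token` exists only to construct sample tokens, and the limiter is an in-memory sliding window per client-id.

```python
import base64
import hashlib
import hmac
import json
from collections import deque
from typing import Dict, Optional


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims only if the token is well-formed, HS256 and correctly signed."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":          # also rejects alg=none
            return None
        signed = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(secret, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        return claims if isinstance(claims, dict) else None
    except (ValueError, TypeError):               # bad base64, bad JSON, wrong part count
        return None


class SlidingWindowLimiter:
    """Allow at most `limit` requests per key in any trailing `window` seconds."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self._hits: Dict[str, deque] = {}

    def allow(self, key: str, now: float) -> bool:
        hits = self._hits.setdefault(key, deque())
        while hits and now - hits[0] >= self.window:
            hits.popleft()                        # drop timestamps outside the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def handle_request(token: str, limiter: SlidingWindowLimiter, secret: bytes, now: float) -> int:
    """Gateway decision as an HTTP status: 401 unverifiable, 429 over limit, 200 otherwise."""
    claims = verify_hs256(token, secret)
    if claims is None or "azp" not in claims or claims.get("exp", 0) <= now:
        return 401                                # never key a bucket on an untrusted identity
    return 200 if limiter.allow(claims["azp"], now) else 429


def make_token(claims: dict, secret: bytes) -> str:
    """Constructs a sample HS256 token for testing; not part of the gateway logic."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    limiter = SlidingWindowLimiter(limit=2, window_seconds=60)
    tok = make_token({"azp": "client-a", "exp": 4102444800}, secret)
    for t in (0.0, 1.0, 2.0):
        print(t, handle_request(tok, limiter, secret, 1_700_000_000.0 + t))
```

In nginx the same shape would be a Lua `access_by_lua` phase that sets an nginx variable to the verified `azp` and a `limit_req_zone` keyed on that variable; the verification and the "reject, don't share a bucket" rule carry over unchanged.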

AWS API Gateway HTTP Proxy for HTTPS connections

I cannot for the life of me get the AWS API Gateway HTTP Proxy to work, i.e. redirect http://<my-domain>.com to https://<my-domain>.com. Here is how I set it up:
Using the Test functionality on the ANY method inside the resource works. But if I simply do curl http://<my-domain>.com or run http://<my-domain>.com in Chrome, it fails to connect; https://<my-website>.com works just fine. I'm driving myself crazy trying to figure out what I'm missing here; it seems like it should just redirect http://<my-domain>.com to https://<my-domain>.com, but it doesn't (even on different devices).
So, it turns out that API Gateway's HTTP Proxy allows HTTPS traffic to go to an HTTP endpoint, but not the reverse. In fact, API Gateway won't even establish a connection on port 80; from the FAQ:
Q: Can I create HTTPS endpoints?
Yes, all of the APIs created with Amazon API Gateway expose HTTPS endpoints only. Amazon API Gateway does not support unencrypted (HTTP) endpoints.
API Gateway doesn't support unencrypted HTTP traffic. Here are the possible options to secure your website:
If you have access to the server that hosts the website, install an SSL certificate on the web server.
If the website is hosted on EC2, you can set up a load balancer and let it do the SSL termination.

SAML request authentication with Kong

We are using konghq as an API gateway for one of our customers, but we are very new to it and therefore don't know how to tackle this authentication issue.
We have to authenticate our services with a SAML token. Our microservices are behind Kong, which is running on an EC2. The authentication process should be an independent microservice which validates the token from the request and its contents against another system. Instead of a service it could also be some serverless function on a k8s cluster. We don't want to use a Lambda, to stay cloud agnostic.
We were previously using AWS API Gateway and Lambda authorizers to tackle the scenario. The authorizer validated the token and took care of the authentication process.
I searched all the Kong forums and Google but couldn't find a SAML plugin. The most similar is the JWT plugin, but it won't work for us.
Is there something similar in Kong, or is development on Kong involved? If yes, are there any existing plugins which are similar, or any related tutorials?
All help is greatly appreciated.
Thanks
Oldfighter

Why AWS API Gateway requires SNI?

Question
1. Is there a specific reason why API Gateway requires the HTTP/S client to support SNI?
2. Which AWS document clearly states the SNI requirement?
About Question 2
I believe SNI is an extension to TLS, and TLS version 1.2 does not require SNI support as far as I looked into the RFC. TLS 1.3 requires it as mandatory, but it looks like AWS API Gateway has not adopted 1.3 yet, as per the AWS document Supported SSL/TLS Protocols and Ciphers for Regional, Private, and WebSocket API Endpoints in API Gateway.
Hence, I suppose enforcing SNI, if AWS API Gateway actually does so, seems to be an AWS-specific requirement or limitation to be clearly noted, but so far I could not find the AWS documentation stating as such.
Hence I believe there should be AWS documentation which states the below, but please correct me if wrong.
- An HTTP/S client using API Gateway must support SNI.
- For an HTTP/S client that does not support SNI, use CloudFront (or other ways if available) and do not forward the HOST header.
References
Unable to invoke AWS API Gateway GET URL with GPRS connection
API Gateway requires a https connection with a client that support server name indicator (SNI)
How do you add CloudFront in front of API Gateway
You can indeed put CF dist in front of APIG, the trick is to force HTTPS only "Viewer Protocol Policy" AND to NOT forward the HOST header because APIG needs SNI.
As far as I know SNI is not required for the API Gateway; this is a configuration option, but not a requirement.
The documentation I once used to understand a similar scenario clearly states that SNI is an option, but a dedicated IP address can be used to support users that can't use a modern TLS client (browser) which supports SNI.
Server Name Indication (SNI) is one way to associate a request with a domain. Another way is to use a dedicated IP address. If you have users who can't upgrade to a browser or client released after 2010, you can use a dedicated IP address to serve HTTPS requests.
Per your question I will assume your API Gateway is configured to use SNI with CloudFront, as also described in the following API Gateway documentation:
API Gateway supports edge-optimized custom domain names by leveraging Server Name Indication (SNI) on the CloudFront distribution.

Secure Connector API endpoint not in VCAP_SERVICES?

I have created an API via the basic secure connector (SOAP). The API works, but I am wondering why I can't retrieve the endpoint URL from VCAP_SERVICES. Is there anything I missed here?
Are you using the secure connector portion of the Cloud Integration service in Bluemix? You might want to try the Secure Gateway service, which is newer and is basically just the secure connector as a standalone service without the rest of Cloud Integration.
"Reaching enterprise backend with Bluemix Secure Gateway via console" explains how to set up a Secure Gateway instance. When you create a destination, that creates an integration.ibmcloud.com URL that your app can then use to connect to your destination via the gateway. The gateway is a proxy, preserving the interface, so the cloud host URL has the same API as the destination host.