Is it possible to set a custom domain name for API Gateway and integrate it with a new CloudFront?

My API endpoint type is edge-optimized. I have a custom domain name for the API, like www.example.com, and I want to add a new CloudFront distribution in front of my API Gateway to block requests from specific countries.
How do I add a new CloudFront distribution in front of my API Gateway and keep the same domain name (www.example.com)? I am confused. Is it possible to do that?
Any advice will be appreciated.

Yes, it is possible to do that. You should follow these steps.
1. Create an origin for your API Gateway inside your CloudFront distribution. There you should enter the endpoint of your API Gateway as the origin domain name.
2. Then you need to create a behavior inside the CloudFront distribution which forwards requests that match a specific path pattern to your API Gateway. (Make sure that you set the Minimum TTL to 0, since we don't want to cache the API requests.)
See the following documentation for further reference:
Custom origins
Cache behaviors

invoke API gateway by its domain name

I have an API Gateway with custom domain names set up. It works fine if I visit the custom domain name, but if I visit the API Gateway domain name (https://xxxxx.execute-api.us-west-2.amazonaws.com) directly I just get:
{"message":"Forbidden"}
My understanding is that the custom domain name here is just like an alias to the original API Gateway domain name, just a prettier name for it, so I should be able to invoke the API Gateway by either of them?
API Gateway REST can be invoked in two different ways.
Directly, with the execute-api invoke URL suffixed by the stage name.
Example: https://ab11cde222.execute-api.us-east-1.amazonaws.com/dev, where ab11cde222 is the API ID and dev is the stage name.
Custom domain: adding a custom domain within API Gateway, an API mapping pointing to a particular stage, and a Route 53 A record entry in the hosted zone.
Since we can point the domain directly to a stage in API mappings, we don't have to suffix the stage name when we use the direct domain name.
There are many reasons why {"message":"Forbidden"} can occur, as listed here; every reason either points to a call of an invalid/non-existent API or to missing/invalid keys. Since the direct domain name is working fine, it seems like the missing stage name suffix is the most probable cause.

Set $default route in API gateway for REST APIs

I have some REST APIs my backend server listens for (I used Node Express).
I want to use my friendly URL api.mywebsite.com to forward all routes to horribleuglybackendname.aws.com, e.g.
api.mywebsite.com/some/route -> horribleuglybackendname.aws.com/some/route
I want to use API Gateway to simply forward any routes to my backend. If I create an HTTP API (not REST) this seems easy to do, but if I create a REST API I cannot see how to configure it. Perhaps you can't? If you can't, why not? What is the alternative?
Thanks
So it seems $default is for HTTP APIs only. The UI is different between HTTP and REST API configuration. If you want to do a catch-all route for REST APIs, you need to use {proxy+}.
This is good (Ctrl-F for "catch-all" and you should be set):
https://aws.amazon.com/blogs/aws/api-gateway-update-new-features-simplify-api-development/
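As an added example (not code from the post or from AWS), this is a Lambda proxy integration behind an ANY method on /{proxy+} that does the forwarding the answer describes, mapping api.mywebsite.com/some/route to horribleuglybackendname.aws.com/some/route. The hostnames come from the question; the function names are hypothetical, and the path is normalised so a caller cannot steer the proxy outside the backend's path space.

```python
import base64
import posixpath
import urllib.error
import urllib.request
from urllib.parse import quote, urlencode, urlsplit

BACKEND = "https://horribleuglybackendname.aws.com"  # from the question
# Hop-by-hop and gateway-added headers are not replayed to the backend.
DROP = {"host", "connection", "content-length", "transfer-encoding",
        "x-forwarded-for", "x-forwarded-port", "x-forwarded-proto"}


def build_backend_url(event):
    """Rebuild the upstream URL from the {proxy+} path parameter and the query."""
    raw = (event.get("pathParameters") or {}).get("proxy") or ""
    # normpath collapses "..", "." and doubled slashes against the root, so the
    # caller cannot steer the proxy outside the backend's path space.
    path = posixpath.normpath("/" + raw)
    url = BACKEND + quote(path, safe="/")
    query = event.get("multiValueQueryStringParameters") or {}
    if query:
        url += "?" + urlencode(query, doseq=True)
    if urlsplit(url).netloc != urlsplit(BACKEND).netloc:  # defensive invariant
        raise ValueError("proxy target escaped the configured backend host")
    return url


def handler(event, context=None):
    """Lambda entry point: forward method, headers and body; relay the reply."""
    headers = {k: v for k, v in (event.get("headers") or {}).items()
               if k.lower() not in DROP}
    body = event.get("body")
    if body is not None:
        body = base64.b64decode(body) if event.get("isBase64Encoded") else body.encode()
    req = urllib.request.Request(build_backend_url(event), data=body, headers=headers,
                                 method=event.get("httpMethod", "GET"))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, resp_headers, payload = resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:  # backend 4xx/5xx are relayed unchanged
        status, resp_headers, payload = err.code, err.headers, err.read()
    return {
        "statusCode": status,
        "headers": {k: v for k, v in resp_headers.items() if k.lower() not in DROP},
        "isBase64Encoded": True,  # safe for binary and text bodies alike
        "body": base64.b64encode(payload).decode(),
    }
```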

Istio: HTTP Authorization: verify user is the resource owner

Looking into using Istio to handle authorization for an application built on a microservices architecture in Kubernetes.
One thing we're looking to accomplish is to decouple the authorization of a service by utilizing Istio Authorization.
Our API Gateway (Kong) will handle the verification/parsing of the JWT tokens and pass along any required attributes (usernames, groups, roles, etc.) as headers, e.g. x-username: homer#somewhere.com (this abstracts that from the services).
What we want to accomplish is, along with verifying based on roles etc., to also ensure that the x-username is the owner of the resource, e.g. if they are accessing:
/user/{userID}/resource
That would mean that if userID matches the value of the x-username header we can continue serving the request; otherwise we'll send a 401, etc.
Is there a way to configure this as part of Istio Authorization?
Thanks in advance for your time
What you're looking for is attribute-based access control (ABAC). Look into authorization engines, e.g. Axiomatics, that plug straight into Kong and provide that level of access control (ownership check).
Kong authorization handler on GitHub
Technical webcast on the integration
You could also choose to call Axiomatics from Istio using an adapter based on Istio's authorization template.
Policies in Axiomatics are written using either XACML or ALFA, which are the two OASIS standards for ABAC / fine-grained authorization.
You could easily write a condition along the lines of:
    // Deny the request when the requesting user is not the resource owner.
    rule checkOwner {
        deny
        condition not(owner == user.uid)
    }
BTW, you probably want to send back a 403 rather than a 401. The latter refers to failed authentication.
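The ownership check the question asks for, written here as an added example (not code from the post, Axiomatics or Istio) in the form of a plain policy function that an external authorizer or the service itself could call. The header x-username and the path shape /user/{userID}/resource come from the question; x-roles is an assumed comma-separated header, and the 401/403 split follows the answer's point.

```python
import re
from http import HTTPStatus
from urllib.parse import unquote

# Any path whose first segment is /user/<id> is owned by <id> (shape from the question).
OWNED_PATH = re.compile(r"^/user/(?P<user_id>[^/]+)(?:/|$)")


def authorize(method, path, headers):
    """Return (status, reason): 401 = no identity, 403 = not the owner, 200 = allowed."""
    lower = {k.lower(): v for k, v in headers.items()}
    user = lower.get("x-username", "").strip()
    if not user:
        # No identity at all is an authentication failure, hence 401 (see the answer).
        return HTTPStatus.UNAUTHORIZED, "no authenticated identity"
    # x-roles is an assumed comma-separated header set by the gateway, like x-username.
    roles = {r.strip() for r in lower.get("x-roles", "").split(",") if r.strip()}
    match = OWNED_PATH.match(path)
    if match is None:
        return HTTPStatus.OK, "not an owner-scoped path; role checks alone apply"
    # Compare the percent-decoded segment so "homer%40example.com" equals "homer@example.com".
    owner = unquote(match.group("user_id"))
    if "admin" in roles:
        return HTTPStatus.OK, f"admin {method} on {owner}'s resource"
    if owner != user:
        # Authenticated but not entitled: an authorization failure, hence 403.
        return HTTPStatus.FORBIDDEN, f"{user} is not the owner of {owner}'s resource"
    return HTTPStatus.OK, f"{user} owns the resource"


if __name__ == "__main__":
    # Constructed sample requests exercising each outcome.
    samples = [
        ("GET", "/user/homer%40example.com/resource", {"x-username": "homer@example.com"}),
        ("GET", "/user/marge@example.com/resource", {"x-username": "homer@example.com"}),
        ("DELETE", "/user/marge@example.com/resource",
         {"x-username": "lisa@example.com", "x-roles": "admin"}),
        ("GET", "/user/marge@example.com/resource", {}),
        ("GET", "/healthz", {"x-username": "homer@example.com"}),
    ]
    for method, path, hdrs in samples:
        status, reason = authorize(method, path, hdrs)
        print(f"{status.value} {method} {path}: {reason}")
```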

503 Service Unavailable in Salesforce

My goal is to create a REST API integration from Salesforce to an SAP application.
SUCCESS through Chrome app
1. All I need to do is retrieve values from the SAP application through the REST API. When I tried the Chrome app 'Advanced REST Client' and passed the appropriate URL and content with the POST method, I was able to retrieve the values from the local server database.
For example: if I pass the request 92126, I get the response 'SAN DIEGO', which is correct.
Here is the link (https://chrome.google.com/webstore/detail/advanced-rest-client/hgmloofddffdnphfgcellkdfbfbjeloo?hl=en-US) for Advanced REST Client.
PROBLEM from Salesforce:
I had created a remote site setting.
When I created this REST class in Salesforce and tried invoking the endpoint, it threw this error:
System.HttpResponse[Status=Service Unavailable, StatusCode=503]
The web API URL provided to us is on a local SQL Server, i.e. hosted privately, and as we know, for making callouts from Salesforce the URLs must be public. But the URL is private for security reasons and is not hosted publicly. We need to achieve this; is there any way to do it? What change should be made in Salesforce or on the server so they can communicate with each other and allow the callout?
It is most likely that your endpoint does not allow access from outside some IP range, which you indicated by saying it's not public. Salesforce is a SaaS application hosted outside the domain that your service is on. In order for Salesforce to access that endpoint resource you need to whitelist the Salesforce IP ranges, which can be found here.
Whitelisting allows Salesforce to access the resource. The only caveat is that because Salesforce is multi-tenant, any instance of Salesforce in the range that you whitelist would have access to your endpoint. If this is not OK, you might want to add some sort of header to the call, or sign the request, that identifies your Salesforce instance uniquely from any other instance, to validate that the call originated from your Salesforce org.
(I am linking to the article instead of pasting the IP ranges here because these may change in the future.)
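One way to do the request signing the answer suggests, as an added example that is not code from the answer or from Salesforce: the org puts an HMAC over the method, path, org id, timestamp and body into the callout, and the private endpoint verifies it after the IP allowlist check. Header names, the org id value and the shared secret are constructed; the timestamp window bounds replay of a captured request.

```python
import hashlib
import hmac
import time

MAX_SKEW = 300  # seconds a timestamp stays valid; bounds replay of a captured request


def canonical(method, path, org_id, timestamp, body):
    """Bytes the signature covers: method, path, org id, timestamp and a body digest."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, org_id, str(timestamp), body_hash]).encode()


def sign_request(secret, method, path, org_id, body, timestamp=None):
    """Caller side: the headers the Salesforce callout adds (names are constructed)."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(secret, canonical(method, path, org_id, timestamp, body),
                   hashlib.sha256).hexdigest()
    return {"X-SF-Org-Id": org_id, "X-SF-Timestamp": str(timestamp),
            "X-SF-Signature": mac}


def verify_request(secrets_by_org, method, path, headers, body, now=None):
    """Endpoint side: (accepted, reason). Rejects unknown orgs, stale and forged calls."""
    now = time.time() if now is None else now
    org_id = headers.get("X-SF-Org-Id")
    secret = secrets_by_org.get(org_id)
    if secret is None:
        return False, "unknown or missing org id"
    try:
        timestamp = int(headers.get("X-SF-Timestamp", ""))
    except ValueError:
        return False, "missing or malformed timestamp"
    if abs(now - timestamp) > MAX_SKEW:
        return False, "timestamp outside the accepted window"
    expected = hmac.new(secret, canonical(method, path, org_id, timestamp, body),
                        hashlib.sha256).hexdigest()
    # compare_digest keeps the comparison time independent of where bytes differ.
    if not hmac.compare_digest(expected, headers.get("X-SF-Signature", "")):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    org = "ORG-ID-PLACEHOLDER"  # placeholder; the endpoint would hold one secret per real org id
    secrets = {org: b"constructed-shared-secret"}
    body = b'{"request": "92126"}'  # the lookup from the question
    hdrs = sign_request(secrets[org], "POST", "/api/lookup", org, body)
    print(verify_request(secrets, "POST", "/api/lookup", hdrs, body))
```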

AWS API Gateway: Is it possible to add source IP address in each API method?

I have created an API using AWS API Gateway. Now I want to log each request on each method of each resource. Also, I need the source IP address of the client accessing the route. How can I accomplish this without writing custom code in the API functions?
The default CloudWatch logs for your API should include all headers, including the X-Forwarded-For header, which will contain the source IP address. (See http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-stage-settings.html)
If you need custom logging, you will need to implement this in your Lambda functions. You could take advantage of something like Apex or Serverless and write some automation to manage your Lambda functions and share duplicate code.
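If the logging does end up in a Lambda function, the X-Forwarded-For header the answer points to needs care: a client can prepend arbitrary addresses to it. This added example (not code from the answer or AWS) recovers the client address from a REST API Lambda proxy event by walking the chain from the right and skipping proxies we operate; requestContext.identity.sourceIp and X-Forwarded-For are real event fields, while the proxy range and sample event are constructed.

```python
import ipaddress

# Proxies we run in front of API Gateway (constructed range). Anything to the left
# of them in X-Forwarded-For was supplied by the client and is reported, not trusted.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]


def _parse(addr):
    """Parse one address or return None for junk, so a malformed hop cannot crash logging."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def client_ip(event):
    """Return (client_ip, full_chain) for an API Gateway REST proxy event.

    API Gateway appends the peer it accepted the connection from to X-Forwarded-For
    and also exposes it as requestContext.identity.sourceIp; walking the chain from
    the right and skipping our own proxies yields the first address we did not add.
    """
    ctx = event.get("requestContext") or {}
    source = _parse((ctx.get("identity") or {}).get("sourceIp", ""))
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    hops = headers.get("x-forwarded-for", "").split(",")
    chain = [ip for ip in map(_parse, hops) if ip is not None]
    candidates = list(reversed(chain)) or ([source] if source else [])
    for ip in candidates:
        if not any(ip in net for net in TRUSTED_PROXIES):
            return str(ip), [str(c) for c in chain]
    return None, [str(c) for c in chain]  # every hop was one of our own proxies


if __name__ == "__main__":
    # Constructed event: the client prepended a fake hop (1.2.3.4); the real client
    # 203.0.113.9 connected through our proxy 198.51.100.7.
    event = {
        "requestContext": {"identity": {"sourceIp": "198.51.100.7"}},
        "headers": {"X-Forwarded-For": "1.2.3.4, 203.0.113.9, 198.51.100.7"},
    }
    print(client_ip(event))  # ('203.0.113.9', ['1.2.3.4', '203.0.113.9', '198.51.100.7'])
```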