I am trying to connect API Gateway to my API in Elastic Beanstalk. I want my API to be accessible only through API Gateway, and for this I use client-side SSL certificate authentication (for example, this AWS documentation page: http://docs.aws.amazon.com/es_es/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html). So my architecture is this:
API GATEWAY -> ELASTIC LOAD BALANCER -> EC2 (ELASTIC BEANSTALK)
My EC2 machine has NGINX and Ruby.
Connections work as follows:
API GATEWAY -> (port 80) -> ELASTIC LOAD BALANCER -> (port 443) -> NGINX -> RUBY
I am doing the client authentication in NGINX. When I access the Elastic Load Balancer from a browser, it shows "400 Bad Request - No required SSL certificate was sent" from NGINX (this is correct, because I do not send the certificate). But when I call it through API Gateway, which sends the client certificate, I get the same error (I don't understand why).
For the SSL configuration in NGINX I use certificates signed by myself (maybe this is the problem?).
Another possible cause of my problem is the port configuration of the Elastic Load Balancer (pictured). I have backend authentication disabled. Is this a problem?
[Image: ELB Port Configuration]
My nginx configuration:
upstream my_app {
    server unix:///var/run/puma/my_app.sock;
}

# Elastic Beanstalk's healthd access-log format.
log_format healthd '$msec"$uri"'
                   '$status"$request_time"$upstream_response_time"'
                   '$http_x_forwarded_for';

server {
    # The "ssl" parameter on listen enables TLS; a separate "ssl on;" is deprecated.
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name localhost;
    root /usr/share/nginx/html;

    # Server certificate (self-signed) and private key.
    ssl_certificate     /etc/nginx/ssl/dev.crt;
    ssl_certificate_key /etc/nginx/ssl/dev.key;

    # Trust anchor for client certificates: the API Gateway client certificate.
    ssl_client_certificate  /etc/nginx/ssl/api-gateway.pem;
    ssl_trusted_certificate /etc/nginx/ssl/api-gateway.pem;
    # "on": nginx itself answers 400 when no certificate is sent or verification fails.
    ssl_verify_client on;

    # SSLv3 is insecure (POODLE); only TLS versions are enabled.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # A single OpenSSL cipher string (3DES excluded as well).
    ssl_ciphers HIGH:!aNULL:!MD5:!3DES;
    ssl_prefer_server_ciphers on;

    # With ssl_verify_client on, NONE and FAILED never reach these checks; they
    # only matter if the directive is changed to "optional". nginx sets the
    # variable to "FAILED:<reason>", so match on the prefix, not the exact word.
    if ($ssl_client_verify ~ ^FAILED)  { return 495; }
    if ($ssl_client_verify = NONE)     { return 402; }
    if ($ssl_client_verify != SUCCESS) { return 403; }

    try_files $uri/index.html $uri @my_app;

    location @my_app {
        proxy_set_header Host             $host;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header Client-IP        $remote_addr;
        proxy_set_header X-Client-Verify  $ssl_client_verify;
        proxy_pass http://my_app;
    }
}
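As an added example (not part of the question above and not an AWS or Elastic Beanstalk sample), here is an nginx vhost for the same mutual-TLS gate written so that the verification result can be observed per request. It assumes: the certificate and key paths from the question; that the API Gateway client certificate downloaded from the console is stored at /etc/nginx/ssl/api-gateway.pem (it is self-signed, so that file is its own trust anchor); an assumed server_name and log path; and, most importantly, that the TLS stream from API Gateway reaches nginx untouched, i.e. an HTTPS integration endpoint and a load balancer in TCP passthrough mode (443 -> 443). API Gateway presents its client certificate only to HTTPS integrations, and a Classic ELB HTTP or HTTPS listener opens its own new connection to the backend, so under either of those hops nginx sees no client certificate at all and `$ssl_client_verify` is `NONE`.

```nginx
upstream my_app {
    server unix:///var/run/puma/my_app.sock;
}

# One line per request showing what the TLS layer saw (http context).
# verify="NONE" from the load balancer's address means the hop in front of
# nginx re-originated the connection; verify="FAILED:..." means the presented
# certificate does not match ssl_client_certificate (e.g. an expired or
# rotated API Gateway client certificate).
log_format mtls '$remote_addr "$request" $status '
                'verify="$ssl_client_verify" dn="$ssl_client_s_dn"';

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name api.example.internal;          # assumed hostname

    access_log /var/log/nginx/mtls.log mtls;    # assumed log path

    ssl_certificate     /etc/nginx/ssl/dev.crt;
    ssl_certificate_key /etc/nginx/ssl/dev.key;

    # The API Gateway client certificate is self-signed, so the file itself
    # is the trust anchor. "optional" lets the handshake complete without a
    # certificate so the result is logged and decided per location below;
    # switch to "on" once the path works to reject at the TLS layer instead.
    ssl_client_certificate /etc/nginx/ssl/api-gateway.pem;
    ssl_verify_client      optional;

    ssl_protocols TLSv1.2;
    ssl_ciphers   HIGH:!aNULL:!MD5:!3DES;
    ssl_prefer_server_ciphers on;

    # Load-balancer health checks present no client certificate; with
    # ssl_verify_client on they would get 400 and the instance would be
    # marked unhealthy. Keep one unauthenticated, bodiless endpoint for them.
    location = /healthz {
        access_log off;
        return 200;
    }

    location / {
        # $ssl_client_verify is SUCCESS, NONE, or FAILED:<reason>.
        if ($ssl_client_verify = NONE)     { return 496; }   # nginx: no client cert
        if ($ssl_client_verify ~ ^FAILED)  { return 495; }   # nginx: cert error
        if ($ssl_client_verify != SUCCESS) { return 403; }

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Client-Verify   $ssl_client_verify;
        proxy_set_header X-Client-DN       $ssl_client_s_dn;
        proxy_pass http://my_app;
    }
}
```

Reading /var/log/nginx/mtls.log after one request through API Gateway and one with curl --cert against the instance directly shows at which hop the certificate is lost: a `SUCCESS` from curl and a `NONE` from the gateway path points at the load balancer or at an `http://` integration, not at nginx.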