Connect Api Gateway with Elastic Beanstalk (SSL Certificate on the Client Side)

I am trying to connect Api Gateway with my api in Elastic Beanstalk. I want my api to be accessible only by Api Gateway, and for this I use client-side SSL certificate authorization (for example, this AWS publication: http://docs.aws.amazon.com/es_es/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html ). So my architecture is this:

API GATEWAY -> ELASTIC LOAD BALANCER -> EC2 (ELASTIC BEANSTALK)

My EC2 machine has NGINX and Ruby.

Connections work as follows:

API GATEWAY → (PORT 80) → ELASTIC LOAD BALANCER → (PORT 443) → NGINX → RUBY

I am authorizing a client in NGINX. When I access the elastic load balancer using a browser, it shows a 400 Bad Request NGINX error: the required SSL certificate was not sent (this is correct because I do not send the certificate). But when I contact Api Gateway and send the client certificate, I get the same error (I don't understand why).

When I set up an SSL connection in NGINX, I use SSL certificates signed by me (maybe this is a problem?)

Another possible cause of my problem is the port configuration in the Elastic Load Balancer (pictured). I have backend authentication disabled. Is this the problem? [Image: ELB port configuration]

My nginx configuration:

    upstream my_app {
        server unix:///var/run/puma/my_app.sock;
    }

    log_format healthd '$msec"$uri"'
                       '$status"$request_time"$upstream_response_time"'
                       '$http_x_forwarded_for';

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name localhost;
        root /usr/share/nginx/html;

        ssl on;
        ssl_certificate /etc/nginx/ssl/dev.crt;
        ssl_certificate_key /etc/nginx/ssl/dev.key;

        # CA used to verify the client certificate presented by API Gateway
        ssl_trusted_certificate /etc/nginx/ssl/api-gateway.pem;
        ssl_client_certificate /etc/nginx/ssl/api-gateway.pem;
        ssl_verify_client on;

        # SSLv3 is obsolete; modern OpenSSL builds ignore it anyway
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        # The original listed two alternatives joined by "or"; a cipher
        # string must be a single list, so only one is kept here
        ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
        ssl_prefer_server_ciphers on;

        # Reject requests whose client certificate is missing or did not verify
        if ($ssl_client_verify = FAILED) { return 495; }
        if ($ssl_client_verify = NONE) { return 402; }
        if ($ssl_client_verify != SUCCESS) { return 403; }

        try_files $uri/index.html $uri @my_app;

        location @my_app {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $server_name;
            proxy_set_header Client-IP $remote_addr;
            proxy_pass http://my_app;
            proxy_set_header X-Client-Verify $ssl_client_verify;
        }

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            # match the name of the upstream directive defined above
            proxy_pass http://my_app;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header gonzalo1 $ssl_client_verify;
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

1 answer

Amazon API Gateway does not support self-signed certificates for integration endpoints. Have you tried using a certificate from Amazon Certificate Manager or Let's Encrypt?

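An added check that illustrates the answer's point (this is not code from the post, AWS or nginx): it classifies a server certificate as self-signed or CA-issued with the openssl CLI, which is the same test you can run against the question's /etc/nginx/ssl/dev.crt. It assumes openssl is installed; every certificate it uses is constructed sample data generated into a temporary directory.

```shell
#!/bin/sh
# Added example: tell a self-signed server certificate (what the answer says
# API Gateway rejects on an integration endpoint) from one that chains to a
# CA. Assumes the openssl CLI is installed; all certificates are constructed
# sample data created below.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Returns 0 when issuer equals subject AND the certificate verifies against
# itself, i.e. it is self-signed.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] || return 1
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Returns 0 when certificate $1 chains to the CA bundle $2.
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed data: a throwaway private CA, a server certificate it signs,
# and a self-signed server certificate like the dev.crt in the question.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=elb.example.test" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/srv.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=elb.example.test" \
    -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null

# Report both certificates; point the same functions at dev.crt to check it.
for name in srv self; do
    if cert_is_self_signed "$WORK/$name.pem"; then
        echo "$name.pem: self-signed (not accepted as an API Gateway integration endpoint)"
    elif cert_chains_to "$WORK/$name.pem" "$WORK/ca.pem"; then
        echo "$name.pem: chains to $(openssl x509 -in "$WORK/ca.pem" -noout -subject)"
    fi
done
```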

Source: https://habr.com/ru/post/1014623/