Integrating AWS API Gateway with Cloud Front without exposing origin

╄→гoц情女王★ submitted on 2019-12-30 12:50:08

Question


I'm working on a project with a serverless architecture.

I've found that, though AWS says API Gateway can protect your resources from DDoS attacks, if there is a bad user who keeps sending spam to your service, API Gateway can't provide an appropriate way to handle this kind of issue.

So I started to figure out what I can do:

  • AWS WAF is an obvious solution.

I've found this post on Stack Overflow: API gateway with aws waf

Then, in order to set up WAF, I put a CloudFront distribution in front of the API Gateway.

I realized this might be a workaround solution, but is it?

Here's the issue I found:

  1. I have a CloudFront distribution; its domain name is cdn.net
  2. I set the origin to my API Gateway: https://sampleagigw.amazon.com, and set the origin path to its stage dev.
  3. When I call GET http://cdn.net/posts, it returns the result I expect.
  4. Then, if you put http://cdn.net/posts in the browser, it surprises you more than you expect: it also exposes the API Gateway's URL in the browser's URL bar: https://sampleagigw.amazon.com/dev/posts

It means all of the work with WAF and CloudFront is meaningless.

Is there anything I misunderstood?


Answer 1:


Check the "Viewer Protocol Policy" on your additional CloudFront distribution (cdn.net) and ensure that it is set to either "Redirect HTTP to HTTPS" or "HTTPS Only". Alternatively, you can edit your origin and set "Origin Protocol Policy" to "HTTPS Only".

If you have "Viewer Protocol Policy" set to "HTTP and HTTPS" and "Origin Protocol Policy" set to "Match Viewer", then I can see how you would get this result. You enter http://cdn.net/posts on browser, then the cdn.net distribution attempts to connect to http://sampleagigw.amazon.com (no https/tls/ssl). This goes to the CloudFront distribution created by API Gateway which is set to "Redirect HTTP to HTTPS". Since it got an HTTP request, it returns a 302 redirect to http://sampleagigw.amazon.com. This is returned by the cdn.net distribution to the browser. The browser then follows the 302 redirect, leaving the http://sampleagigw.amazon.com URL in the browser's URL bar.
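The policy combination the answer describes can be checked mechanically. The following is an added example, not code from the question or answer: it walks a CloudFront `DistributionConfig` (the shape returned by boto3's `get_distribution_config`) and flags every cache behavior whose viewer policy admits plain HTTP while its custom origin is reached with "Match Viewer". It also flags "HTTP Only" origins, a generalization of the answer's reasoning, since the origin is then always contacted over plain HTTP and an HTTPS-only origin will redirect. The sample configs below are constructed, reusing the origin hostname from the question.

```python
# Viewer policies that let a request reach CloudFront over plain HTTP, and
# origin policies that forward such a request to the origin over plain HTTP.
# Together they produce the 302 from the API Gateway endpoint that the
# browser follows, exposing the origin URL (the leak described in the answer).
LEAKY_VIEWER = {"allow-all"}                # "HTTP and HTTPS" in the console
LEAKY_ORIGIN = {"match-viewer", "http-only"}


def origin_policies(config):
    """Map origin Id -> OriginProtocolPolicy for custom (non-S3) origins."""
    out = {}
    for origin in config["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if custom:
            out[origin["Id"]] = custom["OriginProtocolPolicy"]
    return out


def find_origin_leaks(config):
    """Return [(path_pattern, viewer_policy, origin_policy)] for risky behaviors."""
    origins = origin_policies(config)
    behaviors = [("*", config["DefaultCacheBehavior"])]
    for b in config.get("CacheBehaviors", {}).get("Items", []):
        behaviors.append((b["PathPattern"], b))
    leaks = []
    for pattern, b in behaviors:
        viewer = b["ViewerProtocolPolicy"]
        origin = origins.get(b["TargetOriginId"])
        if viewer in LEAKY_VIEWER and origin in LEAKY_ORIGIN:
            leaks.append((pattern, viewer, origin))
    return leaks


def make_config(viewer_policy, origin_policy):
    """Constructed minimal DistributionConfig in the shape boto3 returns."""
    return {
        "Origins": {"Items": [{"Id": "apigw",
                               "DomainName": "sampleagigw.amazon.com",
                               "OriginPath": "/dev",
                               "CustomOriginConfig": {"OriginProtocolPolicy": origin_policy}}]},
        "DefaultCacheBehavior": {"TargetOriginId": "apigw",
                                 "ViewerProtocolPolicy": viewer_policy},
    }


WEAK = make_config("allow-all", "match-viewer")         # the setup in the question
FIXED = make_config("redirect-to-https", "https-only")  # the answer's fix

if __name__ == "__main__":
    print(find_origin_leaks(WEAK))   # [('*', 'allow-all', 'match-viewer')]
    print(find_origin_leaks(FIXED))  # []
```

Either one of the answer's two changes on its own clears the finding, which matches the answer: the leak needs both a permissive viewer policy and an origin policy that carries plain HTTP through to the origin.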



Source: https://stackoverflow.com/questions/38050191/integrating-aws-api-gateway-with-cloud-front-without-exposing-origin
