小贝子编程

使用Elastic Beanstalk的Api网关连接(客户端SSL证书)



我正在尝试将Api Gateway与我在Elastic Beanstalk中的Api连接起来。我希望我的api只能由api网关访问,为此我在后端使用客户端SSL证书授权(如以下aws发布链接:http://docs.aws.amazon.com/es_es/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html)。所以我的架构是这样的:

API网关->弹性负载平衡器->EC2(弹性梁)

我的EC2机器有NGINX和Ruby。

连接工作方式如下:

API网关->(80端口)->弹性负载平衡器->(443端口)->NGINX->RUBY

我正在NGINX中进行客户端身份验证。当我使用浏览器访问Elastic Load Balancer时,它显示400 Bad Request-NGINX错误:没有发送所需的SSL证书(这是正确的,因为我没有发送证书)。但当我使用Api网关访问并发送客户端证书时,我会收到同样的错误(我不明白为什么)。

当我在NGINX中配置SSL连接时,我使用的是我签名的SSL证书(也许这是问题所在?)

我的问题的另一个可能原因是弹性负载均衡器中的端口配置(如图所示)。我有后端身份验证:已禁用。这是个问题吗?Pictura端口配置ELB

我的nginx配置是:

upstream my_app {
server unix:///var/run/puma/my_app.sock;
}
log_format healthd '$msec"$uri"'
'$status"$request_time"$upstream_response_time"'
'$http_x_forwarded_for';
server {
listen       443 ssl;
listen       [::]:443 ssl;
server_name  localhost;
root         /usr/share/nginx/html;
ssl on;
ssl_certificate /etc/nginx/ssl/dev.crt;
ssl_certificate_key /etc/nginx/ssl/dev.key;
ssl_trusted_certificate /etc/nginx/ssl/api-gateway.pem;
ssl_client_certificate /etc/nginx/ssl/api-gateway.pem;
ssl_verify_client on;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
ssl_prefer_server_ciphers on;
if ($ssl_client_verify = FAILED) {
return 495;
}
if ($ssl_client_verify = NONE) {
return 402;
}
if ($ssl_client_verify != SUCCESS) {
return 403;
}
try_files $uri/index.html $uri @my_app;
location @my_app {
proxy_set_header  Host $host;
proxy_set_header  X-Real-IP $remote_addr;
proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header  X-Forwarded-Host $server_name;
proxy_set_header  Client-IP $remote_addr;
proxy_pass        http://my_app;
proxy_set_header X-Client-Verify $ssl_client_verify;
}
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
proxy_pass http://my_app; # match the name of upstream directive which is defined above
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header gonzalo1 $ssl_client_verify;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}

}

Amazon API网关不支持集成端点的自签名证书。您是否尝试过使用亚马逊证书管理器或Let's Encrypt的证书?

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium