Client-side SSL not working with AWS API Gateway

Question

I generated a client-side SSL Certificate on API Gateway and added it to my nginx configuration as below:

server {
    listen *:443;
    ssl on;
    server_name api.xxxx.com;
    ssl_certificate /etc/letsencrypt/live/api.xxxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.xxxx.com/privkey.pem;

    # require a client certificate and trust only the PEM cert exported from the API Gateway console
    ssl_verify_client on;
    ssl_client_certificate /etc/nginx/ssl/awsapigateway.crt;

    location /home/ubuntu/api {
        # if ($ssl_client_verify != SUCCESS) { return 403; }
        # proxy_pass http://my.http.public.endpoint.com;
        # proxy_set_header X-Client-Verify $ssl_client_verify;
    }
}

The client certificate doesn't work after testing via the AWS API gateway test console. It ends up with Error 400 - No required SSL certificate was sent. API Gateway should be sending its client cert to my server with each request, so that I can validate that requests are genuinely coming from API Gateway.

I believe the reason it is not working is I am adding the PEM-encoded public key from the AWS API gateway console directly to awsapigateway.crt. Is that correct?

Additionally, does nginx support self-signed client SSL certificates, which is what AWS is providing us?

Answer

Api Gateway team here.

It looks like the nginx configuration is correct. And for our simple test case we use a node server and simply write the PEM certificate from the console directly to the crt file that is set as the ca, or in this case the ssl_client_certificate.

I'd also test using the actual deployed API if for some reason the test function in the console has an issue. Make sure to use the Stage settings to specify the cert.
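Before retesting from the console or a deployed stage, it is worth confirming that the file nginx trusts is actually what the answer describes: the PEM certificate from the console, not a bare public key, and self-signed so that it can serve as its own trust anchor in `ssl_client_certificate`. The script below is an added example, not code from the asker or the API Gateway team; it assumes the path `/etc/nginx/ssl/awsapigateway.crt` from the question and that `openssl` is installed for the self-verification step.

```shell
#!/bin/sh
# Checks the file nginx points ssl_client_certificate at (the question's
# /etc/nginx/ssl/awsapigateway.crt is assumed; pass any path as $1).

# Returns 0 if the file holds a PEM certificate block; 1 if it holds a bare
# public key or no certificate at all. The console export must be the
# -----BEGIN CERTIFICATE----- block, which is what nginx loads as its CA list.
pem_is_certificate() {
    f="$1"
    [ -r "$f" ] || { echo "unreadable: $f" >&2; return 1; }
    if grep -q -- '-----BEGIN PUBLIC KEY-----' "$f"; then
        echo "$f is a public key, not a certificate; nginx needs the PEM certificate" >&2
        return 1
    fi
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f"
}

# Returns 0 if the certificate verifies against itself, i.e. it is self-signed
# and can act as its own trust anchor, which is how nginx treats the entries
# in ssl_client_certificate (depth 0, so the default ssl_verify_depth suffices).
cert_is_self_signed_anchor() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Combined check: PEM type first, then (when openssl is installed) self-verification
# plus a print of subject, issuer and expiry so a rotated console cert is noticed.
check_client_ca_file() {
    pem_is_certificate "$1" || return 1
    if command -v openssl >/dev/null 2>&1; then
        cert_is_self_signed_anchor "$1" || { echo "$1 does not verify against itself" >&2; return 1; }
        openssl x509 -in "$1" -noout -subject -issuer -enddate
    else
        echo "openssl not found; skipped self-signature check" >&2
    fi
    return 0
}

# Usage: check_client_ca_file /etc/nginx/ssl/awsapigateway.crt
```

Once the file checks out, `nginx -t` plus a request from the deployed stage with the certificate selected in the Stage settings is the end-to-end test; the private key never leaves API Gateway, so the handshake cannot be replayed locally with `openssl s_client`.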
