How to CNAME to Amazon API Gateway Endpoint


Problem description


I'm trying to set a CNAME on Cloudflare to point to an Amazon API Gateway endpoint. The CNAME is for use when referring to one of my subdomains. The gateway in turn points to the IP of a server on DigitalOcean. I am very new to Amazon web services and would appreciate it if someone could give me an overview of the correct configuration for the DNS, Amazon Gateway and Cloudfront (which I think is needed to expose the gateway to DNS servers external to Amazon). Any help would be much appreciated.

UPDATE


I've been going at this for a while now and not making much progress. Does anyone have an idea if this is a viable approach or how else it might be done?

UPDATE2


I thought I needed to add the CNAME record to Cloudflare and just ended up in a redirect loop, observed by:

curl -L -i -v https://sub.mydomain.com/


Recommended answer


There are several reasons why it doesn't work to simply point Cloudflare at your API Gateway domain and call it a day:



  • API Gateway uses shared hosting so it uses the domain name to figure out what API to send requests to. It has no way of knowing that api.yourdomain.com belongs to your API.
  • API Gateway requires that you use https, but the certificate that it uses is only valid for the default domain.


There is a solution, however. Here are the steps that I followed when I recently set this up:



  1. Generate an origin certificate from the crypto tab of the Cloudflare dashboard.
  2. Import the certificate to AWS Certificate Manager in the us-east-1 region, even if your API is located in a different region. If you are prompted for the certificate chain you can copy it from here.
  3. Add your custom domain in the API Gateway console and select the certificate you just added. Check the AWS support article for more information on how to do this.
  4. It usually takes about 45 minutes for the custom domain to finish initializing. Once it's done it will give you a new Cloudfront URL. Go ahead and make sure your API still works through this new URL.
  5. Go to the Cloudflare DNS tab and set up a CNAME record pointing to the Cloudfront URL you just created.
  6. Switch to the crypto tab and set your SSL mode to "Full (Strict)". If you skip this step you'll get a redirect loop.


That's it. Enjoy your new highly available API served from your custom domain!
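A way to confirm that the redirect loop reported in the question is gone after step 6, shown as an added example that is not part of the original answer: the function below reads the response headers that curl prints while following redirects and reports the first URL that is requested twice. The host `sub.mydomain.com` comes from the question, the header dumps are constructed samples, and only absolute `Location` values are handled.

```shell
#!/bin/sh
# Added example (not from the original answer). Feed it the headers from:
#   curl -sS -L --max-redirs 10 -D - -o /dev/null https://sub.mydomain.com/

# find_redirect_loop START_URL   (response headers on stdin)
# Prints the first URL that is requested a second time and returns 0.
# Returns 1 if the chain ends without revisiting any URL.
find_redirect_loop() {
    awk -v start="$1" '
        BEGIN { seen[start] = 1; loop = "" }
        { sub(/\r$/, "") }                  # header lines end in CRLF
        tolower($1) == "location:" {
            url = $2                        # assumption: absolute URL
            if ((url in seen) && loop == "") loop = url
            seen[url] = 1
        }
        END {
            if (loop != "") { print loop; exit 0 }
            exit 1
        }
    '
}

# Constructed sample: every hop redirects back to the URL just requested.
sample_loop_headers() {
    printf 'HTTP/1.1 301 Moved Permanently\r\n'
    printf 'Location: https://sub.mydomain.com/\r\n\r\n'
    printf 'HTTP/1.1 301 Moved Permanently\r\n'
    printf 'Location: https://sub.mydomain.com/\r\n\r\n'
}

# Constructed sample: the API answers directly, no redirect.
sample_ok_headers() {
    printf 'HTTP/2 200\r\n'
    printf 'content-type: application/json\r\n\r\n'
}

# Demo on the constructed samples.
if sample_loop_headers | find_redirect_loop "https://sub.mydomain.com/" >/dev/null; then
    echo "loop detected in first sample"
fi
if ! sample_ok_headers | find_redirect_loop "https://sub.mydomain.com/" >/dev/null; then
    echo "no loop in second sample"
fi
```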
