Integrating AWS API Gateway with Cloud Front without exposing origin


Question

I'm working on a project with serverless architecture.

I've found that, though AWS says API Gateway can protect your resources from DDoS attacks, if there is a bad user who keeps sending spam to your service, API Gateway can't provide an appropriate way to handle this kind of issue.

So I started to figure out what I can do:

  • AWS WAF is an obvious solution.

I found this post on Stack Overflow: API gateway with aws waf

Then, to set up WAF, I put a CloudFront distribution in front of the API Gateway.

I realized this might be a workaround solution, but is it?

Here is the issue I found:

  1. I have a CloudFront distribution whose domain name is cdn.net.

I set the origin path to my API Gateway: https://sampleagigw.amazon.com, and set the path to its stage dev.

When I call GET http://cdn.net/posts, it returns the result I expect.

Then if you put http://cdn.net/posts in a browser, it surprises you more than you expect: it also exposes the API Gateway's URL in the browser's URL bar: https://sampleagigw.amazon.com/dev/posts

It means all of the work with WAF and CloudFront is meaningless.

Is there something I misunderstood?

Accepted answer

Check the "Viewer Protocol Policy" on your additional CloudFront distribution (cdn.net) and ensure that it is set to either "Redirect HTTP to HTTPS" or "HTTPS Only". Alternatively, you can edit your origin and set "Origin Protocol Policy" to "HTTPS Only".

If you have "Viewer Protocol Policy" set to "HTTP and HTTPS" and "Origin Protocol Policy" set to "Match Viewer", then I can see how you would get this result. You enter http://cdn.net/posts in the browser, then the cdn.net distribution attempts to connect to http://sampleagigw.amazon.com (no https/tls/ssl). This goes to the CloudFront distribution created by API Gateway, which is set to "Redirect HTTP to HTTPS". Since it got an HTTP request, it returns a 302 redirect to http://sampleagigw.amazon.com. This is returned by the cdn.net distribution to the browser. The browser then follows the 302 redirect, leaving the http://sampleagigw.amazon.com URL in the browser's URL bar.
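The policy combination the answer describes, and the two settings it recommends, as an added example that is not code from the question or the answer: a small audit over the `DistributionConfig` dict that `aws cloudfront get-distribution-config` (or boto3's `get_distribution_config`) returns, flagging any cache behavior that can reach a custom origin over plain HTTP, plus a helper that rewrites the config the way the answer suggests. The sample config is constructed for this example (trimmed to the keys the audit reads) and the function names are my own; the policy key names and values are the ones the CloudFront API uses.

```python
import copy

# Values CloudFront accepts for the two settings under discussion.
VIEWER_POLICIES = {"allow-all", "redirect-to-https", "https-only"}
ORIGIN_POLICIES = {"http-only", "match-viewer", "https-only"}


def _behaviors(config):
    """Yield (label, behavior) for the default and any path-pattern cache behaviors."""
    yield "DefaultCacheBehavior", config["DefaultCacheBehavior"]
    for b in config.get("CacheBehaviors", {}).get("Items", []):
        yield "CacheBehavior[{}]".format(b.get("PathPattern", "?")), b


def audit_distribution_config(config):
    """Return a list of findings; empty means no behavior forwards plain HTTP
    to a custom origin, so an API Gateway origin never sees the request that
    makes it answer with a redirect to its own HTTPS hostname."""
    origins = {o["Id"]: o for o in config["Origins"]["Items"]}
    findings = []
    for label, behavior in _behaviors(config):
        viewer = behavior["ViewerProtocolPolicy"]
        if viewer not in VIEWER_POLICIES:
            raise ValueError("{}: unknown ViewerProtocolPolicy {!r}".format(label, viewer))
        origin = origins[behavior["TargetOriginId"]]
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue  # S3 origin: there is no origin protocol policy to check
        origin_policy = custom["OriginProtocolPolicy"]
        if origin_policy not in ORIGIN_POLICIES:
            raise ValueError("{}: unknown OriginProtocolPolicy {!r}".format(origin["Id"], origin_policy))
        where = "{} -> origin {}".format(label, origin["Id"])
        if origin_policy == "http-only":
            findings.append(where + ": every origin request is plain HTTP; an API Gateway "
                            "origin answers with a redirect to its own HTTPS URL")
        elif origin_policy == "match-viewer" and viewer == "allow-all":
            findings.append(where + ": a plain-HTTP viewer request is forwarded as plain HTTP; "
                            "the origin's redirect to its own HTTPS URL reaches the browser")
    return findings


def harden_distribution_config(config):
    """Return a deep copy with the answer's settings applied: behaviors that
    allowed plain HTTP now redirect to HTTPS, and every custom origin is
    contacted over HTTPS only. The input dict is left untouched."""
    fixed = copy.deepcopy(config)
    for _, behavior in _behaviors(fixed):
        if behavior["ViewerProtocolPolicy"] == "allow-all":
            behavior["ViewerProtocolPolicy"] = "redirect-to-https"
    for origin in fixed["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if custom is not None:
            custom["OriginProtocolPolicy"] = "https-only"
    return fixed


# Constructed sample: the misconfiguration from the question, reduced to the
# keys this audit reads (a real DistributionConfig carries many more).
WEAK_CONFIG = {
    "Origins": {
        "Quantity": 1,
        "Items": [
            {
                "Id": "api-gateway",
                "DomainName": "sampleagigw.amazon.com",
                "OriginPath": "/dev",
                "CustomOriginConfig": {"OriginProtocolPolicy": "match-viewer"},
            }
        ],
    },
    "DefaultCacheBehavior": {
        "TargetOriginId": "api-gateway",
        "ViewerProtocolPolicy": "allow-all",
    },
}


if __name__ == "__main__":
    for finding in audit_distribution_config(WEAK_CONFIG):
        print("FINDING:", finding)
    print("after hardening:", audit_distribution_config(harden_distribution_config(WEAK_CONFIG)))
```

Setting the origin policy to `https-only` is the stronger of the two fixes, since it holds regardless of what the viewer policy allows; `redirect-to-https` on the viewer side only closes the gap for the `match-viewer` case, which is why the hardening helper applies both.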
