Cloudfront distribution does not enforce TLS settings for Gateway API
Question
Following up on AWS API Gateway should prevent use of TLS v1, I created a Cloudfront distribution with the config below:
- Origin Domain Name as my Gateway API endpoint https://abcdfefg.execute-api.us-east-1.amazonaws.com
- Viewer Protocol Policy as HTTPS Only
- Origin SSL Protocols as TLSv1.2, TLSv1.1 (Unchecked TLSv1)
- other defaults
After the distribution was deployed, when I accessed my Gateway API via the custom domain, I was still able to make calls over TLSv1.
How do I map my custom domain to this new Cloudfront distribution so that the TLS settings are enforced?
Update-1: In my Java test program that calls the Gateway API using the custom domain, I enabled the runtime arguments below:
-Dhttps.protocols=TLSv1 -Djavax.net.debug=all
Output from javax.net.debug confirms the TLSv1 exchange:
*** ClientHello, TLSv1
.... many lines output
*** ServerHello, TLSv1
..
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Confirmed the TLS v1 usage using curl too. Curl output includes:
* SSL connection using TLSv1.0 / ECDHE-RSA-AES128-SHA
Accepted answer
In order for Gateway API with an additional CloudFront distribution to work, we need to:
- From the AWS Console, under API Gateway, go to Custom Domain Names and delete the mapped entry.
- Add a CNAME entry in the CloudFront settings. From the AWS Console, follow the instructions under Adding an Alternate Domain Name.
After the above changes are completed, accessing the custom domain name over https will enforce the TLS security settings as defined in the Cloudfront distribution.
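To confirm from the client side that the remapped custom domain really refuses the old protocol versions, here is an added Python check (example code, not part of the question or the answer). It pins one handshake to each TLS version in turn against a hostname you supply (the default `api.example.com` is a placeholder; pass your own custom domain) and reports which versions the endpoint still completes, which is the same evidence the question gathers with `curl` and `javax.net.debug`. `check_policy` then compares the results against the versions the distribution's Origin SSL Protocols setting is meant to exclude.

```python
import socket
import ssl
import sys

# Candidate protocol versions to offer, oldest first.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_version(host, version, port=443, timeout=5):
    """Attempt one handshake pinned to exactly `version`.

    Returns (accepted, detail): accepted is True if the server completed the
    handshake at that version, False if it refused or the connection failed,
    and None if the local OpenSSL build cannot offer that version at all
    (so nothing was actually tested).
    """
    ctx = ssl.create_default_context()  # verifies certificate chain and hostname
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # TLS 1.0/1.1 and their SHA-1 suites sit below OpenSSL's default
        # security level; lower it so the client can actually offer them.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError) as exc:
        return None, f"client cannot offer this version: {exc}"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                # Same information curl prints as "SSL connection using ..."
                return True, f"{tls.version()} / {tls.cipher()[0]}"
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


def scan(host, port=443):
    """Probe every version in VERSIONS; returns {name: accepted}."""
    return {name: probe_version(host, ver, port)[0] for name, ver in VERSIONS.items()}


def check_policy(results, forbidden=("TLSv1", "TLSv1.1")):
    """Return the forbidden versions the endpoint still accepted (empty = compliant).

    None (untestable) is not counted as accepted; see the usage note.
    """
    return [name for name in forbidden if results.get(name) is True]


if __name__ == "__main__":
    # Hostname is an assumption: pass your own custom domain on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "api.example.com"
    outcome = scan(target)
    for name, accepted in outcome.items():
        state = {True: "ACCEPTED", False: "refused", None: "untestable"}[accepted]
        print(f"{name:8s} {state}")
    leaks = check_policy(outcome)
    if leaks:
        print(f"Policy violation: {target} still negotiates {', '.join(leaks)}")
        sys.exit(1)
    print(f"OK: {target} refuses TLSv1 and TLSv1.1")
```

Run it as `python tls_check.py your.custom.domain` after the CNAME change; a non-zero exit means an old version is still being negotiated. A result of `untestable` means your Python/OpenSSL build has that version compiled out, so the absence of a handshake proves nothing about the server; in that case fall back to the question's own method (`curl --tlsv1.0 --tls-max 1.0` or the `-Dhttps.protocols=TLSv1` Java run) from a host that can still speak it.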