How to configure backend server to use client side SSL certificates generated by aws gateway api?


Problem description

I have deployed a node js app to an ec2 instance of single instance type through elasticbeanstalk. After this I deployed my app through amazon api gateway. My EC2 instance is public. I want to restrict it in such a way that it only accepts requests from amazon api gateway.

For this I am following https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html

I generated a client side certificate through api gateway but I don't know how to use or install this certificate on the EC2 instance so that the EC2 instance accepts requests only from aws api gateway. I am using a Node js server in my application.

Please help.

Recommended answer

The API Gateway client certificate feature does not use ACM certificates.

For client certificates, API Gateway generates its own self-signed certificates and makes the PEM-encoded public key of the client certificate available to you for configuring your web server. API Gateway keeps the certificate's private key and uses it when making requests to your web server. By design, there is no way to export the private key from API Gateway, so you can be certain that the caller is API Gateway, as no one else can get the private key.

To get the PEM-encoded public key of the client certificate, call get-client-certificate as documented here.

Note that you must also configure your web server with a server certificate signed by a certificate authority which API Gateway trusts. Don't confuse this with the certificate used for a custom domain name. Those are used for TLS termination of incoming requests to your API. The server certificate I'm talking about for this use case is just used on your backend web server so API Gateway can call it via TLS.

It is recommended that you obtain, deploy, configure, and test with your server certificate before you enable the client certificate in API Gateway. Once you have your server certificate working with API Gateway, then enable the client side certificate and modify your web server to require it.

This article describes how to configure both server side and client side certificates with Node.js.

