无法获得HTTP订阅确认请求 [英] Cannot get HTTP subscription confirmation request

问题描述

我编写了一个龙卷风服务作为Amazon SNS终端节点.

I write a tornado service as the Amazon SNS endpoint.

class TestHandler(tornado.web.RequestHandler):
    def get(self):
        logging.info('get')
        self.sns()
        self.write(self.request.body.decode('utf-8'))

    def post(self):
        logging.info('post')
        self.sns()
        self.write(self.request.body.decode('utf-8'))

    def sns(self):
        headers = self.request.headers
        logging.info('HEADER: {}'.format(headers))
        arn = headers.get('x-amz-sns-subscription-arn')
        obj = json.loads(self.request.body)

        if headers.get('x-amz-sns-message-type') == 'SubscriptionConfirmation':
            logging.info('REQUEST: {}'.format(self.request))
            subscribe_url = obj[u'SubscribeURL']
            logging.info('URL:{}'.format(subscribe_url))
            return '<Arn %r>' % arn

        elif headers.get('x-amz-sns-message-type') == 'UnsubscribeConfirmation':
            logging.info('Unsubscription')

        elif headers.get('x-amz-sns-message-type') == 'Notification':
            logging.info('Unsubscription')

        return '', 200

但是当我向SNS订阅端点时，我没有收到任何HTTP POST请求.没有日志被打印.因此，我尝试改为使用curl，并且日志显示正常.我更相信SNS没有发送请求，而不是我的端点没有收到请求.我不知道该如何进行.请帮忙.谢谢.

But when I subscribe the endpoint to SNS, I didn't get any HTTP POST request. No logs was printed. So I tried to do curl instead, and the logs shows it fine. I'm more convinced that SNS didn't send the request rather than my endpoint didn't receive it. I have no idea how to proceed. Please help. Thanks.

推荐答案

正确，外部流量可能会被阻止，但是我可以从本地计算机访问终结点(不是EC2).

Right, the outside traffic might get blocked, but I can hit the endpoint (not EC2) from my local machine. 

这没有意义.您必须先允许Internet的入站连接，然后SNS才能访问您的http(s)终结点. SNS没有实例的后门.

This misses the point. You have to allow inbound connectivity from the Internet before SNS can access your http(s) endpoint. SNS does not have a back door to your instances.

SNS通知的源IP地址范围已发布，因此您可以在安全组中允许它们...

The source IP address ranges for SNS notifications are published, so you can allow them in your security group...

https://forums.aws.amazon.com/ann.jspa? annID = 1649

但是，您需要知道列表可能会更改，因此最佳实践可能是使您的端点可以全局访问.

However, you need to be aware that the list is subject to change, so the best practice may be to make your endpoint globally-accessible.

使用提供的签名来验证消息，以及通过验证证书的URL是否与SNS合法关联以及使用以下方法提取证书，来验证消息中证书的公钥也很重要: HTTPS并验证该TLS请求期间提供的证书是否合法地属于Amazon.

It is also important to validate the messages using the signature provided, as well as to validate the public key of the certificate in the message by verifying that the URL for the certificate is legitimately associated with SNS, and by fetching the cert with HTTPS and validating the certificate provided during that TLS request as legitimately belonging to Amazon.

http://docs.aws.amazon. com/sns/latest/dg/SendMessageToHttp.verify.signature.html

这篇关于无法获得HTTP订阅确认请求的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！