AWS API Gateway - Elastic Beanstalk - Restricted Access


Question

I have a NodeJS API on Amazon EB and an API on API Gateway. API Gateway is configured as a proxy to EB.

I can call my API without problem; it's working, but I don't know how to manage security.

Actually, if I use the API Gateway URL I must sign the request (it's ok!), but I can use the EB URL and nothing is necessary.

Before using API Gateway I was using JWT, but now what shall I do on my Node app? API Gateway is using the Authorization header to sign the request, so my Node app must check this signature maybe? Or something else?

Answer

The recommended approach to restricting back-end access to only API Gateway is to use client-side certificates. See documentation here

Note that if using client certificates with ELB, you must configure the ELB in TCP mode and terminate the SSL connection on your application server, as ELB does not support client certificate validation.

An alternate approach is to configure your API Gateway to add a header with a secret value and then validate the value on your application server before processing the request. This is generally considered less secure, since it's easier for an attacker to obtain your secret value. At a minimum, you would want to use SSL between your API Gateway and your application server so the secret isn't sent in plain text.
