
AWS API Gateway - Elastic Beanstalk - Restricted Access

I have a NodeJS API on Amazon EB and an API on API Gateway. API Gateway is configured as a proxy to EB.

I can call my API without problem, it's working, but I don't know how to manage security.

Actually, if I use the API Gateway URL I must sign the request (it's ok!), but I can use the EB URL and nothing is necessary.

Before using API Gateway I was using JWT, but now what shall I do on my Node app? API Gateway is using the Authorization header for signing the request, so my Node app must check this signature maybe? Or something else?

The recommended approach to restricting back end access to only API Gateway is to use client side certificates. See documentation here.

Note that if using client certificates with ELB, you must configure the ELB in TCP mode and terminate the SSL connection on your application server, as ELB does not support client certificate validation.

An alternate approach is to configure your API Gateway to add a header with a secret value and then validate the value on your application server before processing the request. This is generally considered less secure, since it's easier for an attacker to obtain your secret value. At a minimum, you would want to use SSL between your API Gateway and your application server so the secret isn't sent in plain text.
