
AWS API Gateway restricted access from S3 static web page only

I have a Node.js express server deployed to AWS EBS; the client side, written in React, is deployed to an S3 bucket as a static web page.

I'm working on some sort of sign up system to a specific service, and I don't want to request credentials from the user, so I guess csrf \\ jwt is not going to work.

Is there any way to block all http requests from origins other than the client? Right now, there is a chance someone will just use Postman and make requests to my server, for example creating a user with just an email.

I tried using private API Gateway, but I couldn't find a way to let the client make requests successfully. I thought about encrypting the http request payload, but I didn't find any way to store a private key where it is not visible to anyone through the browser...

You cannot block all the HTTP requests, but you surely can reject them by adding a middleware:

const express = require('express');
const app = express();
const CLIENT_DOMAIN = '<client domain>'; // placeholder: the host name of your static site
app.use((req, res, next) => {
  // reject plain-HTTP requests whose Host header is not the client's domain
  if (req.protocol === 'http' && req.hostname !== CLIENT_DOMAIN) {
    return res.sendStatus(403);
  }
  next();
});

The origin is just an HTTP header that someone could set, i.e. "spoof", in their Postman requests. You can check the origin to block random scanner bots, but it isn't going to block anyone that is determined. So please don't confuse this as actual security. You could do this with AWS Web Application Firewall attached to your EB load balancer, or just by adding a check in your express middleware as in the other answer.

Regarding private API Gateway, that would never work in this scenario; that is only for resources inside a VPC network, and your React app is running in people's web browsers on the public Internet.

Regarding someone creating a user account "with just an email", that is on you to handle: you should be completely validating the request on the server side, with the knowledge that the request may have come from someone using a tool like Postman, since there is no way to totally prevent that in your scenario.

If you want to use API Gateway for this, you could try implementing request validation there. You could also attach a Web Application Firewall to the API Gateway. I believe you could also do the origin header check as part of an API Gateway request validator.
