I seem to be forced in to using HTTPS with AWS API Gateway. I am only hosting non-sensitive GET requests that do not need to be https.
How do I setup HTTP GET Method?
I am using a custom domain name and pointing to DynamoDB.
According to the FAQ, this is not possible:
[A]ll of the APIs created with Amazon API Gateway expose HTTPS endpoints only. Amazon API Gateway does not support unencrypted (HTTP) endpoints.
https://aws.amazon.com/api-gateway/faqs/#general
Related
I create an API where I configure the endpoint: https://ssl.croinform.ru:450/api.test
And there is a problem with https, I am not getting a response to the request. It seems the WSO2 API Manager API gateway is not proxying requests to the endpoint.
When I make requests directly, I pre-configure the infrastructure: install the openssl counterpart, install the cacer.p7b and ssl.croinform.cer certificates. After that, I successfully receive responses from the ssl.croinform.ru:450/api.test service.
Can you tell me what I need to do to make this work in WSO2 API Manager?
We are evaluating reverse proxies which support API Gateway feature. We tested the API Gateway feature in NGINX with a custom authentication Application. The request flow in NGINX is that when a request reaches NGINX, it forwards the request for authentication to a custom authentication application. If the auth application returns HTTP 200, NGINX forwards the request to downstream servers.
HaProxy:
For HAP proxy I am unable to figure out how to integrate the custom authentication application in HAProxy configurations.
Kindly guide me to the correct configuration/resource for me to proceed.
Authenticating Requests Through Traefik
I am looking at using traefik as a proxy for a set a microservices.
However I realised that traefik does not support a authentication mechanism such as the one provided by Kong.
I would like to register consumers with traefik and allow access based on authentication.
Is there a recommend approach to doing this?
Ideally I would like to forward all incoming requests to a service that authenticates the incoming request. However I can not find any way to do this with traefik by using a custom middleware.
In short, is there a way to add such a middleware to traefik and have it execute a remote check before allowing a request to pass though?
(The basic auth built in to traefik is very limited.)
I don't believe Traefik supports this currently. Are you using a service discovery layer behind Traefik like Consul/Kubernetes Ingress? If so, these services may support ACL access to services.
I have an application installed in tomcat which currently I am running on http.
Also I have used AWS API gateway to expose my application .
I want to implement mutual auth between aws api gateway and my api which we have created .
Is there any document which I can refer.
Also is it possible to implement mutual authentication with AWS API gateway and my api.
This is definitely possible by installing an SSL certificate in Tomcat and using the Client Certificate feature of API Gateway. See http://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
The API Gateway server must use a certificate the AWS ACM issues.
The Gateway itself uses another AWS-generated certificate to authenticate with your backend.
Background:
I'm trying to use WSO2 ESB within a corporate setting to provide authenticated access to underlying REST API backend providers located either within the enterprise, or on the internet.
My goal is to selectively grant access, e.g. to REST API provider P1 only to REST client C1 and to to REST API provider P2 only to REST client C2.
Using WSO2 ESB with the "<api>" as described into http://wso2.com/library/articles/2012/10/implementing-restful-services-wso2-esb/ seems to impose to redefine every resource, which can be very large and error prone for complex APIs (e.g. vmware vcloud director REST API https://www.vmware.com/support/vcd/doc/rest-api-doc-1.5-html/landing-user_operations.html)
Using the WSO2 ESB "<proxy>", as described into
https://docs.wso2.org/display/ESB481/Using+REST+with+a+Proxy+Service#UsingRESTwithaProxyService-RESTClientandRESTService ("REST Client and REST Service") imposes that the URIs exposed to HTTP clients will be modified modified w.r.t. to the original backed uri. Typical proxy URIs will be of the following form with the services prefix and a specific port http://<wso2_host>:8280/services/CustomerServiceProxy/customers/123
While having modified exposed URIs is fine when the client can be controlled (typically an in house custom REST API). It is problematic when the REST API is an industry standard and the client is an SDK, or an off-the-shelf application which is outside of the control of WSO2 users (e.g. AWS S3 API, or vmware vcloud director REST API)
In addition, some custom clients/SDKs may verify server-side SSL certificates against a public key embedded into the SDK/client.
The usual solution to preserve the HTTP REST API as-is and add some authentication on top of it is to expose the API through an HTTP proxy (possibly authenticating clients through HTTP proxy authentication), i.e. client send a CONNECT request prior to sending their original request. This preserves the full URIs and also the SSL certificates.
Question:
Is there a way to have WSO2 ESB play the role of an HTTP(S) proxy for mediating incoming REST API requests, preserving original URIs and server SSL certificates ?
I'm thinking about a new "<http-proxy>" syntax, I haven't yet spotted. I.e. it would listen to http://<wso2_host>:3128/ and respond to CONNECT requests. The mediation would then have the ability to accept or not the CONNECT depending on the CONNECT request inputs (proxy authentication, requested host), and other http transport headers). Once the CONNECT request is granted, it might even be possible to act on subsequent individual proxified requests
Best specs describing the CONNECT behavior seem https://datatracker.ietf.org/doc/html/draft-luotonen-web-proxy-tunneling-01 (1999 draft that seems adopted) and https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-p2-semantics-22#page-29 proposed standard.
For HTTPS URI, there might be limited ability within the WSO2 mediation: the HTTP request is SSL encrypted and only the domain can be known if SNI (Server Name Indication) is specified in the request. At least this would enable to grant/deny some host names to a set of clients depending on proxy authentication.
You may wish to try the <property name="preserveProcessedHeaders" value="true"/> in your <inSequence>. This property will pass all security headers through the proxy. I'm not sure about server certificates.
Here is an example of that property in use:
https://docs.wso2.org/display/ESB481/Sample+153%3A+Routing+Messages+that+Arrive+to+a+Proxy+Service+without+Processing+Security+Headers
I hope tlevel for API usehat helps. You may also want to look into the wso2 API manager, which lets you selectively grant access to APIs.