0
votes

Similar to this other question here, I'm attempting to verify SSL client certificates with nginx that have been sent via AWS API Gateway.

I noticed that in the documentation, AWS API Gateway only sends the client certificate along with HTTP requests. Does this mean that HTTPS should not be configured?

Contrary to the question I linked above, the domain that nginx is hosted on does not have HTTPS certificates set up.

Any help, or a link to a working configuration using ssl_verify_client without ssl configured for the domain would be greatly appreciated.

Here is the nginx configuration I'm working with currently:

daemon off;

events {
  worker_connections  4096;
}

http {
  server {
    # No "ssl" parameter on listen: this socket speaks plain HTTP, so nginx
    # never performs a TLS handshake here and the ssl_* directives below are
    # loaded but never take effect ($ssl_client_verify stays empty).
    listen 2345 default_server;

    ssl_trusted_certificate /certs/api-gateway.crt;
    ssl_client_certificate /certs/api-gateway.crt;
    ssl_verify_client on;

    # SSLv3 is obsolete and is only listed here because the original post had it.
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    # The original ran two documentation alternatives together with " or ";
    # a cipher string must be a single list.
    ssl_ciphers "HIGH:!aNULL:!MD5";
    ssl_prefer_server_ciphers on;

    location /ping {
      proxy_pass http://my.http.public.endpoint.com;
    }

    location / {
      # Only pass through requests whose client certificate verified.
      if ($ssl_client_verify != SUCCESS) { return 403; }
      proxy_pass http://my.http.public.endpoint.com;
      proxy_set_header X-Client-Verify $ssl_client_verify;
    }
  }
}

1 Answer

3
votes

You're misinterpreting the docs, though the reason is easily understandable.

API Gateway will use the certificate for all calls to HTTP integrations in your API.

The phrase to parse is "HTTP integrations" -- as opposed to Lambda or AWS Service proxy -- not "HTTP" as in "HTTP without SSL". They're using "HTTP" in a generic sense to describe a type, not the specific details of the transport.

SSL client certificates do not work without HTTPS, and won't work without an SSL certificate configured on the server.
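As an added illustration of the answer's point (not the answerer's own configuration), here is the question's server block with TLS actually enabled: the "ssl" parameter on listen and a server certificate and key are the missing pieces that make client certificate verification possible. The server certificate and key paths are assumed; the API Gateway trust anchor path is the one from the question.

```nginx
daemon off;

events {
  worker_connections 4096;
}

http {
  server {
    # TLS must be enabled on the listening socket; without the "ssl"
    # parameter nginx never performs a TLS handshake and the ssl_* client
    # verification directives below are silently inactive.
    listen 2345 ssl default_server;

    # The server's own certificate and key (assumed paths). A client
    # certificate can only be requested inside a TLS handshake, so the
    # server needs its own certificate before it can verify a client's.
    ssl_certificate     /certs/server.crt;
    ssl_certificate_key /certs/server.key;

    # Trust anchor used to verify the client certificate API Gateway presents.
    ssl_client_certificate /certs/api-gateway.crt;
    # "on": nginx rejects the handshake itself when no valid client
    # certificate is presented; the per-location check below is a second guard.
    ssl_verify_client on;

    # SSLv3 from the original config is dropped; it is obsolete.
    ssl_protocols TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5";
    ssl_prefer_server_ciphers on;

    location /ping {
      proxy_pass http://my.http.public.endpoint.com;
    }

    location / {
      if ($ssl_client_verify != SUCCESS) { return 403; }
      proxy_pass http://my.http.public.endpoint.com;
      proxy_set_header X-Client-Verify $ssl_client_verify;
    }
  }
}
```

Note that API Gateway must then be pointed at an https:// integration URL for this port, since the socket no longer accepts plain HTTP.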