1 vote

I'm working on a project with serverless architecture.

I've found that, though AWS says API Gateway can protect your resources from DDoS attacks,

if there is a bad user who keeps sending spam to your service,

API Gateway can't provide an appropriate way to handle this kind of issue.

So I start to figure out what I can do:

  • AWS WAF is an obvious solution.

I've found this post on stackoverflow: API gateway with aws waf

Then, in order to set up WAF,

I put a CloudFront distribution in front of the API Gateway.

I realized this might be a workaround solution, but is it?

Here's the issue I found:

  1. I have a CloudFront distribution; its domain name is cdn.net.

  2. I set the origin to my API Gateway, https://sampleagigw.amazon.com, and set the origin path to its stage, dev.

  3. When I call GET http://cdn.net/posts, it returns the result I expect.

  4. Then, if you put http://cdn.net/posts in the browser, it surprises you more than you expect: it also exposes the API Gateway's URL in the browser's URL bar: https://sampleagigw.amazon.com/dev/posts

It means all of the work with WAF and CloudFront is meaningless.

Is there anything I misunderstood?


1 Answer

4
votes

Check the "Viewer Protocol Policy" on your additional CloudFront distribution (cdn.net) and ensure that it is set to either "Redirect HTTP to HTTPS" or "HTTPS Only". Alternatively, you can edit your origin and set "Origin Protocol Policy" to "HTTPS Only".

If you have "Viewer Protocol Policy" set to "HTTP and HTTPS" and "Origin Protocol Policy" set to "Match Viewer", then I can see how you would get this result. You enter http://cdn.net/posts in the browser, then the cdn.net distribution attempts to connect to http://sampleagigw.amazon.com (no https/tls/ssl). This goes to the CloudFront distribution created by API Gateway, which is set to "Redirect HTTP to HTTPS". Since it got an HTTP request, it returns a 302 redirect to http://sampleagigw.amazon.com. This is returned by the cdn.net distribution to the browser. The browser then follows the 302 redirect, leaving the http://sampleagigw.amazon.com URL in the browser's URL bar.
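As an added example (not part of the question or the answer above), a small Python check that walks the JSON shape returned by `aws cloudfront get-distribution-config`, flags every cache behavior that can forward a request to a custom origin over plain HTTP, and produces a copy with the two fixes from the answer applied. The sample configuration is constructed; the field names and policy values (`allow-all`, `redirect-to-https`, `match-viewer`, `http-only`, `https-only`) are the CloudFront API's.

```python
import copy
import json

# Constructed sample in the shape of `aws cloudfront get-distribution-config` output.
SAMPLE_CONFIG = json.loads("""
{"DistributionConfig": {
  "Origins": {"Items": [{"Id": "apigw", "DomainName": "sampleagigw.amazon.com",
    "OriginPath": "/dev", "CustomOriginConfig": {"OriginProtocolPolicy": "match-viewer"}}]},
  "DefaultCacheBehavior": {"TargetOriginId": "apigw", "ViewerProtocolPolicy": "allow-all"},
  "CacheBehaviors": {"Quantity": 0, "Items": []}}}
""")

def _behaviors(dc):
    # Default behavior plus any path-pattern behaviors, each with a label.
    yield "default", dc["DefaultCacheBehavior"]
    for cb in dc.get("CacheBehaviors", {}).get("Items", []):
        yield cb.get("PathPattern", "?"), cb

def find_plaintext_origin_paths(config):
    """Return (behavior, origin_id, reason) for every behavior through which a
    request can reach a custom origin over plain HTTP. An origin that redirects
    HTTP to HTTPS then answers with its own https:// URL, which CloudFront
    relays to the browser (the symptom described in the answer)."""
    dc = config["DistributionConfig"]
    origins = {o["Id"]: o for o in dc["Origins"]["Items"]}
    findings = []
    for label, cb in _behaviors(dc):
        oid = cb["TargetOriginId"]
        custom = origins[oid].get("CustomOriginConfig")
        if custom is None:
            continue  # S3 origins carry no OriginProtocolPolicy
        opp, vpp = custom["OriginProtocolPolicy"], cb["ViewerProtocolPolicy"]
        if opp == "http-only":
            findings.append((label, oid, "origin contacted over HTTP only"))
        elif opp == "match-viewer" and vpp == "allow-all":
            findings.append((label, oid, "allow-all viewer + match-viewer origin"))
    return findings

def hardened(config):
    """Copy of config with both fixes from the answer applied: viewers redirected
    to HTTPS and every custom origin contacted over HTTPS only."""
    fixed = copy.deepcopy(config)
    dc = fixed["DistributionConfig"]
    for _, cb in _behaviors(dc):
        cb["ViewerProtocolPolicy"] = "redirect-to-https"
    for origin in dc["Origins"]["Items"]:
        if "CustomOriginConfig" in origin:
            origin["CustomOriginConfig"]["OriginProtocolPolicy"] = "https-only"
    return fixed
```

Run `find_plaintext_origin_paths` against the real output of `aws cloudfront get-distribution-config --id <DISTRIBUTION_ID>` to audit an existing distribution; the `hardened` copy still needs to be pushed with `update-distribution` and the current ETag.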