EC2 (Ubuntu with Nginx) Configuration for AWS Api Gateway Calls With Client Certificate

1
votes

/etc/nginx/sites-enabled/default

server {
    listen 80 default_server;
    root /var/www/example;
    index index.php;
    server_name localhost;

    location / {
        try_files $uri/ /index.php
    }
    ...
}

This works just fine. I do not have SSL installed on that instance. I want to prevent access to my api (spread out to multiple EC2 instances) except for the calls coming from AWS API-Gateway. I created a client certificate under the API Gateway console (.pem) and I added the following to the nginx configuration:

server {
    listen 443;
    ssl on;
    ssl_client_certificate /etc/nginx/ssl/cert.pem;
    ssl_trusted_certificate /etc/nginx/ssl/cert.pem;
    ssl_verify_client on;

    root /var/www/example
    index index.php;
    server_name localhost;

    location / {
        try_files $uri /index.php
    }

    ...
}

Error log says ' no ssl_certificate is defined for the "ssl" directive in /etc/nginx/sites-enabled/default:24 '. Ok, fair enough. I tried a few other tricks from nginx docs but no luck. What about by-passing the certification and add if-then to nginx config to accept traffic only from API Gateway? How can it be done? What's the best way to do this without requiring SSL on the receving end, in your opinion?

1
amazon-web-servicessslnginxamazon-ec2aws-api-gateway

1 Answers

-1
votes

Since you are using Client Certificate to secure your endpoint, The HTTPs protocol is required from API Gateway. API Gateway service doesn't trust any integration endpoints without a valid certificate. Also, there is a very clear documentation about how to setup Client side certificate auth in Nginx. You might want to take a look as well.