3
votes

How can I restrict access for Elastic Beanstalk only to API Gateway?

I've found a similar question here, where it's recommended to create a certificate on API Gateway.

My backend solution looks like the image:


I've created a certificate in API Gateway (AWS doc).

1. Which element should authenticate API using the PEM-encoded certificate generated by API Gateway?

2. Is it possible to do that on Elastic Load Balancer (ELB) or should I do that on App instance, where nginx is running?

1
I'm not sure if this is a documentation error or a real issue but they are currently listing nginx in "Known Issues" as a backend that may not support SSL client authentication compatible with API Gateway: docs.aws.amazon.com/apigateway/latest/developerguide/… - Dave Maple

1 Answer

0
votes

Since ELB doesn't support two-way SSL authentication, you should authenticate the certificate on your nginx server.

You can configure the nginx server like this to accept the client certificate from API Gateway.

server {
    listen        443 ssl;   # "ssl on;" is deprecated; enable TLS on the listen directive instead
    server_name example.com;

    ssl_certificate      /etc/nginx/certs/server.crt;
    ssl_certificate_key  /etc/nginx/certs/server.key;
    # The PEM-encoded certificate downloaded from API Gateway; it is self-signed,
    # so the certificate itself is the trust anchor for client verification
    ssl_client_certificate /etc/nginx/certs/ca.crt;
    # "optional": requests with no certificate still reach the app, which must
    # check VERIFIED itself; use "on" to have nginx reject them outright
    ssl_verify_client optional;

    location / {
        root           /var/www/example.com/html;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_param  SCRIPT_FILENAME /var/www/example.com/lib/Request.class.php;
        fastcgi_param  VERIFIED $ssl_client_verify;   # SUCCESS, NONE or FAILED:<reason>
        fastcgi_param  DN $ssl_client_s_dn;           # subject of the presented client certificate
        include        fastcgi_params;
    }
}

Then, use the Test Invoke feature in the API Gateway console to check whether this setup works for you.
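With `ssl_verify_client optional`, nginx forwards the verification result to the application instead of enforcing it, so the backend must do the rejecting. The following is an added example of that check (mine, not the answer's code), written in Python rather than the PHP the question's stack uses; EXPECTED_CLIENT_DN is a placeholder for the subject of the certificate API Gateway generated.

```python
# Added example: application-side enforcement of the VERIFIED and DN FastCGI
# params set by the nginx config above. EXPECTED_CLIENT_DN is a placeholder;
# take the real subject from the PEM you downloaded from API Gateway.

EXPECTED_CLIENT_DN = "CN=ApiGateway,OU=placeholder"  # placeholder, not a real value


def normalize_dn(dn):
    """Return the DN as a set of RDN components, accepting both forms nginx
    has used for $ssl_client_s_dn: RFC 2253 "CN=a,OU=b" (1.11.6 and later)
    and the older "/OU=b/CN=a". Escaped separators are not handled; a subject
    containing ',' or '/' needs a real DN parser."""
    parts = dn[1:].split("/") if dn.startswith("/") else dn.split(",")
    return frozenset(p.strip() for p in parts if p.strip())


def client_is_api_gateway(params):
    """params mirrors what nginx forwards: VERIFIED from $ssl_client_verify
    (SUCCESS, NONE or FAILED:<reason>) and DN from $ssl_client_s_dn.
    True only for a verified certificate with the expected subject."""
    if params.get("VERIFIED") != "SUCCESS":
        return False
    return normalize_dn(params.get("DN", "")) == normalize_dn(EXPECTED_CLIENT_DN)


def handle(params):
    """Minimal request handler returning (status, body). Anything not proven
    to come from API Gateway is refused before any application logic runs."""
    if not client_is_api_gateway(params):
        return ("403 Forbidden", "client certificate required")
    return ("200 OK", "hello from the backend")


if __name__ == "__main__":
    # Constructed sample param sets, shaped as nginx would forward them.
    samples = {
        "verified, expected subject": {"VERIFIED": "SUCCESS", "DN": "CN=ApiGateway,OU=placeholder"},
        "no certificate presented": {"VERIFIED": "NONE", "DN": ""},
        "failed verification": {"VERIFIED": "FAILED:certificate has expired", "DN": "CN=ApiGateway,OU=placeholder"},
        "verified, wrong subject": {"VERIFIED": "SUCCESS", "DN": "CN=Other,OU=placeholder"},
    }
    for name, p in samples.items():
        print(f"{name}: {handle(p)[0]}")
```

The same two checks apply in PHP, where nginx's params arrive as `$_SERVER['VERIFIED']` and `$_SERVER['DN']`.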