Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Nginx proxy_pass to aws Api Gateway

I want to configure Nginx reverse proxy server which will redirect all of the requests it gets by HTTP to my AWS Api Gateway endpoint which is HTTPS (its a GET method). (If you want to know why, the reason for this is that I have an AWS Lambda function which I want a 3rd party vendor to call via Api Gateway, but he currently has a bug with ssl_handshake with AWS, probably because of SNI. So I will give him this HTTP proxy server).

I've tried something like this:

server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  MY_SERVER_NAME;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_pass https://SOMETHING.execute-api.REGION.amazonaws.com/dev/RESOURCE/METHOD;               
                proxy_ssl_server_name on;
                proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
                proxy_buffering off;
        }
}

But currently I'm getting 403 from CloudFront when I try to call to

http://MY_SERVER_NAME

I feel like I'm missing something in my SSL configurations at Nginx but I'm not sure what.

like image 800
yishaiz Avatar asked Sep 20 '16 10:09

yishaiz


People also ask

Can NGINX act as API gateway?

One advantage of using NGINX as an API gateway is that it can perform that role while simultaneously acting as a reverse proxy, load balancer, and web server for existing HTTP traffic.

Is NGINX a load balancer or API gateway?

NGINX Plus is a software load balancer, API gateway, and reverse proxy built on top of NGINX.

Is AWS API gateway a reverse proxy?

API gateway functions as a reverse proxy to accept all API calls, aggregate the required services, and return the right result. An API gateway has more functionalities than an API proxy, especially in security and monitoring. The Backend for Frontend (BFF) design is commonly used in Microservices development.

Can API proxy act as API gateway?

The benefit of an API Proxy is that it is essentially a lightweight, simple API Gateway. If you already have an existing API and just want to add some basic API security best practices and monitoring capabilities than an API Proxy would probably be the way to go.


2 Answers

Your issue was that you were setting the HTTP Host header that will be sent to AWS API Gateway to the wrong value.

API Gateway needs the HTTP Host header to be set to its own host, e.g. to SOMETHING.execute-api.REGION.amazonaws.com

So you should have:

proxy_set_header Host $proxy_host;

instead of:

proxy_set_header Host $host;

In fact you don't have to explicitly set the proxy Host header because, if not set, Nginx will default it to $proxy_host

See Nginx docs on this

like image 75
Otto Avatar answered Sep 29 '22 22:09

Otto


As @Bob Kinney suggested in the comments, I've implemented the Proxy by using AWS CloudFront instead of this Nginx custom Proxy server.

These are the steps:

  1. Go to Distributions and create new Distribution.
  2. Set the Origin as the S3 bucket of the Lambda function.
  3. Create new Origin in this distribution and leave fields as default except of:
    • set its Origin Domain Name to the ApiGateway endpoint of the Lambda function. E.g. t7mcsqqzcl.execute-api.us-west-1.amazonaws.com
    • Set Origin Protocol Policy as HTTPS Only
  4. Create new Behaviour for the new Origin and set the following:
    • Path Pattern: *
    • Viewer Protocol Policy: HTTP and HTTPS
    • Allowed HTTP Methods: GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE
    • Forward Headers: None
    • Forward Cookies: None
    • Query String Forwarding and Caching: Forward all, cache based on all
  5. Check that the new Behaviour is with Precedence 0 so it’s before the other default behaviour of the S3 Origin.

Now we have the Domain Name for our distribution, e.g. d12q4segwfrwl5.cloudfront.net, and we can activate our API, e.g. call http://d12q4segwfrwl5.cloudfront.net/dev/person/name

An example of the json configurations of the CloudFront distribution can be found here.

like image 29
yishaiz Avatar answered Sep 29 '22 23:09

yishaiz