This is a docker-based reverse proxy solution running between AWS API Gateway and backend server with capabilities of API Gateway client certification verification and SSL/TLS termination.
-
a FQDN for your proxy service, e.g. proxy.pahud.net
-
site certificate, full certificate chain and private key of the proxy FQDN (self-signed cert will prevent API Gateway from SSL handshaking so make sure the cert is signed by trusted CA)
-
client certificate generated by AWS API Gateway(HOWTO)
-
install docker daemon on the proxy server
-
checkout the repository into the proxy server
-
$ cd apigateway-reverse-proxy
-
save your full certificate chain, privaet key and client certificate into
apigateway-reverse-proxy
-
edit
build.sh
, configurePRIVATE_KEY
CERT
andCLIENT_CERT
variables to the local path of the private key, full certificate chain and client certificate respectively. -
build the docker image by
$ bash build.sh
-
on built success, you will have
apigw-reverse-proxy
as the docker image# docker images apigw-reverse-proxy REPOSITORY TAG IMAGE ID CREATED SIZE apigw-reverse-proxy latest 34116d8ad2f9 15 minutes ago 433.2 MB
-
edit
run.sh
, configureSERVER_NAME
andBACKEND_SERVER_NAME
for your environmentSERVER_NAME='proxy.pahud.net' BACKEND_SERVER_NAME='debug.pahud.net'
- SERVER_NAME is the FQDN of the proxy server
- BACKEND_SERVER_NAME is the FQDN of proxied service behind the proxy
The architecture will look like this:
API client—>AWS API Gateway —> SERVER_NAME(i.e. the proxy) —> BACKEND_SERVER_NAME(i.e. the backend server)
- start the proxy service by
bash run.sh
- create a API resource/method in AWS API Gateway console with HTTP Proxy integratin
- configure the SERVER_NAME in the Endpoint URL e.g. https://proxy.pahud.net
- make sure select correct client certificate in the Stage Editor
- deploy the stage
- send a request to API Gateway and see if it returns correctly
please note the default nginx.conf.skeleton configuration is having a prefix and rewrite rule of /v1
location ~ "^/v1/(.+)" {
rewrite /v1/(.*) /$1 break;
proxy_ssl_server_name on;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_set_header Host '%BACKEND_SERVER_NAME%';
proxy_pass https://%BACKEND_SERVER_NAME%;
}
In this case, https://SERVER_NAME/v1/{location}
will be rewritten and proxy_pass tohttps://BACKEND_SERVER_NAME/{localtion}
If you need full site proxy without URL rewrite, update the nginx.conf.skeleton from:
location ~ "^/v1/(.+)" {
rewrite /v1/(.*) /$1 break;
proxy_ssl_server_name on;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_set_header Host '%BACKEND_SERVER_NAME%';
proxy_pass https://%BACKEND_SERVER_NAME%;
}
# toggle off the comments for whole site proxy
#location / {
# proxy_ssl_server_name on;
# proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# proxy_set_header Host '%BACKEND_SERVER_NAME%';
# proxy_pass https://%BACKEND_SERVER_NAME%;
#}
to
#location ~ "^/v1/(.+)" {
# rewrite /v1/(.*) /$1 break;
# proxy_ssl_server_name on;
# proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# proxy_set_header Host '%BACKEND_SERVER_NAME%';
# proxy_pass https://%BACKEND_SERVER_NAME%;
#}
# toggle off the comments for whole site proxy
location / {
proxy_ssl_server_name on;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_set_header Host '%BACKEND_SERVER_NAME%';
proxy_pass https://%BACKEND_SERVER_NAME%;
}