How to configure backend server to use client side SSL certificates generated by aws gateway api?

Submitted by 隐身守侯 on 2019-12-08 05:16:20

Question


I have deployed a Node.js app to an EC2 instance (single-instance environment) through Elastic Beanstalk. After this I deployed my app through Amazon API Gateway. My EC2 instance is public. I want to restrict it in such a way that it only accepts requests from Amazon API Gateway.

To do this I am following this: https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html

I generated a client-side certificate through API Gateway, but I don't know how to use or install this certificate on the EC2 instance so that the EC2 instance accepts requests only from AWS API Gateway. I am using a Node.js server in my application.

Please help.


Answer 1:


The API Gateway client certificate feature does not use ACM certificates.

For client certificates, API Gateway generates its own, self-signed certificates and makes the PEM-encoded public key of the client certificate available to you for configuring your web server. API Gateway keeps the certificate's private key and uses it when making requests to your web server. By design, there is no way to export the private key from API Gateway, so you can be certain that the caller is API Gateway, as no one else can get the private key.

To get the PEM-encoded public key of the client certificate, call get-client-certificate as documented here

Note that you must also configure your web server with a server certificate signed by a certificate authority which API Gateway trusts. Don't confuse this with the certificate used for a custom domain name. Those are used for TLS termination of incoming requests to your API. The server certificate I'm talking about for this use case is just used on your backend web server so API Gateway can call it via TLS.

It is recommended that you obtain, deploy, configure, and test with your server certificate before you enable the client certificate in API Gateway. Once you have your server certificate working with API Gateway, then enable the client-side certificate and modify your web server to require it.

This article describes how to configure both server side and client side certificates with Node.js.



Source: https://stackoverflow.com/questions/44016193/how-to-configure-backend-server-to-use-client-side-ssl-certificates-generated-by
