问题
I have a NodeJS API on Amazon EB and an API on API Gateway. API Gateway is configure as a proxy to EB.
I can call my API without problem, it's working but I don't know how to manage security.
Actually if I use the API Gateway URL I must sign the request (it's ok!) but I can use the EB URL and nothing is necessary.
Before using API Gateway I was using JWT but now what shall I do on my Node app? API Gateway is using the Authorization header for sign the request, so my Node app must check this signature maybe? Or something else?
回答1:
The recommended approach to restricting back end access to only API Gateway is to use client side certificates. See documentation here
Note that if using client certificates with ELB, you must configure the ELB in tcp mode and terminate the SSL connection on your application server as ELB does not support client certificate validation.
An alternate approach is to configure your API Gateway to add a header with a secret value and then validate the value on your application server before processing the request. This is generally considered less secure, since its easier for an attacker to obtain your secret value. At a minimum, you would want to use SSL between your API Gateway and your application server so the secret isn't sent in plain text.
来源:https://stackoverflow.com/questions/41429486/aws-api-gateway-elastic-beanstalk-restricted-access