Question
Follow-up to "AWS API Gateway should prevent use of TLS v1": I created a CloudFront distribution with the configuration below.
- Origin Domain Name: my Gateway API endpoint, https://abcdfefg.execute-api.us-east-1.amazonaws.com
- Viewer Protocol Policy: HTTPS Only
- Origin SSL Protocols: TLSv1.2, TLSv1.1 (TLSv1 unchecked)
- other settings left at their defaults
After the distribution was deployed, when I accessed my Gateway API through the custom domain, I was still able to make calls over TLSv1.
How do I map my custom domain to this new CloudFront distribution so that its TLS settings are enforced?
Update 1: In my Java test program that calls the Gateway API through the custom domain, I enabled the runtime arguments below:
-Dhttps.protocols=TLSv1 -Djavax.net.debug=all
The javax.net.debug output confirms a TLSv1 exchange:
*** ClientHello, TLSv1
.... many lines of output ....
*** ServerHello, TLSv1
..
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
I confirmed the TLS v1 usage with curl too. The curl output includes:
* SSL connection using TLSv1.0 / ECDHE-RSA-AES128-SHA
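The check the questioner performs by hand (a Java client pinned to TLSv1, then curl) can be scripted so it is re-run after every distribution change. The block below is an added example for this thread, not code from the question or the answer: it attempts one handshake per TLS version with the local OpenSSL's security level lowered so legacy versions are actually offered, distinguishes a server refusal from a client that cannot offer the version at all (the only outcome that proves enforcement is "rejected"), and also reads the negotiated version out of `curl -v` or `-Djavax.net.debug` text. The host name is a placeholder and the two sample log snippets are constructed from the output quoted in Update 1.

```python
"""Check which TLS versions a host still accepts, and read the negotiated
version out of curl / javax.net.debug output.

Added example for this thread, not code from the question or the answer.
The host name used in __main__ is an assumed placeholder; the two sample
log snippets are constructed from the output quoted in the question.
"""
import re
import socket
import ssl
import sys

# Oldest first, so a report reads top-down and a "minimum" is a prefix cut.
VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]


def probe_version(host, version, port=443, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`.

    Returns "accepted", "rejected" (the server turned it down), "unsupported"
    (the local OpenSSL will not even offer it; modern builds disable TLS 1.0
    and 1.1 by default) or "unreachable". Only "rejected" is evidence that the
    server enforces a minimum version.
    """
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return "unsupported"
    # Drop OpenSSL's security level so legacy versions can be offered at all;
    # the point is to see whether the *server* refuses them.
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL and friends do not know @SECLEVEL; try anyway
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted" if tls.version() else "rejected"
    except ssl.SSLError as exc:
        # A client-side "no protocols available" is not a server decision.
        if getattr(exc, "reason", "") == "NO_PROTOCOLS_AVAILABLE":
            return "unsupported"
        return "rejected"
    except OSError:
        return "unreachable"


def probe_host(host, port=443):
    """Probe every version in VERSIONS and return {name: outcome}."""
    return {name: probe_version(host, ver, port) for name, ver in VERSIONS}


def violations(results, minimum="TLSv1.1"):
    """Versions below `minimum` that the server accepted (empty = compliant)."""
    order = [name for name, _ in VERSIONS]
    cutoff = order.index(minimum)
    return [v for v in order[:cutoff] if results.get(v) == "accepted"]


CURL_RE = re.compile(r"SSL connection using (TLSv1(?:\.\d)?) / (\S+)")
JSSE_RE = re.compile(r"\*\*\* ServerHello, (TLSv1(?:\.\d)?)")
JSSE_CIPHER_RE = re.compile(r"Cipher Suite: (\S+)")


def negotiated_from_log(text):
    """Return (version, cipher) from `curl -v` or -Djavax.net.debug output.

    curl writes "TLSv1.0" where JSSE writes "TLSv1"; both are normalised to
    the curl spelling so they compare equal to the VERSIONS names.
    """
    m = CURL_RE.search(text)
    if m:
        return m.group(1), m.group(2)
    m = JSSE_RE.search(text)
    if m:
        version = "TLSv1.0" if m.group(1) == "TLSv1" else m.group(1)
        cipher = JSSE_CIPHER_RE.search(text)
        return version, (cipher.group(1) if cipher else None)
    return None


# Constructed from the two snippets quoted in the question's Update 1.
SAMPLE_CURL = "* SSL connection using TLSv1.0 / ECDHE-RSA-AES128-SHA\n"
SAMPLE_JSSE = (
    "*** ServerHello, TLSv1\n"
    "Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\n"
)

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "api.example.com"  # assumed
    results = probe_host(host)
    for name, outcome in results.items():
        print(f"{name}: {outcome}")
    bad = violations(results, minimum="TLSv1.1")
    print("FAIL: still accepts " + ", ".join(bad) if bad else "OK: TLSv1 refused")
```

Run it as `python3 tlsprobe.py your.custom.domain` before and after the CloudFront change; a result of "unsupported" for TLSv1.0 means the probing machine's OpenSSL could not offer the version, not that the server refused it, so re-run from a host with legacy protocols enabled (or with the Java `-Dhttps.protocols=TLSv1` client from the question) before concluding the policy is enforced.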
Answer 1:
In order for the Gateway API to work behind the additional CloudFront distribution, we need to:
- From the AWS Console, under API Gateway, go to Custom Domain Names and delete the mapped entry.
- Add a CNAME entry in the CloudFront settings. From the AWS Console, follow the instructions under "Adding an Alternate Domain Name".
After the above changes are completed, accessing the custom domain name over HTTPS will enforce the TLS security settings defined in the CloudFront distribution.
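The same setup expressed as a CloudFront distribution config, so the pieces can be compared against `aws cloudfront get-distribution-config --id <ID>` instead of console screenshots. This is an added example, not configuration from the question or the answer; the alias `api.example.com`, the ACM certificate ARN and the caller reference are placeholders, and fields unrelated to TLS are kept minimal. Two things the console hides are worth spelling out: `OriginSslProtocols` (the "Origin SSL Protocols" the questioner unchecked TLSv1 in) only governs the CloudFront-to-origin connection, while the version a viewer may use is set by `ViewerCertificate.MinimumProtocolVersion`, and that setting only takes effect with a custom certificate (for CloudFront, an ACM certificate issued in us-east-1) that covers the alternate domain name; with the default `*.cloudfront.net` certificate the distribution keeps accepting TLSv1.

```json
{
  "CallerReference": "api-tls-hardening-example",
  "Comment": "Front the API Gateway endpoint and refuse TLS 1.0 from viewers",
  "Enabled": true,
  "Aliases": { "Quantity": 1, "Items": ["api.example.com"] },
  "Origins": {
    "Quantity": 1,
    "Items": [
      {
        "Id": "api-gateway",
        "DomainName": "abcdfefg.execute-api.us-east-1.amazonaws.com",
        "CustomOriginConfig": {
          "HTTPPort": 80,
          "HTTPSPort": 443,
          "OriginProtocolPolicy": "https-only",
          "OriginSslProtocols": { "Quantity": 2, "Items": ["TLSv1.1", "TLSv1.2"] }
        }
      }
    ]
  },
  "DefaultCacheBehavior": {
    "TargetOriginId": "api-gateway",
    "ViewerProtocolPolicy": "https-only",
    "AllowedMethods": {
      "Quantity": 7,
      "Items": ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"],
      "CachedMethods": { "Quantity": 2, "Items": ["GET", "HEAD"] }
    },
    "ForwardedValues": {
      "QueryString": true,
      "Cookies": { "Forward": "none" },
      "Headers": { "Quantity": 1, "Items": ["Authorization"] }
    },
    "TrustedSigners": { "Enabled": false, "Quantity": 0 },
    "MinTTL": 0,
    "DefaultTTL": 0,
    "MaxTTL": 0
  },
  "ViewerCertificate": {
    "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE",
    "SSLSupportMethod": "sni-only",
    "MinimumProtocolVersion": "TLSv1.1_2016"
  }
}
```

Create it with `aws cloudfront create-distribution --distribution-config file://dist.json` (or `update-distribution` with the ETag from `get-distribution-config` for an existing one), then point the custom domain's DNS CNAME, or Route 53 alias, at the distribution's `dxxxxxxxxxxxxx.cloudfront.net` name; deleting the API Gateway custom-domain mapping, as the answer says, is what stops the old edge from still answering for that name. `TLSv1.1_2016` matches the questioner's intent of keeping TLSv1.1 and 1.2; `TLSv1.2_2021` is the stricter choice today. API Gateway custom domain names have since gained their own `securityPolicy` setting (`TLS_1_0` or `TLS_1_2`), which removes the need for the CloudFront layer when TLS 1.2 only is acceptable.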
Source: https://stackoverflow.com/questions/46614040/cloudfront-distribution-does-not-enforce-tls-settings-for-gateway-api