I have a REST API serving behind API Gateway.
I have a Route53-hosted zone: myAWSHostedDomain.myCompanyDomain.com
I have also created a certificate in ACM: myApp.myAWSHostedDomain.myCompanyDomain.com
The certificate has an additional domain:
myApp.myCompanyDomain.com
The cert has been issued without any problem, both domains were validated.
In the company non-AWS-hosted zone myCompanyDomain.com, I have a CNAME pointing myApp to myApp.myAWSHostedDomain.myCompanyDomain.com. It resolves OK.
I have configured a Custom Domain for that API Gateway using that certificate. The name that shows is myApp.myAWSHostedDomain.myCompanyDomain.com. Which is fine because it's the main domain for that cert.
The problem I have is that all the requests made to myApp.myCompanyDomain.com fail with a 403 Forbidden error, while those same requests on the myApp.myAWSHostedDomain.myCompanyDomain.com work just fine. The app code has nothing to do with it, a request for a favicon.ico behaves the same way.
The API Gateway endpoint is configured as a Regional one.
Could it be that API Gateway's custom domain only takes the main domain from the certificate and doesn't work with the additional ones? Is there a way to fix this?
So, the problem is that the request fails with a 403 forbidden error, because API Gateway is unable to set the correct Host header, which is required for the request to succeed.
If I do:
curl https://myApp.myCompanyDomain.com/favicon.ico -H "Host:myApp.myAWSHostedDomain.myCompanyDomain.com"
Then, it works.
Hence, the options here are the following:
Create a DNS record in Route53 for myApp.myCompanyDomain.com.
While calling the API, add a Host header to the request, with the value set as the value for the DNS record.
Create a new API Gateway where the main custom domain corresponds with the one in the API Gateway: myApp.myCompanyDomain.com work instead of myApp.myAWSHostedDomain.myCompanyDomain.com work.
Related
I tried to create a HTTP API through API Gateway.
This API generated a URL e.g. https://{api-id}.execute-api.{region}.amazonaws.com/
This endpoint works as intended.
After this; I created a custom domain name and under "Api Mappings", I added this newly created API, set the stage the $default and left Path (Optional) as blank. This generated another endpoint (which is supposed to be added as an A record in Route53). When I try to hit this new endpoint; I get {"message":"Not Found"}. This "connection" between the custom domain endpoint and the working api gateway endpoint doesn't seem to work. Any pointers on how to fix this?
Other Information:
I own the custom domain
Adding a custom domain required uploading a SSL certificate (I had a valid one and I uploaded it - verified and all good)
The API is a basic HTTP API which refers to a Cloudfront URL. This endpoint is fully functional and working as expected.
Endpoint Type: Regional
No multiple "Stages" for API/Routes - only a $default one
I am looking to host an API which I can control customer access to using API Keys, Usage Plans, and Cognito. This is my first time trying to bootstrap DNS+SSL and I can't figure out the basic plumbing to get SSL working when I connect API gateway to my beanstalk environment.
I've got example.com purchased on namecheap. I've got namecheap DNS set up to forward the api subdomain to AWS DNS via an NS record. I've got an API gateway with a custom domain name of api.example.com mapped to an API with a production stage. I've then got route 53 set up to point api.example.com to that API gateway stage. I can curl api.example.com and because I have a cognito user pool authenticator, I see Unauthorized as the response.
What I'm stuck on is how to connect this to my elastic beanstalk environment. My current attempt involves turning the API Gateway into a "HTTP Proxy", and tweaking the endpoint url. Except I'm not sure what to put there, or how to configure what I put there because the Test button in API GW often throws an error.
I'm currently trying to use the domain name of the load balancer in front of beanstalk: https://load-balancer-in-front-of-beanstalk-endpoint.com/{proxy}. I've tried a few configs on that load balancer, but I'm not sure what cert to give it because when I try api.example.com,
it fails with "Host name dualstack.awseb.foo.elb.amazonaws.com does not match the cert provided by peer(api.example.com)".
Some other questions mentioned setting an alias for api.example.com to point to the load balancer's ip... except for me it already points to the API GW, so I think I've gone wrong somewhere. Could use some pointers.
I'm trying to set up an API using a REGIONAL custom domain that routes HTTP requests to ALB.
The domain is registered with another DNS provider so I will not be using Route53.
Concept:
/path/to/service --> ALB (Listener: /path/*) --> ECS
I first tried with the original invoke URL https://cuxxxxmvk0.execute-api.ap-east-1.amazonaws.com/stage/path/to/service, it returns ALB context path error (It's expected because ALB gets /stage/path/to/service which doesn't hit any prefix).
Then I created a custom domain with API mapping (no base path) that maps to the stage, and try invoking it with the provided "API Gateway domain name" (The one generated by custom domain). Full URL: https://d-yjexxxds3.execute-api.ap-east-1.amazonaws.com/path/to/service
However, it returns {"message":"Not Found"}
API Gateway domain name
So my question here is:
How does the "API Gateway domain name" generated by custom domain works? Can I directly invoke the API with it?
Is it a must to CNAME it (i.e. CAME api.mydomain.com d-yjexxxds3.execute-api.ap-east-1.amazonaws.com)?
Can I make my final endpoint to be api.mydomain.com/path/to/service without the stage in path?
From the question I can see that you're trying to use CNAME to resolve to URL/some/path but that's not how it works. DNS service will only map your CNAME to some other URL only. The path (/some/path) part will remain same from your domain or API-GW URL.
Other thing to note here is that since you're not using Route53, you do not need Custom Domain Name of API-GW. Create a CNAME which is something like
example.com CNAME d-yjexxxds3.execute-api.ap-east-1.amazonaws.com
I would suggest you add /stage in your ALB prefix so that it can be accessed by API-GW and your own domain.
How does the "API Gateway domain name" generated by custom domain works? Can I directly invoke the API with it?
Yes, you can
Is it a must to CNAME it (i.e. CAME api.mydomain.com d-yjexxxds3.execute-api.ap-east-1.amazonaws.com)?
It is either CNAME (when the DNS is managed by an external provider) or it can be ALIAS (directly returning A records if you manage the DNS in Route53). Please note you need a validated certificate in the certificate manager.
Can I make my final endpoint to be api.mydomain.com/path/to/service without the stage in path?
https://d-xxxxxxds3.execute-api...
As far I know you should invoke the API by defined custom domain name (api.mydomain.com). If calling the d-.. domain will work, I'm not sure
https://api.mydomain.com/path/to/api
I'm not sure what is not working in your setup. Indeed in the custom domain mapping you can have a mapping directly to certain stage, so you may invoke the API as https://customdomain/path/to/api We have it working this way.
Long story short, your setup / idea is generally good. You may enable logging on the API Gateway or stage to find out what is not working (if the NOT FOUND is retuned by the API GW or backend ELB)
I'm currently testing out how to setup CloudFront with Regional Api Gateway that includes a Custom Domain but have run into a bit of snag.
I would like to be able to use: https://mySuperDomain.com/rest/get_stuff
Setup:
Api Gateway
I have a regional Api Gateway that points to a Lambda function.
The Gateway includes a Cognito Authorizer
The Integration Request is a Lambda Proxy
The base Resource is "/" with Methods: GET & OPTIONS
The stage is "dev"
Custom Domain name and ACM are set to "mySuperDomain.com"
Configuration is also Regional
Directly calling the url works as expected: https://XXXXXXXX.execute-api.REGION.amazonaws.com/dev
Route53
A record is an alias that points to the CloudFront Distribution
Base domain also contains NS, SOA, and MX
CloudFront
Origins:
Alternate Domain Names: www.mySuperDomain.com & mySuperDomain.com
Origin and Domain Path: XXXXXXXX.execute-api.REGION.amazonaws.com/dev
HTTPS only
Behaviors:
/rest/*
Origin group is set to the Origin
HTTPS only
This is where things get confusing.
When including no headers, I get a "Missing Authentication Token" error. This signals to me that I'm hitting the correct endpoint but the Authentication Token is not making it through CloudFront.
However, when I whitelist what I describe as the kitchen sink: "Authorization, Host, Origin, Referer, Accept-Datetime", I get 403 Forbidden when calling: https://mySuperDomain.com/rest/get_stuff.
What am I missing in order to access the specified custom domain URL? Thanks ahead of time.
I'm trying to build a serverless app with AWS. My API is working fine, but my custom domain is not. I'm receiving a 403 forbidden answer. This is how it's configured my custom domain:
And then I'm using the Target URL provided by this Custom Domain in Route 53 as CNAME. How can I fix this?
The CNAME should point to the CloudFront endpoint (*.cloudfront.net) rather than the API Gateway endpoint (*.execute-api.[region].amazonaws.com).
The CloudFront endpoint can be found by going to API Gateway -> Custom Domain Names. A CloudFront domain should be listed under "Target Domain Name".