Can I proxy AWS API Gateway WebSocket to WebSocket? - amazon-web-services

Currently I am using the API Gateway as a kind of proxy, simply to provide HTTPS:
https://random-aws-name.com => http://my-domain.com
The route was $default
The integration setup is HTTP ANY -> http://my-domain.com
I am now having to set up a WebSocket server on my domain that is already listening at ws://my-domain.com. I can connect directly to this socket, but not through the AWS API Gateway:
wss://random-aws-name.com => ws://my-domain.com
Currently I am getting an unexpected error 400, using wscat.
I tried to enable API Gateway logging and do not see any logs arrive.

IMHO, AWS API Gateway is only able to provide a wss endpoint and route requests to HTTP backends only. If we already have a backend WebSocket server, I don't see an option in AWS API Gateway to perform such routing (although I would be glad to be proven wrong, as I have such a requirement myself).
I actually tried giving a wss:// URL as the Endpoint URL, but I got an error while deploying the API saying: Invalid HTTP endpoint specified for URI

Most likely, the API Gateway you are currently using is not a WebSocket API, but rather an HTTP API or REST API. API Gateway has different flavors. You pick a flavor when you deploy. The flavor that you deployed is most likely not the flavor that supports WebSocket connections.
According to this documentation page, proxied WebSocket connections may only be one-way (note in blue box at bottom of page): https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api-routes-integrations.html

Related

Identify request handler for API Gateway endpoint using AWS web console

If I make a POST request to an API Gateway endpoint (configured to handle POST calls), how can I identify, using the AWS console, which AWS service (Lambda/Fargate/etc.) is configured as the request handler for that endpoint?
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-basic-concept.html
suggests: For Integrations, choose Add integration.
But how can I find the handlers/integrations for an existing endpoint?
I am only able to identify the Invoke URL and the Lambda service used as authenticator. Or do I need to manually check each Application Load Balancer?
If you would like to integrate with an ALB, you could select HTTP in Integration Request > Integration Type and enter the ALB DNS name in Endpoint URL.
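For an existing endpoint, the Integration Request settings mentioned above can also be read in bulk from the API definition. The following is an added example, not part of the original thread: it assumes a REST API whose resources were exported with `aws apigateway get-resources --rest-api-id <api-id> --embed methods`, and it runs on a constructed sample in that shape (account ID, function name and ALB hostname are made up). It lists the backend behind each route and flags routes with no authorization configured.

```python
import json
import re

# Constructed sample shaped like the output of:
#   aws apigateway get-resources --rest-api-id <api-id> --embed methods
SAMPLE = json.loads("""
{"items": [
 {"id": "a1", "path": "/"},
 {"id": "b2", "path": "/orders", "resourceMethods": {"POST": {
   "authorizationType": "CUSTOM",
   "methodIntegration": {"type": "AWS_PROXY", "uri":
    "arn:aws:apigateway:us-east-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-2:123456789012:function:orders/invocations"}}}},
 {"id": "c3", "path": "/health", "resourceMethods": {"GET": {
   "authorizationType": "NONE",
   "methodIntegration": {"type": "HTTP_PROXY",
    "uri": "http://internal-alb.example.com/health"}}}}
]}
""")

# A Lambda integration URI embeds the function ARN between these markers.
LAMBDA_ARN = re.compile(r"functions/(arn:aws:lambda:[^/]+)/invocations")


def backend_of(integration):
    """Classify one methodIntegration block as (kind, target)."""
    itype = integration.get("type", "NONE")
    uri = integration.get("uri", "")
    if itype in ("AWS", "AWS_PROXY"):
        match = LAMBDA_ARN.search(uri)
        return ("lambda", match.group(1)) if match else ("aws-service", uri)
    if itype in ("HTTP", "HTTP_PROXY"):
        private = integration.get("connectionType") == "VPC_LINK"
        return ("vpc-link" if private else "http", uri)
    return (itype.lower(), uri)  # e.g. MOCK, or no integration at all


def inventory(resources):
    """One row per route: which backend handles it and how it is authorized."""
    rows = []
    for item in resources.get("items", []):
        for verb, method in sorted(item.get("resourceMethods", {}).items()):
            kind, target = backend_of(method.get("methodIntegration", {}))
            rows.append({"route": f"{verb} {item['path']}", "kind": kind,
                         "target": target,
                         "auth": method.get("authorizationType", "NONE")})
    return rows


def unauthenticated(rows):
    """Routes reachable without any API Gateway authorization."""
    return [r["route"] for r in rows if r["auth"] == "NONE"]
```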

Call Amazon Lambda from Extendscript (Or get a http invoke url for Amazon Lambda)

I am trying to call my Amazon Lambda from an ExtendScript script for After Effects, but I can't find a way to get an HTTP (ExtendScript has no HTTPS support) invoke URL for the Lambda. Here is the code that I am currently using:
var reply = "";
var conn = new Socket(); // ExtendScript Socket object: plain TCP, no TLS
if (conn.open("<myAPI>.execute-api.us-east-2.amazonaws.com:80")) { // I need the http url here
    conn.write("GET /version1 HTTP/1.0\n\n");
    reply = conn.read(512); // read up to 512 characters of the response
    conn.close();
}
Currently the only invoke URL I can find is https://api.execute-api.us-east-2.amazonaws.com
Is there a way to get an HTTP address instead? Or to make the HTTPS one work with ExtendScript?
I found a solution: I route the HTTP traffic to the HTTPS Gateway using Amazon CloudFront.
API Gateway does not support HTTP, only HTTPS. From the docs:
Yes, all of the APIs created with Amazon API Gateway expose HTTPS endpoints only. Amazon API Gateway does not support unencrypted (HTTP) endpoints.

What's the Endpoint URL in an AWS API deployment?

I want to deploy my API to AWS. There is an Endpoint URL, but I have no idea what this is.
Any help please, thank you.
The HTTP integration will forward any requests made to API Gateway to your HTTP endpoint, which you must already have. For example, you can create an API server of your own on an EC2 instance, and API Gateway, through the HTTP integration, will proxy all requests to your instance. In this case, the HTTP endpoint will be your EC2 URL.
But if you don't know what your HTTP endpoint is, then you probably don't need to use the HTTP integration. Maybe a Lambda integration would be better.

Proxying an Apollo server websocket through API Gateway

I have a GraphQL Apollo server running in AWS Fargate (ECS), and I'm using API Gateway (HTTP proxy integration) on top. The purpose of that API is to make use of the Cognito Authorizer in addition to secure SSL (HTTPS).
This is working fine as far as GraphQL HTTP operations are involved (query and mutation).
However, GraphQL subscriptions use WebSockets. The proxy integration doesn't seem to handle the upgrade to the WebSocket protocol.
I've tried to define a new WebSocket API following this documentation: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api.html
But nothing seems to work for me. I've tried defining $connect, $disconnect and $default with an HTTP proxy integration to the Apollo server endpoint, but I keep getting:
Error during WebSocket handshake: Unexpected response code: 400
Is it possible to proxy an existing WebSocket API using Amazon API Gateway? Is HTTP proxy integration the correct integration to use?
Note: The client implementation is fine, as my subscriptions work if I put the direct URL to the Apollo server WebSocket endpoint.
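Both this question and the first one on the page report a 400 during the WebSocket handshake when an HTTP integration sits in front of a WebSocket server. The following is an added example, not code from either thread: it implements the RFC 6455 checks a server applies to the opening handshake and shows the result when the same request arrives through an intermediary that forwards it as ordinary HTTP. That the gateway drops the hop-by-hop `Upgrade` and `Connection` headers (as RFC 7230 section 6.1 requires of a generic proxy) is an assumption about the cause; the threads do not confirm it. The request headers are constructed, with the sample key from RFC 6455.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed value from RFC 6455
# Headers a generic HTTP/1.1 intermediary does not forward (RFC 7230 section 6.1)
HOP_BY_HOP = {"connection", "upgrade", "keep-alive", "te", "trailer",
              "transfer-encoding", "proxy-authenticate", "proxy-authorization"}


def accept_key(sec_websocket_key):
    """Sec-WebSocket-Accept value the server returns for a given client key."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def forward_as_plain_http(headers):
    """Model an HTTP-only proxy: drop hop-by-hop headers and those named in Connection."""
    named = {t.strip().lower() for t in headers.get("Connection", "").split(",")}
    drop = HOP_BY_HOP | named
    return {k: v for k, v in headers.items() if k.lower() not in drop}


def server_handshake(headers):
    """Return (status, response_headers) as an RFC 6455 server would."""
    h = {k.lower(): v for k, v in headers.items()}
    tokens = {t.strip().lower() for t in h.get("connection", "").split(",")}
    ok = (h.get("upgrade", "").lower() == "websocket"
          and "upgrade" in tokens
          and h.get("sec-websocket-version") == "13"
          and "sec-websocket-key" in h)
    if not ok:
        return 400, {}  # the request reads as a plain GET, not an upgrade
    return 101, {"Upgrade": "websocket", "Connection": "Upgrade",
                 "Sec-WebSocket-Accept": accept_key(h["sec-websocket-key"])}


# Constructed client request; the key is the sample nonce from RFC 6455.
CLIENT_REQUEST = {
    "Host": "my-domain.com",
    "Upgrade": "websocket",
    "Connection": "Upgrade",
    "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==",
    "Sec-WebSocket-Version": "13",
}


def demo():
    """Handshake result when connecting directly versus through the HTTP-only hop."""
    direct = server_handshake(CLIENT_REQUEST)
    proxied = server_handshake(forward_as_plain_http(CLIENT_REQUEST))
    return direct, proxied
```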

AWS API Gateway and AWS Lambda - handling client certificate

I am looking to build an API orchestration layer using API Gateway and Lambda.
For my basic use case I want to have a Python script in Lambda that will just relay the request received at the API Gateway from the client (mobile app in this case) and call an external HTTPS service as the backend.
My question is:
Our mobile client uses client certificates to talk to our HTTPS endpoint today.
How do I go about intercepting that client certificate in my new API Gateway + Lambda setup?
Responded here. Copying the answer below for the StackOverflow audience:
===
Unfortunately, API Gateway does not support client certificate validation from clients to API Gateway at the moment. We do, however, support client side SSL certificates for authentication by the backends.
Depending on your use case, you can use various other options in API Gateway to authenticate/authorize your calls from the mobile client, e.g. API Keys, Custom Authorizers, etc. The request from API Gateway to Lambda should already be encrypted.
Hope that helps,
Ritisha.