I have a GraphQL Apollo server running in AWS Fargate (ECS), and I'm using API Gateway (HTTP proxy integration) on top. The purpose of that API is to make use of Cognito Authorizer in addition to secure SSL (HTTPS).
This is working fine as far as GraphQL HTTP operations are involved (query and mutation).
However, GraphQL subscriptions use WebSockets. The proxy integration doesn't seem to handle the upgrade to the WebSocket protocol.
I've tried to define a new websocket API following this documentation: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api.html
But nothing seems to work for me. I've tried defining $connect, $disconnect and $default with an HTTP proxy integration to the Apollo server endpoint, but I keep getting:
Error during WebSocket handshake: Unexpected response code: 400
Is it possible to proxy an existing websocket API using Amazon API Gateway? Is HTTP proxy integration the correct integration to use?
Note: The client implementation is fine, as my subscriptions work if I put the direct URL to the Apollo server WebSocket endpoint.
Related
Currently I am using the API Gateway as a kind of proxy to provide https simply
https://random-aws-name.com => http://my-domain.com
The route was $default
The integration setup is HTTP ANY -> http://my-domain.com
I now have to set up a WebSocket server on my domain that is already listening at ws://my-domain.com. I can connect directly to this socket, but not through the AWS API Gateway.
wss://random-aws-name.com => ws://my-domain.com
Currently I am getting unexpected error 400 using wscat.
I tried to enable API Gateway logging and do not see any logs arrive.
IMHO, AWS API Gateway is only able to provide a wss end point and route requests to HTTP backends only. If we already have a backend websocket server, I don't see an option in AWS API Gateway to perform such routing (Although I would be glad to be proven wrong as I have such a requirement myself.).
I actually tried giving a wss:// URL as the Endpoint URL, but I got an error while deploying the API saying Invalid HTTP endpoint specified for URI.
Most likely, the API Gateway you are currently using is not a WebSocket API, but rather an HTTP API or REST API. API Gateway has different flavors. You pick a flavor when you deploy. The flavor that you deployed is most likely not the flavor that supports WebSocket connections.
According to this documentation page, proxied WebSocket connections may only be one-way (note in blue box at bottom of page): https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api-routes-integrations.html
I am using AWS API Gateway websocket endpoint and I see there are two endpoints created after deploy. One is https the other is wss. I can use websocket client to connect to my service via the websocket endpoint. I wonder why it creates a https endpoint.
I think this is to use #connections commands in your backend service.
With the https endpoint:
Your backend service can use the following WebSocket connection HTTP requests to send a callback message to a connected client, get connection information, or disconnect the client.
I want to integrate a WebSocket API with my ECS-managed WebSocket API running behind an ALB. Only HTTP connections are allowed, so I am getting a 426 error as upgrade required. How can I send a WebSocket request from API Gateway to the ALB?
I am looking to build an API orchestration layer using API Gateway and Lambda.
For my basic use case I want to have a Python script in Lambda that will just relay the request received at the API Gateway from the client (mobile app in this case) and call an external HTTPS service as the backend.
My question is:
Our mobile client uses client certificates to talk to our HTTPS endpoint today.
How do I go about intercepting that client certificate in my new API Gateway + Lambda setup?
Responded here. Copying the answer below for StackOverflow audience-
===
Unfortunately, API Gateway does not support client certificate validation from clients to API Gateway at the moment. We do, however, support client side SSL certificates for authentication by the backends.
Depending on your use-case, you can use various other options in API Gateway to authenticate/authorize your calls from the mobile client, e.g. API Keys, Custom Authorizers, etc. The request from API Gateway to Lambda should already be encrypted.
Hope that helps,
Ritisha.
How to publish only Http service from WSO2AM?
I am receiving an empty response from the server when I access WSO2AM service from my client.
This is what I am setting for HTTP. Service is working using HTTPS but that is not desired.