Nginx reverse proxy for AWS API Gateway
This is a docker-based reverse proxy solution running between AWS API Gateway and backend server with capabilities of API Gateway client certification verification and SSL/TLS termination.
a FQDN for your proxy service, e.g. proxy.pahud.net
site certificate, full certificate chain and private key of the proxy FQDN (self-signed cert will prevent API Gateway from SSL handshaking so make sure the cert is signed by trusted CA)
client certificate generated by AWS API Gateway(HOWTO)
install docker daemon on the proxy server
checkout the repository into the proxy server
$ cd apigateway-reverse-proxy
save your full certificate chain, privaet key and client certificate into apigateway-reverse-proxy
edit build.sh
, configure PRIVATE_KEY
CERT
and CLIENT_CERT
variables to the local path of the private key, full certificate chain and client certificate respectively.
build the docker image by $ bash build.sh
on built success, you will have apigw-reverse-proxy
as the docker image
# docker images apigw-reverse-proxy
REPOSITORY TAG IMAGE ID CREATED SIZE
apigw-reverse-proxy latest 34116d8ad2f9 15 minutes ago 433.2 MB
edit run.sh
, configure SERVER_NAME
and BACKEND_SERVER_NAME
for your environment
SERVER_NAME='proxy.pahud.net'
BACKEND_SERVER_NAME='debug.pahud.net'
The architecture will look like this:
API client>AWS API Gateway > SERVER_NAME(i.e. the proxy) > BACKEND_SERVER_NAME(i.e. the backend server)
bash run.sh
please note the default nginx.conf.skeleton configuration is having a prefix and rewrite rule of /v1
location ~ "^/v1/(.+)" {
rewrite /v1/(.*) /$1 break;
proxy_ssl_server_name on;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_set_header Host '%BACKEND_SERVER_NAME%';
proxy_pass https://%BACKEND_SERVER_NAME%;
}
In this case, https://SERVER_NAME/v1/{location}
will be rewritten and proxy_pass tohttps://BACKEND_SERVER_NAME/{localtion}
If you need full site proxy without URL rewrite, update the nginx.conf.skeleton from:
location ~ "^/v1/(.+)" {
rewrite /v1/(.*) /$1 break;
proxy_ssl_server_name on;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_set_header Host '%BACKEND_SERVER_NAME%';
proxy_pass https://%BACKEND_SERVER_NAME%;
}
# toggle off the comments for whole site proxy
#location / {
# proxy_ssl_server_name on;
# proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# proxy_set_header Host '%BACKEND_SERVER_NAME%';
# proxy_pass https://%BACKEND_SERVER_NAME%;
#}
to
#location ~ "^/v1/(.+)" {
# rewrite /v1/(.*) /$1 break;
# proxy_ssl_server_name on;
# proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# proxy_set_header Host '%BACKEND_SERVER_NAME%';
# proxy_pass https://%BACKEND_SERVER_NAME%;
#}
# toggle off the comments for whole site proxy
location / {
proxy_ssl_server_name on;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_set_header Host '%BACKEND_SERVER_NAME%';
proxy_pass https://%BACKEND_SERVER_NAME%;
}