TLS authentication with remote server - node.js

I'm trying to implement Express Gateway. What I need to do is to publish an API that routes to a TLS-authenticated web service.
My question is, how do I configure the gateway so I can achieve this flow:
1- Client sends request to http://my.api
2- Gateway takes the HTTP request and sends it to a TLS-authenticated web service
3- Take the response and send it back to the client
My apologies for the poor English.

I guess there's nothing special here, just make the gateway listen on the http interface and use the proxy policy targeting the https server.

Related

How to get x-amzn-oidc-data in Express/NodeJS backend with ALB and Cognito?

I have set up an application which uses a React front-end and Express/NodeJS back-end. There is an ALB in the mix as well.
So, here is how the flow goes:
The ALB listens on port 443 and there is an Authentication action attached to the listener. This action uses an Amazon Cognito user pool; scope is openid. Once the authentication is successful the ALB redirects the request to the React app, which in its turn sends HTTP requests back to the ALB, which redirects them to the Express app on the server side. I have set up the communication between FE and BE like this because we use Amazon ECS and I don't have a static DNS or IP except for the ALB.
I am unable to get the x-amzn-oidc-data header when console logging the req.headers. This header is important to me because I'd like to verify and work with the JWT that it contains.
I have read most of the docs on the Internet and they say that the ALB automatically sends this header (and a couple of others) to the back-end. However, I only see one x-amzn-trace-id which has nothing to do with the JWT issued by Cognito.
Where do you think is my error? My setup seems pretty standard to me - how could I get that header?
Thanks in advance!

Is a POST request to an HTTPS endpoint using a NodeJS HTTP server vulnerable?

If I'm running a local NodeJS server over http, and I use axios or request to send a POST request to an https endpoint with a password as part of the data, is someone able to grab the password if they are monitoring network traffic?
Passwords served over HTTPS in POST data are secure. The fact that the origin of the request is a Node.js application doesn't matter, as the connection is still over the secure protocol.

Nodejs identify client ssl

I have a Node.js backend. I use OAuth 2 for authentication. All the endpoints are secured by this authentication method except one endpoint. I cannot use OAuth in this insecure endpoint because the endpoint is triggered by another server over which I don't have any control. So I cannot tell the other server to send me a token for my backend to validate.
The request to my backend is made over an SSL connection. So, in Node.js, is there any way to find out the SSL issuer name or something like that so that my backend can validate the requester? (All the requests to my insecure endpoint come from the same server.)

Can a HTTP server receive HTTPS request (node.js)?

I was reading the PayPal documentation about how to implement an IPN server to receive payment notifications (from PayPal POST requests), but I noticed that the requests are encrypted with HTTPS, and I would like to implement the server with non-secured HTTP. Is there any issue if I do this? Can I use any library that uses HTTPS over a non-secured server?
You cannot receive an https request with an http server. It won't connect. For starters, it won't even be on the right port by default and even if you try to force the correct port, an https request won't connect to an http server.
Instead, you can use an https server in your node.js app as explained here in the nodejs https module.
Can a HTTP server receive HTTPS request (node.js)?
No, it cannot.
Is there any issue if I do this?
Yes, it will not connect.
Can I use any library that use HTTPS over a non-secured server?
No, you cannot. https connections will not connect to an http server.
All payment-related stuff should be done over a properly secured https connection, so even if you could change the client to use http instead of https, you should not do that, and I'd guess that PayPal prevents that either with their client library or by license, because the last thing they want is people implementing PayPal payments over insecure connections.

AWS API Gateway - Elastic Beanstalk - Restricted Access

I have a NodeJS API on Amazon EB and an API on API Gateway.
API Gateway is configured as a proxy to EB.
I can call my API without problem, it's working, but I don't know how to manage security.
Actually, if I use the API Gateway URL I must sign the request (it's OK!), but I can use the EB URL and nothing is necessary.
Before using API Gateway I was using JWT, but now what shall I do on my Node app? API Gateway is using the Authorization header to sign the request, so my Node app must check this signature maybe? Or something else?
The recommended approach to restricting back-end access to only API Gateway is to use client-side certificates. See documentation here.
Note that if using client certificates with ELB, you must configure the ELB in TCP mode and terminate the SSL connection on your application server, as ELB does not support client certificate validation.
An alternate approach is to configure your API Gateway to add a header with a secret value and then validate the value on your application server before processing the request. This is generally considered less secure, since it's easier for an attacker to obtain your secret value. At a minimum, you would want to use SSL between your API Gateway and your application server so the secret isn't sent in plain text.
