AWS API Gateway MissingAuthenticationToken

Problem description

I have an API named api-gateway-v1. This API is an http_proxy. The method_request authorization is set to NONE. The method_execution is set to passthrough.

Two custom domain names call the same API (same stage). custom-domain-name-1, without mutual_tls, works as expected. custom-domain-name-2, with mutual_tls, works as expected.

Custom domain 1 curl verbose output:

    curl -v --location --request POST 'https://custom-domain-name-1/v1' --header 'Content-Type: application/json' --data-raw '{"email":"email@example.com","password":"mypassword"}'

        
        TCP_NODELAY set
         Connected to custom-domain-name-1 (1.2.3.5) port 443 (#0)
         ALPN, offering h2
         ALPN, offering http/1.1
         successfully set certificate verify locations:
           CAfile: /etc/ssl/certs/ca-certificates.crt
         CApath: /etc/ssl/certs
         TLSv1.3 (OUT), TLS handshake, Client hello (1):
         TLSv1.3 (IN), TLS handshake, Server hello (2):
         TLSv1.2 (IN), TLS handshake, Certificate (11):
         TLSv1.2 (IN), TLS handshake, Server key exchange (12):
         TLSv1.2 (IN), TLS handshake, Server finished (14):
         TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
         TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
         TLSv1.2 (OUT), TLS handshake, Finished (20):
         TLSv1.2 (IN), TLS handshake, Finished (20):
         SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
         ALPN, server accepted to use h2
         Server certificate:
          subject: CN=custom-domain-name-1
          start date: Mar  1 00:00:00 2021 GMT
          expire date: Mar 30 23:59:59 2022 GMT
          subjectAltName: host "custom-domain-name-1" matched cert's "custom-domain-name-1"
          issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
          SSL certificate verify ok.
         Using HTTP2, server supports multi-use
         Connection state changed (HTTP/2 confirmed)
         Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
         Using Stream ID: 1 (easy handle 0x55c4d244ae10)
        POST /v1 HTTP/2
         Host: custom-domain-name-1
         user-agent: curl/7.68.0
         accept: */*
         content-type: application/json
         content-length: 76
         
         Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
         We are completely uploaded and fine
         HTTP/2 200 
         date: Tue, 10 Aug 2021 07:56:41 GMT
         content-type: application/json
         content-length: 1009
         x-amzn-requestid: 8997bed9-b2d5-48fe-8cf2-0d9166ec489d
         x-amzn-remapped-connection: keep-alive
         x-ratelimit-remaining: 999
         x-amz-apigw-id: abc=
         cache-control: private, must-revalidate
         x-amzn-remapped-server: nginx
         x-ratelimit-limit: 1000
         x-content-type-options: nosniff
         expires: -1
         pragma: no-cache
         x-amzn-remapped-date: Tue, 10 Aug 2021 07:56:41 GMT
         
         Connection #0 to host custom-domain-name-1 left intact
        {"success":{"token":"XYZ"}}

Custom domain 2 curl verbose output:

    curl -v --key form.key --cert cert.pem https://custom-domain-name-2/v1 --header 'Content-Type: application/json' --data-raw '{"email":"email@example.com","password":"mypassword"}'

        Note: Unnecessary use of -X or --request, POST is already inferred.
           Trying 54.251.193.98:443...
         TCP_NODELAY set
         Connected to custom-domain-name-2 (1.2.3.4) port 443 (#0)
         ALPN, offering h2
         ALPN, offering http/1.1
         successfully set certificate verify locations:
           CAfile: /etc/ssl/certs/ca-certificates.crt
         CApath: /etc/ssl/certs
         TLSv1.3 (OUT), TLS handshake, Client hello (1):
         TLSv1.3 (IN), TLS handshake, Server hello (2):
         TLSv1.2 (IN), TLS handshake, Certificate (11):
         TLSv1.2 (IN), TLS handshake, Server key exchange (12):
         TLSv1.2 (IN), TLS handshake, Request CERT (13):
         TLSv1.2 (IN), TLS handshake, Server finished (14):
         TLSv1.2 (OUT), TLS handshake, Certificate (11):
         TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
         TLSv1.2 (OUT), TLS handshake, CERT verify (15):
         TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
         TLSv1.2 (OUT), TLS handshake, Finished (20):
         TLSv1.2 (IN), TLS handshake, Finished (20):
         SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
         ALPN, server accepted to use h2
         Server certificate:
          subject: CN=custom-domain-name-2
          start date: Aug  5 00:00:00 2021 GMT
          expire date: Sep  3 23:59:59 2022 GMT
          subjectAltName: host "custom-domain-name-2" matched cert's "custom-domain-name-2"
          issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
          SSL certificate verify ok.
         Using HTTP2, server supports multi-use
         Connection state changed (HTTP/2 confirmed)
         Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
         Using Stream ID: 1 (easy handle 0x555588810e10)
        POST /v1 HTTP/2
         Host: custom-domain-name-2
         user-agent: curl/7.68.0
         accept: */*
         content-type: application/json
         content-length: 66
         
         We are completely uploaded and fine
         Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
         HTTP/2 403 
         x-amzn-requestid: abc-123
         x-amzn-errortype: MissingAuthenticationTokenException
         x-amz-apigw-id: 123-abc
         content-type: application/json
         content-length: 42
         date: Wed, 11 Aug 2021 10:53:59 GMT
         
         Connection #0 to host custom-domain-name-2 left intact
        {"message":"Missing Authentication Token"}

The connection seems fine, but the HTTP status code is different.
Does anyone understand what is going on?

Tags: ssl-certificate, aws-api-gateway
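The two transcripts above differ in one place worth reading carefully: on custom-domain-name-2 the server sends `Request CERT (13)`, the client answers with `Certificate (11)` and `CERT verify (15)`, the handshake completes (`SSL connection using ...`), and only then does the gateway answer `403` with `x-amzn-errortype: MissingAuthenticationTokenException`. That ordering means the mutual-TLS exchange itself succeeded and the rejection was produced by API Gateway after it, so the place to look is the gateway-side configuration of that domain rather than the client certificate. The script below is an added example, not code from the question or its answer: it parses a `curl -v` transcript (using the handshake labels and header lines exactly as curl prints them, with or without the `*`, `>` and `<` marker characters that were stripped from the paste) and reports which of three outcomes occurred. The embedded transcripts are constructed abridgements of the two captures above plus one invented run without `--key`/`--cert`.

```python
"""Classify a curl -v transcript captured against an API Gateway custom domain.

Added example (not part of the original question). Three outcomes are told apart:
the TLS handshake never completed; it completed but the client presented no
certificate although the server asked for one; or TLS was fine and the gateway
itself rejected the request (visible in the x-amzn-errortype response header).
"""
import re

# Handshake messages as curl labels them; the numbers are TLS 1.2 handshake types.
SERVER_ASKED_FOR_CERT = "Request CERT (13)"
CLIENT_SENT_CERT_VERIFY = "CERT verify (15)"
HANDSHAKE_DONE = "SSL connection using"

# Response status line and header lines; an optional leading '<' marker is tolerated.
STATUS_RE = re.compile(r"^\s*<?\s*HTTP/(?:2|1\.[01])\s+(\d{3})")
HEADER_RE = re.compile(r"^\s*<?\s*([A-Za-z0-9-]+):\s*(.*)$")


def parse_transcript(text):
    """Return the TLS phase markers and the HTTP outcome found in one curl -v run."""
    result = {"handshake_completed": False, "server_requested_client_cert": False,
              "client_sent_cert_verify": False, "status": None, "headers": {}}
    in_response = False  # request headers appear before the status line; skip them
    for raw in text.splitlines():
        line = raw.strip()
        if HANDSHAKE_DONE in line:
            result["handshake_completed"] = True
        elif SERVER_ASKED_FOR_CERT in line:
            result["server_requested_client_cert"] = True
        elif CLIENT_SENT_CERT_VERIFY in line:
            result["client_sent_cert_verify"] = True
        m = STATUS_RE.match(raw)
        if m:
            result["status"] = int(m.group(1))
            in_response = True
            continue
        if in_response:
            h = HEADER_RE.match(raw)
            if h:
                result["headers"][h.group(1).lower()] = h.group(2).strip()
    return result


def classify(parsed):
    """Map a parsed transcript to a short diagnosis string."""
    if not parsed["handshake_completed"]:
        return "tls-handshake-failed"
    if parsed["server_requested_client_cert"] and not parsed["client_sent_cert_verify"]:
        return "client-cert-not-presented"
    status = parsed["status"]
    if status == 403 and parsed["headers"].get("x-amzn-errortype") == "MissingAuthenticationTokenException":
        # TLS finished (with a client certificate if one was requested), so this
        # rejection comes from the gateway's own request handling, not from mTLS.
        return "gateway-missing-auth-token"
    if status is not None and 200 <= status < 300:
        return "ok"
    return f"http-{status}" if status else "no-response"


# Constructed transcripts, abridged from the two captures in the question.
DOMAIN1 = """\
 Connected to custom-domain-name-1 (1.2.3.5) port 443 (#0)
 TLSv1.2 (IN), TLS handshake, Server finished (14):
 TLSv1.2 (OUT), TLS handshake, Finished (20):
 SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
 POST /v1 HTTP/2
 Host: custom-domain-name-1
 HTTP/2 200 
 content-type: application/json
 x-amzn-requestid: 8997bed9-b2d5-48fe-8cf2-0d9166ec489d
 Connection #0 to host custom-domain-name-1 left intact
{"success":{"token":"XYZ"}}
"""
DOMAIN2 = """\
 Connected to custom-domain-name-2 (1.2.3.4) port 443 (#0)
 TLSv1.2 (IN), TLS handshake, Request CERT (13):
 TLSv1.2 (OUT), TLS handshake, Certificate (11):
 TLSv1.2 (OUT), TLS handshake, CERT verify (15):
 SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
 POST /v1 HTTP/2
 Host: custom-domain-name-2
 HTTP/2 403 
 x-amzn-requestid: abc-123
 x-amzn-errortype: MissingAuthenticationTokenException
 content-type: application/json
 Connection #0 to host custom-domain-name-2 left intact {"message":"Missing Authentication Token"}
"""
# Constructed (not from the question): the mTLS domain called without --key/--cert.
# curl then sends an empty Certificate (11) and no CERT verify (15).
DOMAIN2_NO_CERT = """\
 Connected to custom-domain-name-2 (1.2.3.4) port 443 (#0)
 TLSv1.2 (IN), TLS handshake, Request CERT (13):
 TLSv1.2 (OUT), TLS handshake, Certificate (11):
 TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
 SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
 HTTP/2 403 
 content-type: application/json
"""


def diagnose_all():
    """Classify the three embedded transcripts; returns a name -> diagnosis mapping."""
    return {name: classify(parse_transcript(text))
            for name, text in (("domain1", DOMAIN1), ("domain2", DOMAIN2),
                               ("domain2-no-cert", DOMAIN2_NO_CERT))}


if __name__ == "__main__":
    for name, verdict in diagnose_all().items():
        print(f"{name}: {verdict}")
```

Run it as is to see the three verdicts, or pipe a real capture in with `parse_transcript(open(path).read())`. The useful property is the separation of phases: a `client-cert-not-presented` verdict is fixed on the client side, while `gateway-missing-auth-token` is reached only after a completed handshake and therefore sends you to the domain's gateway configuration.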

Solution


I solved this by enabling the missing CORS.

