Problem description
Referring to the AWS CloudFront documentation, AWS API Gateway supports TLS v1.0, v1.1, v1.2.
But I want to limit the encryption protocols to TLS v1.1 and v1.2 for my Gateway API. Where do I configure this? I do not see any CloudFront distribution for my API. The Gateway resource page does not have an option to specify the security protocol.
My API has been running in production for the last 2 years using a custom domain. Any idea how I limit my API to TLS v1.1 and v1.2 protocols only in API Gateway?
Recommended answer
In order for the Gateway API with an additional CloudFront distribution to work, we need to:
- From the AWS Console, under API Gateway go to Custom Domain Name and delete the mapped entry.
- Create a new CloudFront distribution with
CloudFront settings
- Origin Domain Name as your Gate API endpoint https://abcdfefg.execute-api.us-east-1.amazonaws.com
- Viewer Protocol Policy as HTTPS Only
- Origin SSL Protocols as TLSv1.2, TLSv1.1 (uncheck TLSv1)
- Add a CNAME entry under Alternate Domain Name to refer to the custom domain name
- and a few other defaults

After the above changes are completed, accessing the custom domain name over HTTPS will enforce the TLS security settings as defined in the CloudFront distribution.
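The console steps above written as Terraform, as an added example that is not part of the original answer. The execute-api hostname, custom domain and ACM certificate ARN are placeholders; `minimum_protocol_version` is included because the client-facing TLS floor is set on the viewer certificate, while Origin SSL Protocols only governs the CloudFront-to-origin connection.

```hcl
# Added example (not from the original answer): Terraform for a CloudFront
# distribution in front of an API Gateway endpoint, mirroring the console steps.
# The hostname, custom domain and certificate ARN below are placeholders.

variable "api_origin"    { default = "abcdfefg.execute-api.us-east-1.amazonaws.com" }
variable "custom_domain" { default = "api.example.com" }
variable "acm_cert_arn"  { default = "arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER" }

resource "aws_cloudfront_distribution" "api" {
  enabled = true
  aliases = [var.custom_domain] # Alternate Domain Name; point the DNS CNAME here

  origin {
    domain_name = var.api_origin # Origin Domain Name = the execute-api endpoint
    origin_id   = "api-gateway"
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"           # CloudFront -> API Gateway over TLS only
      origin_ssl_protocols   = ["TLSv1.1", "TLSv1.2"] # Origin SSL Protocols with TLSv1 unchecked
    }
  }

  default_cache_behavior {
    target_origin_id       = "api-gateway"
    viewer_protocol_policy = "https-only" # plain-HTTP requests are rejected, not redirected
    allowed_methods        = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
    cached_methods         = ["GET", "HEAD"]
    # API responses are not cached; the Host header is deliberately NOT forwarded,
    # because API Gateway expects its own execute-api hostname.
    forwarded_values {
      query_string = true
      headers      = ["Authorization"]
      cookies { forward = "none" }
    }
    min_ttl     = 0
    default_ttl = 0
    max_ttl     = 0
  }

  viewer_certificate {
    acm_certificate_arn      = var.acm_cert_arn # must be issued in us-east-1 for CloudFront
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.1_2016"   # client-facing floor: TLS 1.0 handshakes fail
  }

  restrictions {
    geo_restriction { restriction_type = "none" }
  }
}
```

After `terraform apply`, verify the floor from a client by attempting a TLS 1.0 handshake against the custom domain (for example `openssl s_client -tls1 -connect api.example.com:443`), which should fail while `-tls1_2` succeeds.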
This concludes the article on blocking the use of TLS v1 on AWS API Gateway; we hope the recommended answer helps.