Reputation: 22244
I believe SNI is an extension to TLS, and TLS version 1.2 does not require support for SNI as far as I looked into the RFC. TLS 1.3 requires it as mandatory, but it looks like AWS API Gateway has not adopted 1.3 yet, as per the AWS document Supported SSL/TLS Protocols and Ciphers for Regional, Private, and WebSocket API Endpoints in API Gateway.
Hence, I suppose enforcing SNI, if AWS API Gateway actually does so, is an AWS-specific requirement or limitation that should be clearly noted, but so far I could not find any AWS documentation stating so.
Hence I believe there should be AWS documentation which states the below, but please correct me if wrong.
API Gateway requires an HTTPS connection with a client that supports Server Name Indication (SNI)
You can indeed put CF dist in front of APIG, the trick is to force HTTPS only "Viewer Protocol Policy" AND to NOT forward the HOST header because APIG needs SNI.
Upvotes: 0
Views: 2259
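As an added illustration, not part of the question or either answer, here is the shape of a CloudFront DistributionConfig (legacy ForwardedValues form) that applies the two settings the question mentions: the viewer protocol policy forced to HTTPS only, and no Host header forwarded to the API Gateway origin, so CloudFront's origin connection presents the execute-api hostname as SNI. The origin domain, stage path, caller reference and IDs are placeholders, and required fields unrelated to this point (aliases, viewer certificate, logging, price class) are omitted.

```json
{
  "CallerReference": "placeholder-caller-reference",
  "Comment": "CloudFront in front of an API Gateway endpoint (added example)",
  "Enabled": true,
  "Origins": {
    "Quantity": 1,
    "Items": [
      {
        "Id": "apigw-origin",
        "DomainName": "abc123.execute-api.us-east-1.amazonaws.com",
        "OriginPath": "/prod",
        "CustomOriginConfig": {
          "HTTPPort": 80,
          "HTTPSPort": 443,
          "OriginProtocolPolicy": "https-only",
          "OriginSslProtocols": { "Quantity": 1, "Items": ["TLSv1.2"] }
        }
      }
    ]
  },
  "DefaultCacheBehavior": {
    "TargetOriginId": "apigw-origin",
    "ViewerProtocolPolicy": "https-only",
    "AllowedMethods": {
      "Quantity": 7,
      "Items": ["GET", "HEAD", "OPTIONS", "PUT", "PATCH", "POST", "DELETE"],
      "CachedMethods": { "Quantity": 2, "Items": ["GET", "HEAD"] }
    },
    "ForwardedValues": {
      "QueryString": true,
      "Cookies": { "Forward": "none" },
      "Headers": { "Quantity": 0 }
    },
    "MinTTL": 0
  }
}
```

"Headers": { "Quantity": 0 } is the "do NOT forward the HOST header" setting from the question; adding "Host" to that list would make CloudFront pass the viewer's custom domain to the origin instead of the execute-api hostname.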
Reputation: 297
As far as I know, SNI is not required for API Gateway; it is a configuration option, not a requirement.
The documentation I once used to understand a similar scenario clearly states that SNI is an option, but a dedicated IP address can be used to support users who can't use a modern TLS client (browser) that supports SNI.
Server Name Indication (SNI) is one way to associate a request with a domain. Another way is to use a dedicated IP address. If you have users who can't upgrade to a browser or client released after 2010, you can use a dedicated IP address to serve HTTPS requests.
Per your question I will assume your API Gateway is configured to use SNI with CloudFront, as also described in the following API Gateway documentation:
API Gateway supports edge-optimized custom domain names by leveraging Server Name Indication (SNI) on the CloudFront distribution.
Upvotes: 2