Does Aptible support SSL client certificates?
As described here:
Aptible Endpoints do not support SSL client authentication. Assuming you want to restrict access to your App such that clients must go through the API gateway, these are the options I can think of:
- Leverage IP Filtering to only allow access to the Endpoint from the API gateway, thus forcing all requests to go through the gateway. I don’t think API Gateways have a static IP address, but I think you can use a Lambda function with a static IP address as a proxy.
- Set up VPC peering between your VPC and the Stack’s and have the API gateway access the Aptible App via an Internal Endpoint. Your other Apps on the Stack can still technically access the Endpoint directly, but all external connections will have to go through the API gateway. I don’t think that API gateways exist in a VPC like other resources, so there are probably some caveats with this approach. Worst case scenario, a Lambda function in your VPC can be used as a proxy.
- You can set up a reverse proxy App that does support SSL client authentication and connect the API gateway to it. This will add an additional set of reverse proxies (AWS LB, Endpoint container, app container) in front of your application unless you deploy the reverse proxy in the same container as your application. You’ll need to use a TCP Endpoint and handle SSL authentication in your application using this solution. The reverse proxy App can then connect to your API via an internal Endpoint, or it can run in the same container as the API, as previously mentioned. You may find our tutorial on using nginx with Endpoints helpful for this solution. Again, the internal Endpoint can still be reached by your Apps on the Stack, but all external traffic would have to go through the reverse proxy, which should deny connections that aren’t from the API gateway.
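
A sketch of the reverse-proxy option as an nginx configuration, added here as an illustration and not part of the original answer or of Aptible's tutorial. It assumes nginx runs in the App container behind a TCP Endpoint; the port, hostnames, file paths and fingerprint value are placeholders.

```nginx
# Constructed example: every hostname, port, path and fingerprint is a placeholder.
events {}

http {
    # Optional pin: accept one specific client certificate instead of every
    # certificate the trusted CA has issued. nginx exposes the SHA-1
    # fingerprint as lowercase hex without colons.
    map $ssl_client_fingerprint $gateway_cert_ok {
        default 0;
        "REPLACE_WITH_GATEWAY_CERT_SHA1_FINGERPRINT" 1;
    }

    server {
        # A TCP Endpoint forwards raw TCP, so TLS terminates here in nginx.
        listen 8443 ssl;
        server_name api.example.com;

        ssl_certificate     /etc/nginx/tls/server.crt;
        ssl_certificate_key /etc/nginx/tls/server.key;
        ssl_protocols       TLSv1.2 TLSv1.3;

        # CA (or self-signed certificate) the gateway's client certificate
        # chains to. "on" makes nginx reject requests that present no
        # certificate or one that fails verification.
        ssl_client_certificate /etc/nginx/tls/gateway-client-ca.pem;
        ssl_verify_client on;
        ssl_verify_depth 1;

        # Enforce the pin from the map above.
        if ($gateway_cert_ok = 0) { return 403; }

        location / {
            # proxy_set_header replaces any client-supplied value, so the
            # API only ever sees the DN nginx verified.
            proxy_set_header X-Client-Cert-DN $ssl_client_s_dn;
            proxy_set_header Host $host;
            # Internal Endpoint of the API (placeholder hostname).
            proxy_pass http://internal-endpoint.example.internal;
        }
    }
}
```

Because the internal Endpoint stays reachable from other Apps on the Stack, the API should not treat the `X-Client-Cert-DN` header as proof of identity unless it only accepts traffic from this proxy.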