- Newest
- Most votes
- Most comments
Using client-side SSL certificates (often called mutual TLS or mTLS) is a solid approach for adding an extra layer of security. AWS offers a few services that can act as a 'gateway' and enforce client-side SSL certificate verification. Here's a step-by-step guide using AWS services:
1. AWS API Gateway
AWS API Gateway can also act as a 'gateway' and offers mutual TLS authentication.
Steps to Set Up:
CA and Client Certificates: Same as the above steps, you need a CA and client certificates.
Setup API Gateway:
- Create a new Regional API.
- For each endpoint in your application, create a corresponding endpoint in API Gateway.
- Configure API Gateway to route the traffic to your application. This could be done using HTTP integrations.
Configure Mutual TLS: In the API Gateway settings, configure mutual TLS and provide your CA certificate.
Deploy API: Deploy your API to a new or existing stage.
Update DNS: Point your domain's DNS settings to the API Gateway's URL.
The same principle applies here: API Gateway will verify the client certificates using the provided CA certificate.
While API Gateway is designed primarily for APIs, you can use it to serve static websites or any other web content. The key consideration is the integration type you choose. If you use HTTP/HTTP_PROXY integration, you can forward the requests to another HTTP backend (like a web server). However, keep in mind:
- There's a payload size limit on API Gateway (10 MB for requests and responses combined, as of my last update).
- API Gateway might introduce added latency because it's primarily designed for API-like workloads.
- Custom domain setups might be a bit more complex since you'd typically use API Gateway's default URL or set up a custom domain through the service.
As for the documentation, it's always a good idea to refer to the AWS official documentation for the most updated and detailed instructions. https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-mutual-tls.html
2. Using AWS Network Load Balancer (NLB) with the Target Group pointing to an NGINX
For your HTTPS pass-through requirements with client-side SSL verification, AWS Network Load Balancer (NLB) with the Target Group pointing to an NGINX (or another web server) instance or container is also an approach you can consider. This web server would handle the mTLS verification. However, this method might be a bit more involved, as you'd need to set up and maintain the NGINX configuration.
3. Distribution:
Regardless of the method you choose, distributing client certificates to employees might be a challenge. Consider:
- Creating a guide that shows them how to install the certificate in their browsers.
- Rotating the certificates periodically for added security.
- Using a certificate management solution if the scale is large.
This approach ensures that the security measure is independent of the application and can be reused for multiple applications/services as you mentioned.
This might be useful, using mTLS feature of API Gateway, Propagating valid mTLS client certificate identity to downstream services using Amazon API Gateway. You could also implement your IP allow list in a resource level policy on the API.
Relevant content
- asked 2 years ago
- asked 4 months ago
- AWS OFFICIALUpdated 3 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a month ago
- AWS OFFICIALUpdated a year ago
Thanks for your detailed answer. The ALB option sounds ideal. Looking at the console when creating an ALB and looking through the docs, I can't seem to find information about the "Configure Client Certificate Verification" step. Can you kindly point me to the relevant part of the docs? Regarding the 2nd option using API Gateway - will that work for normal web-sites/pages, or only API requests?
I apologize for any confusion. Let me correct myself, AWS Application Load Balancer (ALB) does not support client-side SSL certificate verification (mutual TLS). My mistake for mentioning it as a solution in that context. For your HTTPS pass-through requirements with client-side SSL verification, AWS Network Load Balancer (NLB) with the Target Group pointing to an NGINX (or another web server) instance or container is a more appropriate approach. This web server would handle the mTLS verification. However, this method might be a bit more involved, as you'd need to maintain NGINX configuration.
For the API Gateway: Yes, while API Gateway is designed primarily for APIs, you can use it to serve static websites or any other web content. The key consideration is the integration type you choose. If you use HTTP/HTTP_PROXY integration, you can forward the requests to another HTTP backend (like a web server). Given that the context of the ALB for mTLS was incorrect, for setting up mutual TLS on API Gateway, you can refer to the official AWS documentation on mutual TLS authentication for API Gateway. https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-mutual-tls.html
Thanks for the clarification and edit to the answer. ChatGPT4 offered the same incorrect advice as your original answer. 2 is not an option for us as we don't want to hack the existing (containerized) website service. If API gateway can serve regular web traffic (with HTTP/S, including AJAX requests and the like) then that might work.