5

I am trying to use API Gateway to route traffic to an internal network load balancer.

All routes to the base path (/) are working, so I know the VPC Link is up and reachable.

I added a proxy resource (/{proxy+}), with the ANY HTTP method. In the ANY "Integration Request" I selected:

I can see that my web server responds with a redirect:

    (b9d0c629-31ec-11e8-b452-0f13c3c62b81) Endpoint response body before transformations: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
    <title>Redirecting...</title>
    <h1>Redirecting...</h1>
    <p>You should be redirected automatically to target URL: <a href="http://abcd1234.cloudfront.net/api/">http://abcd1234.cloudfront.net/api/</a>. If not click the link.
    (b9d0c629-31ec-11e8-b452-0f13c3c62b81) Method completed with status: 301

The web page shows:

    {"message":"Forbidden"}

Also, if I try to directly link to the CloudFront URL I get the same error.

In addition to the CloudFront URL, I've also tried the following:

  1. Custom Domain Name

    403 Forbidden

  2. The URL of my deployed stage

    {"message": "Internal server error"}

What URL should be in the 'Endpoint URL' field in the integration request?

Chris Rouffer
  • You will want to begin troubleshooting this on your server, because that is what's generating the redirection. It looks like your PrivateLink is working pretty much correctly, but there is something about the incoming request that the server believes should result in a redirect. The server logs should be showing you this. – Michael - sqlbot Mar 28 '18 at 12:51
  • Thanks for the reply. The redirect is supposed to happen, and appears in the server logs. I'm a little further now: "This page is redirecting you too many times." – Chris Rouffer Mar 29 '18 at 15:12

2 Answers

1

It turns out that the API-Gateway must call the VPC Link with 'http' not 'https' for the VPC Link URL.

Chris Rouffer
  • Any documentation that mentions this, or just trial and error? – Aditya Aug 20 '19 at 04:54
  • This depends on the NLB configuration. If it's set up to accept TLS then it can be https. – Neeraj Oct 09 '20 at 08:54
  • You can have https as the VPC Link URL. You need to use the same certificate which you used to configure the custom domain in API Gateway, and the NLB must use the same certificate. I have done it in my project like this: 1. Create a certificate api.service.com and add the SAN app.service.com. 2. In the Route 53 record set, create an alias entry for app.service.com mapping to your private NLB URL. 3. Use the https://app.service.com URL instead of the auto-generated NLB DNS while configuring the method in API Gateway. – Maulik Dec 11 '20 at 22:51
  • ApiGW can absolutely integrate with an NLB which terminates TLS over VpcLink. You must specify a `uri` as part of your Integration config, i.e. `https://myNlb:{port}/`, and the NLB cert cannot be self-signed. – stowns Apr 25 '22 at 14:46
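
A consistency check for the point this answer and its comments make (the scheme in the integration URI has to match what the NLB listener on that port speaks), as an added example that is not part of the original thread. The sample records are constructed, shaped like the output of `aws apigateway get-integration` and `aws elbv2 describe-listeners`; `check_vpc_link_uri` and the finding codes are hypothetical names.

```python
from urllib.parse import urlsplit

# Constructed sample data (not from the thread). Field names follow
# `aws apigateway get-integration` and `aws elbv2 describe-listeners`.
LISTENERS = [{"Port": 80, "Protocol": "TCP"}, {"Port": 443, "Protocol": "TLS"}]
PLAIN = {"type": "HTTP_PROXY", "connectionType": "VPC_LINK",
         "uri": "http://app.example.internal/{proxy}"}
MISMATCH = {"type": "HTTP_PROXY", "connectionType": "VPC_LINK",
            "uri": "http://app.example.internal:443/{proxy}"}
NLB_NAME = {"type": "HTTP_PROXY", "connectionType": "VPC_LINK",
            "uri": "https://my-nlb-0123456789abcdef.elb.us-east-1.amazonaws.com/{proxy}"}

DEFAULT_PORT = {"http": 80, "https": 443}


def check_vpc_link_uri(integration, listeners):
    """Return (code, message) findings; an empty list means URI and listener agree."""
    if integration.get("connectionType") != "VPC_LINK":
        return [("NOT_VPC_LINK", "integration does not go through a VPC Link")]
    url = urlsplit(integration["uri"])
    if url.scheme not in DEFAULT_PORT:
        return [("BAD_SCHEME", f"unsupported scheme {url.scheme!r}")]
    port = url.port or DEFAULT_PORT[url.scheme]
    protocol = {l["Port"]: l["Protocol"] for l in listeners}.get(port)
    findings = []
    if protocol is None:
        findings.append(("NO_LISTENER", f"NLB has no listener on port {port}"))
    elif protocol == "TLS" and url.scheme == "http":
        # Plain HTTP sent to a TLS listener never completes a handshake.
        findings.append(("PLAINTEXT_TO_TLS",
                         f"http:// sent to the TLS listener on {port}; use https://"))
    elif protocol == "TCP" and url.scheme == "https":
        # A TCP listener forwards bytes unchanged, so TLS ends at the target.
        findings.append(("TLS_AT_TARGET",
                         f"TCP listener on {port} passes TLS through; the target must terminate it"))
    host = url.hostname or ""
    if url.scheme == "https" and ".elb." in host and host.endswith(".amazonaws.com"):
        # Per the comments: point a name covered by the certificate at the NLB.
        findings.append(("CERT_NAME",
                         "https:// on the auto-generated NLB name; the certificate must cover the URI hostname"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("PLAIN", PLAIN), ("MISMATCH", MISMATCH), ("NLB_NAME", NLB_NAME)):
        print(name, check_vpc_link_uri(cfg, LISTENERS))
```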
0

Everything seems to be in order in your configuration of API Gateway, including the endpoint URL.

My guess is that you are messing something up with the redirections. Is it possible that your server is redirecting to the same place again and again, or that the redirection rules always apply?

To be sure that the problem is on your server's side, try a simpler setup. Try making an API call to somewhere that doesn't redirect and just returns a simple response.

Flamma