6

I have a requirement where I need to set up a spoof/mock AWS server in my local docker compose network... The requirement is to be able to test a set of microservices without letting the microservices know that the endpoint is not actually AWS.


For example, if a microservice, which uses the AWS-SDK, tries to make a service call to create a queue, it makes a call to https://eu-west-1.queue.amazonaws.com. I have a local DNS server installed which resolves the same to a reverse proxy server (Traefik), which in turn resolves it to the mock server.

When the service call is made, the service call fails at reverse proxy level stating the below error:

traefik_1     | time="2018-10-11T15:11:28Z" level=debug msg="http: TLS handshake error from 10.5.0.7:59058: remote error: tls: unknown certificate authority"

Can anyone help me in setting up the system in such a way that the call is made successfully?

Fr_nkenstien

3 Answers

3

You're not going to be able to MITM the HTTPS API request and return a different response. You can give the SDK a different URL to hit (without HTTPS, or with a self-signed cert), and then set up a proxy to proxy requests to Amazon when you want them to be sent to Amazon, and to your other service when you want to mock them.

Some random information on how to change the api request url in the javascript SDK: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/specifying-endpoints.html (as an example)

maxm
  • Hi @maxm...while I appreciate the answer I want to point out that I am not changing the request at all...I have a localstack server which is an aws mock API...I don't know how this would work but I had thought of installing a self signed certificate on both client and server to establish trust...but as of now..the error is saying that the ca authority is unknown...any idea around that..?? – Fr_nkenstien Oct 12 '18 at 02:45
1

tls: unknown certificate authority

Based on this error message, you need to update the list of trusted CAs in your environment. This needs to be done inside each image (or resulting container) that will connect to your mock service. The process varies based on the base image you select, and this question on unix.se covers many of the methods.

The Debian process:

apt-get install ca-certificates
cp cacert.pem /usr/share/ca-certificates
dpkg-reconfigure ca-certificates

The CentOS process:

cp cacert.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust extract

The Alpine process:

apk add --no-cache ca-certificates
mkdir /usr/local/share/ca-certificates
cp cacert.pem /usr/local/share/ca-certificates/
update-ca-certificates
BMitch
0

You are going to struggle/compromise to intercept the AWS API Calls without bypassing the validation of the cert chain.

I suggest that you provide a Custom Endpoint to the AWS SDK Client in your NodeJS code to point to the LocalStack endpoint. This value could be passed using environment variables in your test environments.

var sqsClient = new AWS.SQS(
           {endpoint: process.env.SQSCLIENT}
);

Then pass the LocalStack URL into the container for test environments:

docker run -e SQSCLIENT='http://localstack:4576' mymicroservice
Matt D
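A guard around the endpoint override from the answer above, as an added example that is not part of the original answers: the SDK sends its signed requests to whatever endpoint it is given, so this refuses the override in production and accepts only listed mock hosts. The helper name `sqsClientOptions`, the `SQS_MOCK_HOSTS` variable and the `NODE_ENV` convention are assumptions; `SQSCLIENT` is the variable from the answer.

```javascript
// Added example. sqsClientOptions, SQS_MOCK_HOSTS and the NODE_ENV check are
// hypothetical; SQSCLIENT is the variable name used in the answer above.
function sqsClientOptions(env) {
  const override = env.SQSCLIENT;
  if (!override) {
    return {}; // no override: the SDK resolves the real regional AWS endpoint
  }

  // Assumption: NODE_ENV=production marks a production deployment.
  if (env.NODE_ENV === 'production') {
    throw new Error('SQSCLIENT override is not allowed in production');
  }

  let url;
  try {
    url = new URL(override);
  } catch (err) {
    throw new Error('SQSCLIENT is not a valid URL');
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error('SQSCLIENT must be an http(s) URL');
  }
  if (url.username || url.password) {
    throw new Error('SQSCLIENT must not embed credentials');
  }

  // Assumption: mock hosts are listed explicitly; default covers LocalStack.
  const allowed = (env.SQS_MOCK_HOSTS || 'localstack,localhost')
    .split(',')
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  if (!allowed.includes(url.hostname)) {
    throw new Error('SQSCLIENT host is not an allowed mock host: ' + url.hostname);
  }

  return { endpoint: url.origin }; // e.g. http://localstack:4576
}

// Usage in the service (AWS is the aws-sdk v2 module, as in the answer):
//   var sqsClient = new AWS.SQS(sqsClientOptions(process.env));
```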