
We have a container-based service running in AWS ECS with the front end hosted by AWS Cloudfront, and authorization handled by AWS Cognito. I'm trying to configure Wiremock to be a proxy for this service so I can record the calls and mappings to later use in unit tests for a client app I'm writing in python.

I'm running the Wiremock server in standalone mode, and have it proxying calls to the url of our service. However, Cloudfront keeps returning either a 403-Bad Request error or 403-Forbidden error when I connect via Wiremock.

When I use curl, and pass all the correct headers (Content-Type: application/json, Authentication: Bearer ) it works just fine when I use https://myservice.example.com/api/foo. But as soon as I swap out "myservice.example.com" for "localhost:8000", I get the Cloudfront generated errors.

I'm guessing I have some mis-configuration where, despite passing the headers to Wiremock, I haven't properly told Wiremock to pass those headers on to "the service", which is really Cloudfront.

Not being a Java guy, I'm finding the Wiremock docs a little difficult to understand, and am trying to use the command-line arguments to configure Wiremock like this:

/usr/bin/java -jar \
  ./wiremock-jre8-standalone-2.35.0.jar \
  --port=8000 \
  --verbose \
  --root-dir=test_data/wiremock \
  --enable-browser-proxying \
  --preserve-host-header \
  --print-all-network-traffic \
  --record-mappings \
  --trust-proxy-target=https://myservice.example.com \
  --proxy-all=https://myservice.example.com

Request:

$ curl -k -X GET -H "Content-Type: application/json" \
    -H "Authorization: Bearer ${JWT}" \
    http://127.0.0.1:8000/api/foo

Response:

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>CloudFront</center>
</body>
</html>

When using exactly the same curl command, but changing the URL to point directly at my service instead of the proxy, I get the response I expected (hoped for?) through the proxy:

curl -k -X GET -H "Content-Type: application/json" \
    -H "Authorization: Bearer ${JWT}" \
    https://myservice.example.com/api/foo

[
  {
    "id": "09d91ea0-7cb0-4786-b3fc-145fc88a1a3b",
    "name": "foo",
    "created": "2022-06-09T02:32:11Z",
    "updated": "2022-06-09T20:08:43Z"
  },
  {
    "id": "fb2b6454-4336-421a-bc2f-f1d588a78d12",
    "name": "bar",
    "created": "2022-10-05T06:23:24Z",
    "updated": "2022-10-05T18:34:32Z"
  }
]

Any help would be greatly appreciated.

Thanks.

pll
  • Could you paste the full details of the request you're making and the errors you're seeing? – Tom Dec 19 '22 at 11:25
  • @Tom - Edited the above to show the request and responses. – pll Dec 21 '22 at 13:45
  • Try removing --preserve-host-header as I think this might result in it sending Host:localhost:8000, which cloudfront wouldn't recognise. – Tom Dec 21 '22 at 15:47
  • Tried that and ended up with: ``` AccessDeniedAccess DeniedP79J6RD20TG52SABwLTVtyNfR3KMoXC9vVUQYVsnp92PxPRyvXkISwnraDYxMabiTNbW6ngStK6iQUlieusIHevLxOU=``` – pll Dec 22 '22 at 01:58
  • Are you trying to access an AWS API or a service of your own via Cloudfront? – Tom Dec 22 '22 at 18:26
  • The latter. The service is our own. The API is our own. The service is front-ended by Cloudfront. Thus, https://myservice.example.com/api/foo first hits CF and gets redirected to the actual container running the service. Which means http://127.0.0.1:8000/api/foo must proxy for https://myservice.example.com/api/foo, and traffic will hit CF, then my service. I wonder if I somehow have to also handle *.cloudfront.net, since myservice.example.com resolves to CF IPs. – pll Dec 23 '22 at 01:03
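Since the stated end goal is to replay recorded WireMock mappings in Python unit tests, here is an added example (written for this page, not code from the question or from WireMock) of a minimal in-process matcher for WireMock's stub-mapping JSON. The two mappings are constructed by hand in the shape `--record-mappings` writes to `<root-dir>/mappings/*.json`: the recorded GET /api/foo that requires a bearer token, plus a lower-priority catch-all returning 403 so tests also cover the unauthenticated path; the ids and bodies are placeholders.

```python
import re

# Constructed stand-ins for files WireMock would write to mappings/*.json.
# Field names (priority, urlPath, urlPathPattern, headers matchers, jsonBody)
# follow WireMock's stub-mapping format; values are placeholders.
CONSTRUCTED_MAPPINGS = [
    {
        "priority": 1,  # lower number wins; WireMock's default is 5
        "request": {
            "method": "GET",
            "urlPath": "/api/foo",
            "headers": {"Authorization": {"matches": "Bearer .+"}},
        },
        "response": {
            "status": 200,
            "headers": {"Content-Type": "application/json"},
            "jsonBody": [{"id": "placeholder-id", "name": "foo"}],
        },
    },
    {   # Catch-all for unauthenticated /api requests, mimicking the 403.
        "priority": 9,
        "request": {"method": "ANY", "urlPathPattern": "/api/.*"},
        "response": {"status": 403, "body": "Forbidden"},
    },
]

def _header_matches(rule, value):
    """Evaluate one WireMock header matcher against the received value."""
    if "absent" in rule:
        return value is None
    if value is None:
        return False
    if "equalTo" in rule:
        return value == rule["equalTo"]
    if "matches" in rule:  # WireMock 'matches' is a whole-value regex match
        return re.fullmatch(rule["matches"], value) is not None
    return "contains" in rule and rule["contains"] in value

def _request_matches(rule, method, path, headers):
    if rule.get("method", "ANY") not in ("ANY", method):
        return False
    if "urlPath" in rule and rule["urlPath"] != path:
        return False
    if "urlPathPattern" in rule and not re.fullmatch(rule["urlPathPattern"], path):
        return False
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    return all(_header_matches(r, lowered.get(n.lower())) for n, r in rule.get("headers", {}).items())

def resolve(mappings, method, path, headers):
    """Return (status, body) of the best-matching stub, or (404, None) if none match."""
    hits = [m for m in mappings if _request_matches(m["request"], method, path, headers)]
    if not hits:
        return 404, None
    resp = min(hits, key=lambda m: m.get("priority", 5))["response"]
    return resp["status"], resp.get("jsonBody", resp.get("body"))
```

In a real test, load the recorded files with `json.load` into the list in place of `CONSTRUCTED_MAPPINGS` and point the client under test at `resolve`.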
