AWS API 网关 returns 403 一些和 200 一些

AWS API gateway returns 403 for some and 200 for others

我有一个 api 网关端点,对我来说 returns 200,但是当它被第三方调用时,他们得到 403。

我通过 curl 请求和 python 请求并获得 200

Bash:

curl -X POST -v --http1.1 https://939pd1ndql.execute-api.us-east-1.amazonaws.com/default/bitbucket-events

Python

requests.post('https://939pd1ndql.execute-api.us-east-1.amazonaws.com/default/bitbucket-events',

每个请求我得到 200 个响应。

但是,当第三方调用端点时,他们会得到

HTTPSConnectionPool(host='939pd1ndql.execute-api.us-east-1.amazonaws.com', port=443): Max retries exceeded with url: /default/bitbucket-events (Caused by ProxyError('Cannot connect to proxy.', error('Tunnel connection failed: 403 Forbidden',)))

第三部分是 bitbucket - 我正在尝试创建 bitbucket 应用程序(实际上只是一个 JSON 有效负载告诉 bitbucket 创建一个 webhook):

我无法控制 bitbucket 如何执行请求,而且请求非常不透明,但我将其指向 ngrok 并拦截了它发出的请求:

POST /default/bitbucket-events HTTP/1.1
Host: 939pd1ndql.execute-api.us-east-1.amazonaws.com
User-Agent: python-requests/2.22.0
Content-Length: 2292
Accept: */*
Accept-Encoding: gzip, deflate
Content-Type: application/json
Sentry-Trace: 00-41043c2935294252aa25ac44716a2300-86324af91ef0493e-00
X-Forwarded-For: 104.192.142.247
X-Forwarded-Proto: https
X-Newrelic-Id: VwMGVVZSGwQJVFVXDwcPXg==
X-Newrelic-Transaction: PxQPB1daXQMHVwRWAQkDUQUIFB8EBw8RVU4aWl4JDVcDUgoEBVcLVlNXDkNKQQoBBlZRAAQHFTs=

{LOTS OF JSON HERE}

bitbucket 发送的请求中没有任何内容看起来会导致此问题。

我从 c​​url 命令得到的响应是:

*   Trying 3.84.56.177...
* TCP_NODELAY set
* Connected to 939pd1ndql.execute-api.us-east-1.amazonaws.com (3.84.56.177) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=*.execute-api.us-east-1.amazonaws.com
*  start date: Jul 22 00:00:00 2021 GMT
*  expire date: Aug 20 23:59:59 2022 GMT
*  subjectAltName: host "939pd1ndql.execute-api.us-east-1.amazonaws.com" matched cert's "*.execute-api.us-east-1.amazonaws.com"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
> POST /default/bitbucket-events HTTP/1.1
> Host: 939pd1ndql.execute-api.us-east-1.amazonaws.com
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Tue, 12 Apr 2022 22:00:39 GMT
< Content-Type: application/json
< Content-Length: 0
< Connection: keep-alive
< x-amzn-RequestId: 78585bb0-5db4-4273-9333-45ef8b44952d
< Access-Control-Allow-Origin: *
< x-amz-apigw-id: QfN1IHrSoAMFrMw=

我现在已经将 api 网关下放为一个模拟端点,returns 200 响应:

并且我已将日志记录设置为非常响亮:

但我只看到日志条目是我发出的 curl 和 python 请求的结果。 bitbucket 请求不会生成日志行。

这是否意味着 bitbucket 请求在我的 api 网关处理请求之前被 AWS 拒绝了?我没有启用 WAF

如你所知,我 运行 没主意了。

我复制了您的设置,但使用了我自己的 API 网关。虽然我能够安装该应用程序,但强烈怀疑它与您的 API 网关设置有关。

我使用的是完全相同的应用程序描述符,只有 URL 不同。

{
    "key": "codereview.doctor.staging",
    "name": "Code Review Doctor Staging",
    "description": "Target lambdas with 'staging' version alias",
    "vendor": {
        "name": "Code Review Doctor",
        "url": "https://codereview.doctor"
    },
    "baseUrl": "https://fj7987nlx3.execute-api.ap-southeast-1.amazonaws.com",
    "authentication": {
        "type": "jwt"
    },
    "lifecycle": {
        "installed": "/default/bitbucket-events",
        "uninstalled": "/default/bitbucket-events"
    },
    "modules": {
        "webhooks": [
            {
                "event": "pullrequest:created",
                "url": "/default/bitbucket-events"
            },
            {
                "event": "pullrequest:updated",
                "url": "/default/bitbucket-events"
            },
            {
                "event": "pullrequest:fulfilled",
                "url": "/default/bitbucket-events"
            }
        ]
    },
    "scopes": ["account", "repository", "pullrequest"],
    "contexts": ["account"]
}

我的 API GW POST 配置看起来和你的完全一样,所以不同之处可能在其他地方。

请注意,我已经删除了我的 API GW 阶段,因此您暂时无法使用我的进行测试。