Set the minimum TLS version to 1.2 for API Gateway

I have a Lambda API Gateway, for example

https://x6c5e11xkc.execute-api.ap-northeast-1.amazonaws.com/prod/c

Now I just want to set TLS for this to 1.2 or higher.

I found the documentation below, but I'm not sure what a custom domain is... Is my URL a custom domain???

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html

Where should I set this??

My curl response is here

$curl -s -v --tlsv1.1  https://x6c5e11xkc.execute-api.ap-northeast-1.amazonaws.com/prod/c

*   Trying 65.9.17.XX:443...
* Connected to x6c5e11xkc.execute-api.ap-northeast-1.amazonaws.com (65.9.17.49) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.execute-api.ap-northeast-1.amazonaws.com
*  start date: Sep 27 00:00:00 2021 GMT
*  expire date: Oct 26 23:59:59 2022 GMT
*  subjectAltName: host "x6c5e11xkc.execute-api.ap-northeast-1.amazonaws.com" matched cert's "*.execute-api.ap-northeast-1.amazonaws.com"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x11f80b600)
> GET /prod/c HTTP/2
> Host: x6c5e11xkc.execute-api.ap-northeast-1.amazonaws.com
> user-agent: curl/7.79.1
> accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!

< HTTP/2 400 
< content-type: application/json
< content-length: 0
< date: Thu, 26 May 2022 02:41:55 GMT
< x-amzn-requestid: 73059bd5-7dae-4366-9a43-22fa50a331f2
< x-amz-apigw-id: StlUpHXeNjMFlww=
< x-amzn-trace-id: Root=1-628ee8ea-4bac852e062cd9bc28c64bf8;Sampled=0
< x-cache: Error from cloudfront
< via: 1.1 1eb001a93e05e8dbbe3865b069b8c264.cloudfront.net (CloudFront)
< x-amz-cf-pop: BKK50-C1
< x-amz-cf-id: T3RAkLW5HAdfnuxcVXlRHniwdNiI2JMyMzPxkAqcof1AkMTmJ7r0TQ==
< 

not sure what the custom domain is

That is the domain name you bought yourself for the API, e.g. api.myapp.com. Only when you have your own domain associated with API Gateway can you control its TLS settings.

https://kfskdfs.execute-api.ap-northeast-1.amazonaws.com/prod/webhook is owned by AWS, so you cannot control its SSL certificate or any related settings.

A custom domain is a domain you own, e.g. mydomain.com. You can set it up in the API Gateway console and, most importantly, you can assign it a certificate from ACM (AWS Certificate Manager) while creating the custom domain with the TLS policy you need (TLS 1.0 or 1.2). So navigate to ACM, create a certificate for your domain, then assign it to the custom domain.

Create the ACM certificate

Create the custom domain and assign the ACM certificate

Finally, select the API mappings tab and configure the API mapping: select the API and the stage.

API mapping

Make sure DNS is configured to point at the API Gateway domain name, e.g. you can use Route 53 and add a new A (ALIAS) record.

Regarding TLS, it is backward compatible, meaning that after upgrading the default to 1.2, systems using 1.1 and 1.0 will keep working, so if any of your processing needs 1.0 or 1.1 it will remain available. Still, it is recommended that developers upgrade their code to run only on TLS 1.2.

Hope this information helps.
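The same procedure as AWS CLI commands, plus the check a practitioner would want afterwards. This is an added example, not code from the question or the answer above. It assumes a custom domain api.example.com, a REGIONAL endpoint, and placeholder ARNs and hosted-zone ids (none of these are in the original; the API id x6c5e11xkc and stage prod are the ones from the question). Two caveats the thread does not spell out: the `--security-policy TLS_1_2` setting on the custom domain is what makes API Gateway refuse TLS 1.0/1.1 handshakes (TLS_1_0 is the weak setting), and `curl --tlsv1.1` as used in the question only sets the minimum version curl will accept, so the TLSv1.3 result there says nothing about whether 1.1 is still accepted; `--tls-max 1.1` caps the offered version and is the right probe.

```shell
#!/bin/sh
# Added example, not code from the original post. Creates a custom domain for the
# REST API in the question with the TLS_1_2 security policy, maps the prod stage
# onto it, and checks the result. Assumed (not in the post): the domain
# api.example.com, a REGIONAL endpoint, placeholder ARNs and zone ids.
# DRY_RUN=1 (the default) prints each aws command instead of executing it.
set -eu

REGION="${REGION:-ap-northeast-1}"
DOMAIN="${DOMAIN:-api.example.com}"        # hypothetical custom domain
REST_API_ID="${REST_API_ID:-x6c5e11xkc}"   # the API id from the question
STAGE="${STAGE:-prod}"
DRY_RUN="${DRY_RUN:-1}"

run() {  # print the command in dry-run mode, otherwise execute it
  if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# 1. Request an ACM certificate in the API's own region (REGIONAL domains need
#    a certificate in that region; EDGE domains need one in us-east-1).
request_cert() {
  run aws acm request-certificate --region "$REGION" \
    --domain-name "$DOMAIN" --validation-method DNS
}

# 2. Create the custom domain with security policy TLS_1_2. This is the setting
#    that rejects TLS 1.0/1.1 handshakes; TLS_1_0 is the weak choice.
create_domain() {  # $1 = ARN of the validated certificate
  run aws apigateway create-domain-name --region "$REGION" \
    --domain-name "$DOMAIN" \
    --regional-certificate-arn "$1" \
    --endpoint-configuration types=REGIONAL \
    --security-policy TLS_1_2
}

# 2b. Tighten a custom domain that already exists with TLS_1_0.
set_policy_tls12() {
  run aws apigateway update-domain-name --region "$REGION" \
    --domain-name "$DOMAIN" \
    --patch-operations op=replace,path=/securityPolicy,value=TLS_1_2
}

# 3. Map the API stage onto the domain (no --base-path = served at the root).
create_mapping() {
  run aws apigateway create-base-path-mapping --region "$REGION" \
    --domain-name "$DOMAIN" --rest-api-id "$REST_API_ID" --stage "$STAGE"
}

# 4. Route 53 change batch for an A (ALIAS) record to the regional endpoint.
#    Both values come from: aws apigateway get-domain-name --domain-name "$DOMAIN"
#      --query '[regionalDomainName,regionalHostedZoneId]' --output text
alias_change_batch() {  # $1 = regionalDomainName, $2 = regionalHostedZoneId
  printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"A","AliasTarget":{"HostedZoneId":"%s","DNSName":"%s","EvaluateTargetHealth":false}}}]}' \
    "$DOMAIN" "$2" "$1"
}

# Extract the negotiated protocol ("TLSv1.3", "TLSv1.2", ...) from `curl -v`
# output read on stdin; prints nothing if no handshake line is present.
tls_version_from_curl() {
  awk '/^\* SSL connection using /{print $5; exit}'
}

# Verification. `curl --tlsv1.1` (as in the question) only sets the *minimum*
# version, so a TLSv1.3 result proves nothing. `--tls-max 1.1` caps the offer;
# with TLS_1_2 the handshake must fail, so a successful request here means the
# domain still accepts old TLS.
probe_tls11_rejected() {
  if curl -s -o /dev/null --tls-max 1.1 "https://$DOMAIN/" 2>/dev/null; then
    echo "WARN: $DOMAIN still accepts TLS 1.1"; return 1
  fi
  echo "OK: $DOMAIN rejects TLS 1.1"
}

main() {
  request_cert
  # Wait for DNS validation to finish, then pass the real certificate ARN
  # (placeholder here).
  create_domain "arn:aws:acm:$REGION:123456789012:certificate/PLACEHOLDER"
  create_mapping
  run aws route53 change-resource-record-sets \
    --hosted-zone-id "${HOSTED_ZONE_ID:-ZPLACEHOLDER}" \
    --change-batch "$(alias_change_batch "d-placeholder.execute-api.$REGION.amazonaws.com" ZTARGETPLACEHOLDER)"
}

# Run the dry-run walkthrough with: RUN_MAIN=1 sh thisfile.sh
# Real execution: RUN_MAIN=1 DRY_RUN=0 HOSTED_ZONE_ID=Z... sh thisfile.sh
if [ "${RUN_MAIN:-0}" = "1" ]; then main; fi
```

Once DNS has propagated, `probe_tls11_rejected` should print the OK line and `curl -v https://api.example.com/ 2>&1 | tls_version_from_curl` should print TLSv1.2 or TLSv1.3. The default execute-api hostname from the question is not affected by any of this; only the custom domain carries the security policy.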