On AWS, is it possible to have CloudFront proxy requests to API Gateway while maintaining the request’s query string

amazon-api-gatewayamazon-cloudfrontamazon-web-servicescachePROXY

I have a CloudFront distribution configured with multiple Origins, including an API Gateway deployment.

I'm trying to create a Behavior on CloudFront so that any requests received to a /api/* path will be redirected to the API Gateway and what I did was to simply create a new Behavior with the path pattern as /api/* and Origin as the API Gateway deployment I mentioned. This works, however any requests containing a query string in it, such as /api/data?since=2020-01-01, will result in a request to API Gateway without the query string, i.e, what will reach API GW is simply /api/data.

To solve this problem, I tried to set a Cache Policy of Managed-CachingOptimized (or even Managed-CachingDisabled) and an Origin Request Policy of Managed-AllViewer, but then CloudFront started ignoring completely that Behavior and processing the next one in line, which happens to be a S3 bucket. Once the request is sent to the S3 bucket, I get a 404 back as there's no such key in there.

I also tried to use the "Legacy Cache settings", but the same problem is happening.

Is it possible at all to have this "proxy" implemented with CloudFront and API GW? If yes, how would I do that?

Thanks

Best Answer

This caught me out too, with both the query string and headers such as Authorization.

However, the docs state that to pass the Authorization header to the origin it must be used as a cache key:

Cache key settings specify the values in viewer requests that CloudFront includes in the cache key. The values can include URL query strings, HTTP headers, and cookies. The values that you include in the cache key are automatically included in requests that CloudFront sends to the origin, known as origin requests.

and

Note: You can't use an origin request policy to forward the Authorization header. The header must be a part of the cache key to prevent the cache from satisfying unauthorized requests. CloudFront returns an HTTP 400 error if you try to create an origin request policy that forwards the Authorization header.

Additionally, note that in relation to the Origin Request Policy Managed-AllViewer, the issue looks to be the forwarding of the Host header to API Gateway; see https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/571#issuecomment-792051286 i.e. we can't use the Managed-AllViewer for API Gateway origins.

See

As part of a CDK cloudfront.Distribution() construct:

const apiCachePolicy = new cloudfront.CachePolicy(this, 'ApiCachePolicy', {
        headerBehavior: cloudfront.CacheHeaderBehavior.allowList('authorization'),
        queryStringBehavior: cloudfront.CacheQueryStringBehavior.all(),
        cookieBehavior: cloudfront.CacheCookieBehavior.none(),
        minTtl: Duration.minutes(0),
        maxTtl: Duration.minutes(1),
        defaultTtl: Duration.minutes(0),
        enableAcceptEncodingGzip: true,
        enableAcceptEncodingBrotli: true,
    });

Related Solutions

How to configure Cloudfront’s ‘Cache Behavior->Path Pattern’ to include query parameters

The Path Pattern unfortunately does not include/support the query part of a URL (See http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.2) - only the path part of it.

From http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesPathPattern :

When CloudFront receives an end-user request, the requested path is compared with path patterns in the order in which cache behaviors are listed in the distribution.

[Emphasis added]

How to setup Route 53 to point to Api Gateway

You have to create a SSL certificate using the Certificate Manager. For an edge endpoint, create it in eu-east-1, for regional and private endpoints, create it in the region you are deploying the API gateway in (or the lambda). Read more here. I will refer to the ARN as CertificateArn

You have to configure a AWS::ApiGateway::DomainName:

"MyDomainName": {
  "Type": "AWS::ApiGateway::DomainName",
  "Properties": {
    "DomainName": {"Ref: "DomainName"},
    "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/fb1b9770-a305-495d-aefb-27e5e101ff3"
  }
}

This enables the Domain for the API Gateway. Next, you need to expose the API (i.e. your RestAPI), in a specific deployment stage. In your template, your have no deployment stages. Take a look a AWS::ApiGateway::Stage. A minimal example would look like this:

"Prod": {
            "Type": "AWS::ApiGateway::Stage",
            "Properties": {
                "StageName": "Prod",
                "Description": "Prod Stage",
                "RestApiId": {
                    "Ref": "APIGateway"
                },
                "DeploymentId": {
                    "Ref": "APITDeploymentTest"
                },
}

However, you most likely want some additional configuration in that. I suggest you take a look at the MethodSettings property.

At last, deploy a basepath mapping resource: AWS::ApiGateway::BasePathMapping. I suggest you map the basepath to the stage you created like this:

"ProdDomainBasePath": {
  "Type" : "AWS::ApiGateway::BasePathMapping",
  "Properties" : {
    "DomainName" : {"Ref: "DomainName"},
    "RestApiId" : {"Ref": "APIGateway"},
    "Stage" : "Prod"
  }
}

If you change an AWS::ApiGateway::Stage resource, you have to force an update on the corresponding AWS::ApiGateway::Deployment resource - this usually means renaming the AWS::ApiGateway::Deployment resource, to keep that in mind. Otherwise, it wont be deployed.

That should do it.

Best Answer

Related Solutions

How to configure Cloudfront’s ‘Cache Behavior->Path Pattern’ to include query parameters

How to setup Route 53 to point to Api Gateway

Related Topic