0

This is more of a technical question than anything code related. I have an expressjs app running on api-gateway using aws-serverless-express, which allows you to port an expressjs app with minimal changes on api-gateway. But because APIG generates a url for you for each deployment of the api, with an api-id in it, this is not client friendly. So I set up a cloudfront distribution pointing to APIG's url.

However when I run the app, the url displayed in the browser is not the one generated by cloudfront (although I use that url to go to the app) but the one APIG created.

I know there is an option within APIG to set a custom domain name, and that, after doing some research, APIG sets up a Cloudfront Distribution in the background, but because I was not the one setting up the DNS service and do not have permissions to change these settings for this specific role/region on aws, was wondering if the problem lies in the fact that the custom url was not set-up through APIG's options?

hyprstack
  • Have you tried setting up a CNAME record in your DNS pointing to the API gateway's url? – barudo Nov 21 '16 at 11:34
  • Yeap, currently that is what is set-up. – hyprstack Nov 21 '16 at 11:35
  • hmmm... ok so you have no access to your DNS...tsk tsk.... – barudo Nov 21 '16 at 11:37
  • nope. only read permissions. I am trying to figure out if the reason the url being displayed has to do with the fact that the DNS was set up "separately" from APIG as opposed to following this http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html – hyprstack Nov 21 '16 at 12:01

3 Answers

3

If you enter the correct URL into a browser's address bar and press ENTER, then this page is displayed. The URL in the browser's address bar may change if the server sends a redirect status code (301, 302, 307 etc.).

To debug this, open the Web inspector in your browser, select the Network tab, and follow the HTTP requests. If you see a redirect status, look into the headers to find out which system sent it.

EDIT: API Gateway is sending a 301 to redirect to HTTPS if it is accessed by CloudFront via HTTP. This seems to be the problem here. As pointed out in the other answer, forcing CloudFront to access API Gateway via HTTPS-only fixes that problem.

Digitalkapitaen
  • If it is doing a redirect, it is doing it behind the scenes and is something I do not want to alter. Indeed there is a redirect status (301) when the request is first sent to cloudfront and has a Location header set to the apigateway url. Looking at the chrome://net-internals tools, especially the DNS tab, I am shown a DNS service for my cloudfront url and one for the apigateway url. Is this suggesting that I have a DNS service calling another DNS service? – hyprstack Nov 21 '16 at 15:53
  • If you have a 301 then DNS is not your problem. DNS is like a phonebook: if you know the name (like www.example.com), your browser uses DNS to look up the IP number of that service. The browser then connects to ("calls") that number. And a 301 is basically the server ("person") on the other end telling you to call somebody else. So if your initial connect goes to CloudFront, then you need to trace from there who is sending the 301. As CloudFront and the API Gateway do not regularly send 301s to other services, your express app is a good candidate to look at. (Disable the app to prove that.) – Digitalkapitaen Nov 22 '16 at 08:07
  • thanks for taking the time to post an explanation and possible solution. However it was the DNS configuration that was the issue as explained in my answer below. – hyprstack Nov 22 '16 at 10:53
3

Found the correct answer here in another SO question!

Essentially had to change a few settings in cloudfront.

Checked the "Viewer Protocol Policy" on my CloudFront distribution was set to either "Redirect HTTP to HTTPS" or "HTTPS Only" and set "Origin Protocol Policy" to "HTTPS Only".

That seemed to fix the issue for me.

hyprstack
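
As an added example (not part of the original answers): a check over a CloudFront distribution config for the two settings named in the answer above. The field names follow the `DistributionConfig` structure returned by `aws cloudfront get-distribution-config`; the sample config, its placeholder domain name and the function names are constructed for illustration.

```javascript
// Constructed sample shaped like a CloudFront DistributionConfig.
// The origin domain is a placeholder, not a real endpoint.
const sampleConfig = {
  Origins: { Items: [{
    Id: "apig-origin",
    DomainName: "API_ID.execute-api.REGION.amazonaws.com",
    CustomOriginConfig: { OriginProtocolPolicy: "match-viewer" },
  }] },
  DefaultCacheBehavior: { TargetOriginId: "apig-origin", ViewerProtocolPolicy: "allow-all" },
  CacheBehaviors: { Quantity: 0 },
};

// Returns a list of findings; an empty list means both settings from the
// answer are in place on every custom origin and every cache behavior.
function auditProtocolPolicies(config) {
  const findings = [];
  for (const origin of config.Origins?.Items ?? []) {
    // S3 origins carry no CustomOriginConfig and are skipped.
    const policy = origin.CustomOriginConfig?.OriginProtocolPolicy;
    if (policy !== undefined && policy !== "https-only") {
      findings.push(`origin ${origin.Id}: OriginProtocolPolicy=${policy}, expected https-only`);
    }
  }
  const behaviors = [
    ["default", config.DefaultCacheBehavior],
    ...(config.CacheBehaviors?.Items ?? []).map((b) => [b.PathPattern, b]),
  ];
  for (const [name, behavior] of behaviors) {
    const policy = behavior?.ViewerProtocolPolicy;
    if (policy !== "redirect-to-https" && policy !== "https-only") {
      findings.push(`behavior ${name}: ViewerProtocolPolicy=${policy}, expected redirect-to-https or https-only`);
    }
  }
  return findings;
}

// The same distribution with the change described in the answer applied.
function withHttpsOnly(config) {
  const fixed = JSON.parse(JSON.stringify(config));
  for (const origin of fixed.Origins.Items) {
    if (origin.CustomOriginConfig) origin.CustomOriginConfig.OriginProtocolPolicy = "https-only";
  }
  fixed.DefaultCacheBehavior.ViewerProtocolPolicy = "redirect-to-https";
  return fixed;
}

console.log(auditProtocolPolicies(sampleConfig));
console.log(auditProtocolPolicies(withHttpsOnly(sampleConfig)));
```

An origin left on `match-viewer` or `http-only` is the case where CloudFront can reach API Gateway over HTTP, which the first answer identifies as the source of the 301 that exposes the API Gateway URL.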
0

I'd advise not to set up a CF distribution pointing at your API Gateway endpoint. API Gateway already includes a CF distribution. If you already have a domain name and a cert, you can easily import that into API Gateway directly using the 'Custom Domain Name' feature: http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html

jackko
  • 1
    The reason people like putting the cloudfront ahead of the apigateway is that apigateway has no support for certificate manager, whereas cloudfront does. One less thing to manage. It also allows you to have your static content and api (example.com/api) in the same url, and not have to deal with CORS. That said, this only works for public websites that aren't using IAM authentication. – Atif Feb 07 '17 at 14:40