By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How-to create a HTTPS pass-through to verify client-side SSL cert?

0

Our organization operates a web-site for internal employees only (HTTPS), that is accessible world-wide. While the software serving the website has it's own common authentication (login & session cookies), we don't trust it enough to open it up to the public Internet. Currently, we're using a procedure where we white-list IP addresses in an EC2 security group. I know this isn't fool-proof, but at least provides a deterrent. However, it is hard to manage the, often dynamic, set of white-listed IP addresses.

We're thinking that client-side SSL certificates may be a good alternative. We don't need to integrate them for individual user-level authentication into the existing website, but would like to just block HTTPS requests that don't present a client-side SSL cert that we've provided. Probably a single certificate we can distribute to employees to install in their browsers would suffice, though if several can be supported, that would be better.

Can someone recommend a good approach for setting up a 'gateway' through which HTTPS requests can be routed to the final website, such that they'd be blocked if not presenting a given client-side SSL cert? I realize it is likely possible to configure this on the website itself, but I'd prefer if it was possible to do it independently. (and we can also duplicate the mechanism for access to other internal sites that use different web service software).

Thank you.

Topics
Front-End Web & MobileNetworking & Content DeliveryDevOpsAWS Well-Architected Framework
Tags
Front-End Web & MobileNetworking & Content DeliveryDevOpsSecurity
Language
English
DavidJ
asked 8 months ago920 views
2 Answers
0

Using client-side SSL certificates (often called mutual TLS or mTLS) is a solid approach for adding an extra layer of security. AWS offers a few services that can act as a 'gateway' and enforce client-side SSL certificate verification. Here's a step-by-step guide using AWS services:

1. AWS API Gateway

AWS API Gateway can also act as a 'gateway' and offers mutual TLS authentication.

Steps to Set Up:

CA and Client Certificates: Same as the above steps, you need a CA and client certificates.

Setup API Gateway:

  • Create a new Regional API.
  • For each endpoint in your application, create a corresponding endpoint in API Gateway.
  • Configure API Gateway to route the traffic to your application. This could be done using HTTP integrations.

Configure Mutual TLS: In the API Gateway settings, configure mutual TLS and provide your CA certificate.

Deploy API: Deploy your API to a new or existing stage.

Update DNS: Point your domain's DNS settings to the API Gateway's URL.

The same principle applies here: API Gateway will verify the client certificates using the provided CA certificate.

While API Gateway is designed primarily for APIs, you can use it to serve static websites or any other web content. The key consideration is the integration type you choose. If you use HTTP/HTTP_PROXY integration, you can forward the requests to another HTTP backend (like a web server). However, keep in mind:

  • There's a payload size limit on API Gateway (10 MB for requests and responses combined, as of my last update).
  • API Gateway might introduce added latency because it's primarily designed for API-like workloads.
  • Custom domain setups might be a bit more complex since you'd typically use API Gateway's default URL or set up a custom domain through the service.

As for the documentation, it's always a good idea to refer to the AWS official documentation for the most updated and detailed instructions. https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-mutual-tls.html

2. Using AWS Network Load Balancer (NLB) with the Target Group pointing to an NGINX

For your HTTPS pass-through requirements with client-side SSL verification, AWS Network Load Balancer (NLB) with the Target Group pointing to an NGINX (or another web server) instance or container is also an approach you can consider. This web server would handle the mTLS verification. However, this method might be a bit more involved, as you'd need to set up and maintain the NGINX configuration.

3. Distribution:

Regardless of the method you choose, distributing client certificates to employees might be a challenge. Consider:

  • Creating a guide that shows them how to install the certificate in their browsers.
  • Rotating the certificates periodically for added security.
  • Using a certificate management solution if the scale is large.

This approach ensures that the security measure is independent of the application and can be reused for multiple applications/services as you mentioned.

AWS
Saad
answered 8 months ago
  • DavidJ
    8 months ago

    Thanks for your detailed answer. The ALB option sounds ideal. Looking at the console when creating an ALB and looking through the docs, I can't seem to find information about the "Configure Client Certificate Verification" step. Can you kindly point me to the relevant part of the docs? Regarding the 2nd option using API Gateway - will that work for normal web-sites/pages, or only API requests?

  • Saad
    8 months ago

    I apologize for any confusion. Let me correct myself, AWS Application Load Balancer (ALB) does not support client-side SSL certificate verification (mutual TLS). My mistake for mentioning it as a solution in that context. For your HTTPS pass-through requirements with client-side SSL verification, AWS Network Load Balancer (NLB) with the Target Group pointing to an NGINX (or another web server) instance or container is a more appropriate approach. This web server would handle the mTLS verification. However, this method might be a bit more involved, as you'd need to maintain NGINX configuration.

  • Saad
    8 months ago

    For the API Gateway: Yes, while API Gateway is designed primarily for APIs, you can use it to serve static websites or any other web content. The key consideration is the integration type you choose. If you use HTTP/HTTP_PROXY integration, you can forward the requests to another HTTP backend (like a web server). Given that the context of the ALB for mTLS was incorrect, for setting up mutual TLS on API Gateway, you can refer to the official AWS documentation on mutual TLS authentication for API Gateway. https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-mutual-tls.html

  • DavidJ
    8 months ago

    Thanks for the clarification and edit to the answer. ChatGPT4 offered the same incorrect advice as your original answer. 2 is not an option for us as we don't want to hack the existing (containerized) website service. If API gateway can serve regular web traffic (with HTTP/S, including AJAX requests and the like) then that might work.

0

This might be useful, using mTLS feature of API Gateway, Propagating valid mTLS client certificate identity to downstream services using Amazon API Gateway. You could also implement your IP allow list in a resource level policy on the API.

profile pictureAWS
EXPERT
kentrad
answered 8 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content