Websocket API authenticated with mTLS in AWS Api Gateway - websocket

Does anyone know if it is possible to have a WebSocket API Gateway support mTLS authentication? According to the documentation it is not supported (https://aws.amazon.com/blogs/compute/evaluating-access-control-methods-to-secure-amazon-api-gateway-apis/). Does anyone know if there is a feature request for this, or if there is a workaround? We've debated using a Lambda authorizer on the $connect route of the WebSocket API to authenticate client certificates manually, but it seems like an artificial implementation of mTLS since we're performing the client authentication after the TLS handshake. Not sure if this is our best option or if there is something better. Thanks.
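For reference, here is what the $connect Lambda authorizer workaround mentioned above looks like in practice. This is an added example, not code from the question or from AWS: it assumes the client sends its certificate PEM in a custom header (the `x-client-cert` name is an assumption), and it pins the SHA-256 fingerprint of the DER encoding against an allowlist that would normally come from configuration rather than a literal. The sample certificate bytes are constructed and are not a real certificate. Because this runs after API Gateway has already terminated TLS, it only proves the caller holds a copy of the certificate, not the matching private key; that is exactly the gap the question points out, and closing it would need an additional signed challenge.

```python
import hashlib
import ssl
from urllib.parse import unquote

# Assumed custom header carrying the URL-encoded client certificate PEM.
# API Gateway does not populate this itself for WebSocket APIs.
CERT_HEADER = "x-client-cert"

# Constructed sample "certificate": arbitrary DER bytes wrapped in PEM markers.
# In a real deployment the allowlist would be loaded from configuration.
SAMPLE_DER = b"constructed-not-a-real-certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
ALLOWED_FINGERPRINTS = {
    hashlib.sha256(SAMPLE_DER).hexdigest(): "device-001",
}


def _header(event, name):
    """Case-insensitive header lookup on the authorizer event."""
    for key, value in (event.get("headers") or {}).items():
        if key.lower() == name:
            return value
    return None


def fingerprint_from_pem(pem):
    """SHA-256 hex fingerprint of the DER form; raises ValueError on bad PEM."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def build_policy(principal_id, effect, method_arn, context=None):
    """IAM policy response shape expected from a REQUEST Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "execute-api:Invoke",
                    "Effect": effect,
                    "Resource": method_arn,
                }
            ],
        },
        "context": context or {},
    }


def handler(event, context=None):
    """Authorizer for the $connect route: Allow only pinned certificates."""
    method_arn = event["methodArn"]
    raw = _header(event, CERT_HEADER)
    if not raw:
        return build_policy("anonymous", "Deny", method_arn)
    try:
        fingerprint = fingerprint_from_pem(unquote(raw))
    except ValueError:
        # Malformed PEM or base64: treat as unauthenticated, never as an error.
        return build_policy("anonymous", "Deny", method_arn)
    principal = ALLOWED_FINGERPRINTS.get(fingerprint)
    if principal is None:
        return build_policy("anonymous", "Deny", method_arn)
    # Expose the fingerprint to the $connect integration via the context map.
    return build_policy(principal, "Allow", method_arn,
                        {"certFingerprint": fingerprint})


if __name__ == "__main__":
    arn = "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/$connect"
    print(handler({"methodArn": arn, "headers": {"X-Client-Cert": SAMPLE_PEM}}))
```

Every failure path returns an explicit Deny rather than raising, so API Gateway answers the client with 403 instead of 500 and the reason is visible in the authorizer's CloudWatch logs rather than in the client's error.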

Related

Gateway API - Apache APISIX with Secured Websockets

I am trying to add an API Gateway to a client-server system, which communicates through WebSockets.
The server is an audio recognition engine that sits on a remote machine, and clients connect to it through WebSockets ('wss://...'), sending audio files and receiving their translated text representation.
My main goal is to add a free open-source API gateway in the middle in order to authenticate/authorize/rate limit/etc. (I tried Kong/Tyk/KrakenD, but they are not free).
After searching the web, I focused on Apache APISIX gateway.
As a test, I managed to connect APISIX to a client-server pair which communicates over http/https, and it worked fine.
Moreover, I managed to connect the client with the server over a regular WebSocket connection (ws://) and the data transactions were successful, but no matter what I do I can't connect over the secured connection. Are there any special configurations I should edit in the dashboard?
I'm wondering if anyone knows from experience whether it's possible to use secured WebSockets with Apache APISIX and, if yes, how exactly it should be done, because the docs are missing any informative info/examples; or if there are better solutions to my problem.
The only WebSocket reference in the APISIX dashboard -
What you should do is create an SSL object (you can find it in the sidebar on the left side). See https://apisix.apache.org/docs/apisix/admin-api/#ssl to learn about the APISIX SSL object.
You can see an example at https://apisix.apache.org/docs/apisix/certificate
The SSL object provides the required TLS certificate and private key so that this key pair can be used in the TLS handshake according to the TLS SNI sent by clients. After that, your client has established a secured connection with APISIX, and now you can send the WebSocket traffic securely.

Does bot connector service support Mutual TLS verification?

I want to know whether the Bot Connector service (Microsoft Bot Framework) supports Mutual TLS or not. I want to verify the source of the events coming from the Bot Connector service. I am not able to find any documentation which clearly specifies mTLS support.
All communications between the bot and the Bot Connector service utilize SSL/TLS for authentication. SSL/TLS connections adhere to the x.509v3 certificate protocol for identifying all HTTPS services (see Authentication with the Bot Connector API).
You can read more about the Azure Bot Service's Data Protection protocol by reading this doc, Encrypt sensitive information in transit.
Additionally, What data is encrypted? can provide additional insight.

Intercept and forward DynamoDB traffic using aws-sdk-go

I have a use case where I have services which require interaction with DynamoDB (the programming environment is Go). But assume these services don't have AWS credentials, and I have a custom AuthN/AuthZ mechanism to validate the services internally and set credentials. So, I want to write an AuthN proxy service which intercepts requests to DynamoDB, checks what type of operation it is (Get/Set/Delete), validates it, sets DDB credentials on that request, queries DynamoDB and sends the response back to the client. I tried using a proxy as mentioned in the DDB documentation, but it is HTTP CONNECT tunnelling and I couldn't intercept the traffic in between, as it is HTTPS traffic to DynamoDB. Can someone tell me how I can achieve this using the AWS Go SDK library?
Thanks in advance.

Is the Hubot web socket connection to Slack secure?

I am setting up hubot with a slack adapter for an enterprise and would like to know if the socket connection between Hubot and Slack is secure.
If not, how can it be secured?
It's hard to say in general whether a product would be regarded as "secure" for your enterprise. It all depends on the security requirements specific to your business, e.g. a defense contractor might have much higher security requirements than a retailer.
To answer your question I would therefore suggest researching the security specifics of this product and then comparing them with the security requirements of your enterprise.
Here is an overview of the security architecture to get you started:
Hubot uses Slack's RTM API, which uses WebSockets as its main communication protocol.
To start a connection you need to call either the rtm.start or rtm.connect endpoint, which is secured by HTTPS. Both endpoints require you to provide authentication via an OAuth 2.0 token.
Those endpoints return a custom URL for your WebSocket session.
All WebSocket communication uses the secure WSS protocol, which applies TLS to secure the connection.
I have raised a ticket with the Slack support team and they confirmed that the connection is WSS and uses TLS 1.2, which makes it secure for enterprise. Thanks!

Proxy SMTP server with instructions receiving from API

The task is to build an SMTP proxy gateway which will send all letters to an API for some checks and, depending on the API's answer, will either send the letter to the destination server or return an error message to the client.
Please look at this picture
IMAP will be organized in the same way: all letters will be sent to the API for virus checking etc., and only letters with a successful API response will be delivered to the mailbox.
I want to ask for advice on which software would be better to use for this purpose. Dovecot/Postfix? But how to integrate it with an AMQP API? Maybe it would be better to organize it through an nginx proxy? Or the Python Twisted framework?
Will be grateful for any help.
If you're looking for a COTS software solution, the Forum Sentry API Security Gateway software version can act both as an SMTP proxy and as an AMQP proxy.
http://www.forumsys.com/forum-sentry-secure-amqp-proxy/
[I work for Forum Systems]