Terraform：经 CloudFront 访问 API Gateway V2 时返回 301/403，取决于 viewer_protocol_policy
我看到很多关于 301/403 的讨论，但没有找到解决方案。我已检查日志，该请求根本没有到达 API Gateway，没有任何记录。我正在把 API Gateway 从另一个域名迁移过来，原来的配置已验证可用。用 curl 请求该端点返回 301 Moved Permanently。前端位于 www.xxxx.com，我希望把 API Gateway 挂在 xxxx.com/api 下（var.site_domain = xxxx.com）。
决定返回 403 还是 301 的因素：viewer_protocol_policy = "https-only" 时返回 403，viewer_protocol_policy = "redirect-to-https" 时返回 301。这两种响应正是 CloudFront 对明文 HTTP 请求在相应策略下的处理方式（响应体也是 CloudFront 自己生成的），说明请求很可能是通过 http:// 发出的（例如 curl 未写明 https://），CloudFront 未把它转发到源站。
使用 AWS 生成的网关 URL 时，各端点按预期响应。
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>CloudFront</center>
</body>
</html>
resource "aws_apigatewayv2_domain_name" "XXXXXX" {
  # Custom domain for the HTTP API (api.<site_domain>): REGIONAL endpoint,
  # TLS 1.2 as the minimum viewer protocol.
  # NOTE(review): the Route 53 alias record further down references
  # aws_apigatewayv2_domain_name.api_picturethis, not "XXXXXX" — presumably a
  # redaction artefact, but the two labels must match or the plan fails.
  # NOTE(review): a REGIONAL endpoint needs its ACM certificate in the API's
  # region; if the same aws_acm_certificate.cert also backs the CloudFront
  # aliases it would have to live in us-east-1 — confirm which region it is in.
  # NOTE(review): this hostname reaches the gateway directly, bypassing
  # CloudFront and anything enforced there.
  domain_name = "api.${var.site_domain}"

  domain_name_configuration {
    endpoint_type   = "REGIONAL"
    security_policy = "TLS_1_2"
    certificate_arn = aws_acm_certificate.cert.arn
  }
}
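resource "aws_cloudfront_distribution" "dist" {
  # Static-site origin. The S3 *website* endpoint only speaks plain HTTP, so
  # "http-only" is required here and origin_ssl_protocols is never consulted.
  # NOTE(review): a website endpoint implies a publicly readable bucket; the
  # REST endpoint (bucket_regional_domain_name) behind an origin access control
  # would let the bucket stay private — that needs an OAC resource and a bucket
  # policy that are outside this listing.
  origin {
    domain_name = aws_s3_bucket.site.website_endpoint
    origin_id   = aws_s3_bucket.site.id

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "http-only"
      # Unused with http-only; TLSv1/TLSv1.1 dropped so nothing here advertises
      # deprecated protocols if the origin policy is ever changed.
      origin_ssl_protocols = ["TLSv1.2"]
    }
  }

  # API origin: hostname of the stage invoke URL, stage name as origin_path.
  # CloudFront appends the *full* viewer URI after origin_path, so /api/foo
  # reaches the gateway as /serverless_lambda_stage/api/foo — the HTTP API's
  # routes must therefore include the /api prefix.
  origin {
    domain_name = replace(aws_apigatewayv2_stage.lambda.invoke_url, "/^https?://([^/]*).*/", "$1")
    origin_id   = "apigw"
    origin_path = "/serverless_lambda_stage"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  enabled             = true
  default_root_object = "index.html"

  aliases = [
    var.site_domain,
    "www.${var.site_domain}",
  ]
  # NOTE(review): aliases require a viewer_certificate block (ACM certificate in
  # us-east-1); it is not in this listing — confirm it exists elsewhere. The
  # resource's closing brace was also missing from the listing; restored below.

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  # Static content. Was "allow-all", which served the site over plain HTTP;
  # redirecting keeps old http:// links working while forcing TLS.
  default_cache_behavior {
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = aws_s3_bucket.site.id

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 5 * 60
    max_ttl                = 60 * 60
  }

  # /api/* goes to the gateway and is never cached (all TTLs 0).
  # With "https-only" CloudFront answers a plain-HTTP viewer request with its
  # own 403 (a 301 under "redirect-to-https") without contacting the origin —
  # so a 301/403 whose body says "CloudFront" means the client used http://.
  ordered_cache_behavior {
    path_pattern     = "/api/*"
    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "apigw"

    min_ttl     = 0
    default_ttl = 0
    max_ttl     = 0

    forwarded_values {
      query_string = true
      # Origin is forwarded so the gateway's cors_configuration sees the
      # browser's origin. Per CloudFront's request-header rules for custom
      # origins, Authorization is stripped from GET/HEAD unless listed here —
      # add "Authorization" if the API uses a JWT/Lambda authorizer on GET routes.
      headers = ["Origin"]
      cookies {
        forward = "all"
      }
    }

    viewer_protocol_policy = "https-only"
  }
}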
resource "aws_apigatewayv2_api" "lambda" {
  name          = "serverless_lambda_gw"
  protocol_type = "HTTP"

  # Browser CORS is handled by the gateway. The check is made against the
  # Origin header, which the CloudFront /api/* behaviour forwards. Only
  # GET/POST/OPTIONS are permitted here although CloudFront also passes
  # DELETE/PATCH/PUT; browsers will be refused those — fine for non-browser
  # clients, otherwise extend this list. Once the API is served from
  # <site_domain>/api, the www.<site_domain> origin is the only cross-origin
  # case left.
  cors_configuration {
    allow_origins = [
      "https://www.XXXX.com",
      "https://XXXX.com",
      # "http://localhost:3000"
    ]
    allow_methods = ["GET", "POST", "OPTIONS"]
    allow_headers = ["content-type"]
    max_age       = 300
  }
}
# Three public hosted zones: the apex plus separately delegated zones for
# cdn.<site_domain> and api.<site_domain>. Records for those two sub-domains
# (including any ACM validation CNAMEs) must be written to the delegated zone,
# not to "main", or the delegation hides them.
resource "aws_route53_zone" "main" {
  name = var.site_domain
}

resource "aws_route53_zone" "cdn" {
  name = "cdn.${var.site_domain}"
}

resource "aws_route53_zone" "api_main" {
  name = "api.${var.site_domain}"
}
# NS delegations from the apex zone to the cdn/api zones. A 30-second TTL on
# NS records keeps delegation changes fast to propagate but costs extra lookups.
resource "aws_route53_record" "cdn-ns" {
  zone_id = aws_route53_zone.main.zone_id
  type    = "NS"
  name    = "cdn.${var.site_domain}"
  ttl     = "30"
  records = aws_route53_zone.cdn.name_servers
}

resource "aws_route53_record" "api-ns" {
  zone_id = aws_route53_zone.main.zone_id
  type    = "NS"
  name    = "api.${var.site_domain}"
  ttl     = "30"
  records = aws_route53_zone.api_main.name_servers
}
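# ACM DNS-validation records, one per validated name.
# Fixes two problems with the count/splat version:
#  - every validation CNAME was written to the apex zone, but api.<site_domain>
#    and cdn.<site_domain> are delegated to their own zones (see the NS records),
#    so a CNAME for those names placed in "main" is never served and ACM cannot
#    validate them;
#  - domain_validation_options is a set in AWS provider >= 3.0, and the
#    count + element(...*.attr) pattern does not work on it; for_each keyed by
#    domain name is the provider's documented pattern.
# NOTE(review): the resource addresses change from [N] to ["<name>"], so an
# existing state needs `terraform state mv` (or moved blocks) before apply.
resource "aws_route53_record" "cert_validations" {
  for_each = {
    for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      type   = dvo.resource_record_type
      record = dvo.resource_record_value
    }
  }

  allow_overwrite = true
  name            = each.value.name
  type            = each.value.type
  records         = [each.value.record]
  ttl             = 60

  # Route the record to the zone that is authoritative for that name;
  # anything not explicitly delegated (apex, www, wildcard) goes to "main".
  zone_id = lookup(
    {
      "api.${var.site_domain}" = aws_route53_zone.api_main.zone_id
      "cdn.${var.site_domain}" = aws_route53_zone.cdn.zone_id
    },
    each.key,
    aws_route53_zone.main.zone_id,
  )
}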
# Alias api.<site_domain> to the API Gateway regional domain, inside the
# delegated api zone (correct — the apex zone would not serve it).
# NOTE(review): this references aws_apigatewayv2_domain_name.api_picturethis,
# but the domain-name resource above is labelled "XXXXXX"; one of the two is
# a redaction artefact and they must agree.
resource "aws_route53_record" "api_picturethis" {
  zone_id = aws_route53_zone.api_main.zone_id
  type    = "A"
  name    = aws_apigatewayv2_domain_name.api_picturethis.domain_name

  alias {
    evaluate_target_health = false
    zone_id                = aws_apigatewayv2_domain_name.api_picturethis.domain_name_configuration[0].hosted_zone_id
    name                   = aws_apigatewayv2_domain_name.api_picturethis.domain_name_configuration[0].target_domain_name
  }
}
I can see plenty of threads about 301/403 but no solutions. I have checked the logs and the request is not hitting the API Gateway — no entries at all. I am moving the API Gateway from another domain, so the gateway itself is proven to work. A curl to the endpoint results in a 301 Moved Permanently. The frontend is at www.xxxx.com and I want the API Gateway to be served from xxxx.com/api (var.site_domain = xxxx.com).
What determines 403 vs 301: viewer_protocol_policy = "https-only" gives 403, viewer_protocol_policy = "redirect-to-https" gives 301. Those are exactly CloudFront's own responses to a plain-HTTP viewer request under each policy (and the body is CloudFront's, not the gateway's), which suggests the request was sent over http:// — e.g. curl with no explicit https:// scheme — and CloudFront never forwarded it to the origin.
Using the AWS-generated gateway URL directly, the endpoints respond as designed.
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>CloudFront</center>
</body>
</html>
resource "aws_apigatewayv2_domain_name" "XXXXXX" {
  # Custom domain for the HTTP API (api.<site_domain>): REGIONAL endpoint,
  # TLS 1.2 as the minimum viewer protocol.
  # NOTE(review): the Route 53 alias record further down references
  # aws_apigatewayv2_domain_name.api_picturethis, not "XXXXXX" — presumably a
  # redaction artefact, but the two labels must match or the plan fails.
  # NOTE(review): a REGIONAL endpoint needs its ACM certificate in the API's
  # region; if the same aws_acm_certificate.cert also backs the CloudFront
  # aliases it would have to live in us-east-1 — confirm which region it is in.
  # NOTE(review): this hostname reaches the gateway directly, bypassing
  # CloudFront and anything enforced there.
  domain_name = "api.${var.site_domain}"

  domain_name_configuration {
    endpoint_type   = "REGIONAL"
    security_policy = "TLS_1_2"
    certificate_arn = aws_acm_certificate.cert.arn
  }
}
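resource "aws_cloudfront_distribution" "dist" {
  # Static-site origin. The S3 *website* endpoint only speaks plain HTTP, so
  # "http-only" is required here and origin_ssl_protocols is never consulted.
  # NOTE(review): a website endpoint implies a publicly readable bucket; the
  # REST endpoint (bucket_regional_domain_name) behind an origin access control
  # would let the bucket stay private — that needs an OAC resource and a bucket
  # policy that are outside this listing.
  origin {
    domain_name = aws_s3_bucket.site.website_endpoint
    origin_id   = aws_s3_bucket.site.id

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "http-only"
      # Unused with http-only; TLSv1/TLSv1.1 dropped so nothing here advertises
      # deprecated protocols if the origin policy is ever changed.
      origin_ssl_protocols = ["TLSv1.2"]
    }
  }

  # API origin: hostname of the stage invoke URL, stage name as origin_path.
  # CloudFront appends the *full* viewer URI after origin_path, so /api/foo
  # reaches the gateway as /serverless_lambda_stage/api/foo — the HTTP API's
  # routes must therefore include the /api prefix.
  origin {
    domain_name = replace(aws_apigatewayv2_stage.lambda.invoke_url, "/^https?://([^/]*).*/", "$1")
    origin_id   = "apigw"
    origin_path = "/serverless_lambda_stage"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  enabled             = true
  default_root_object = "index.html"

  aliases = [
    var.site_domain,
    "www.${var.site_domain}",
  ]
  # NOTE(review): aliases require a viewer_certificate block (ACM certificate in
  # us-east-1); it is not in this listing — confirm it exists elsewhere. The
  # resource's closing brace was also missing from the listing; restored below.

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  # Static content. Was "allow-all", which served the site over plain HTTP;
  # redirecting keeps old http:// links working while forcing TLS.
  default_cache_behavior {
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = aws_s3_bucket.site.id

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 5 * 60
    max_ttl                = 60 * 60
  }

  # /api/* goes to the gateway and is never cached (all TTLs 0).
  # With "https-only" CloudFront answers a plain-HTTP viewer request with its
  # own 403 (a 301 under "redirect-to-https") without contacting the origin —
  # so a 301/403 whose body says "CloudFront" means the client used http://.
  ordered_cache_behavior {
    path_pattern     = "/api/*"
    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "apigw"

    min_ttl     = 0
    default_ttl = 0
    max_ttl     = 0

    forwarded_values {
      query_string = true
      # Origin is forwarded so the gateway's cors_configuration sees the
      # browser's origin. Per CloudFront's request-header rules for custom
      # origins, Authorization is stripped from GET/HEAD unless listed here —
      # add "Authorization" if the API uses a JWT/Lambda authorizer on GET routes.
      headers = ["Origin"]
      cookies {
        forward = "all"
      }
    }

    viewer_protocol_policy = "https-only"
  }
}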
resource "aws_apigatewayv2_api" "lambda" {
  name          = "serverless_lambda_gw"
  protocol_type = "HTTP"

  # Browser CORS is handled by the gateway. The check is made against the
  # Origin header, which the CloudFront /api/* behaviour forwards. Only
  # GET/POST/OPTIONS are permitted here although CloudFront also passes
  # DELETE/PATCH/PUT; browsers will be refused those — fine for non-browser
  # clients, otherwise extend this list. Once the API is served from
  # <site_domain>/api, the www.<site_domain> origin is the only cross-origin
  # case left.
  cors_configuration {
    allow_origins = [
      "https://www.XXXX.com",
      "https://XXXX.com",
      # "http://localhost:3000"
    ]
    allow_methods = ["GET", "POST", "OPTIONS"]
    allow_headers = ["content-type"]
    max_age       = 300
  }
}
# Three public hosted zones: the apex plus separately delegated zones for
# cdn.<site_domain> and api.<site_domain>. Records for those two sub-domains
# (including any ACM validation CNAMEs) must be written to the delegated zone,
# not to "main", or the delegation hides them.
resource "aws_route53_zone" "main" {
  name = var.site_domain
}

resource "aws_route53_zone" "cdn" {
  name = "cdn.${var.site_domain}"
}

resource "aws_route53_zone" "api_main" {
  name = "api.${var.site_domain}"
}
# NS delegations from the apex zone to the cdn/api zones. A 30-second TTL on
# NS records keeps delegation changes fast to propagate but costs extra lookups.
resource "aws_route53_record" "cdn-ns" {
  zone_id = aws_route53_zone.main.zone_id
  type    = "NS"
  name    = "cdn.${var.site_domain}"
  ttl     = "30"
  records = aws_route53_zone.cdn.name_servers
}

resource "aws_route53_record" "api-ns" {
  zone_id = aws_route53_zone.main.zone_id
  type    = "NS"
  name    = "api.${var.site_domain}"
  ttl     = "30"
  records = aws_route53_zone.api_main.name_servers
}
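# ACM DNS-validation records, one per validated name.
# Fixes two problems with the count/splat version:
#  - every validation CNAME was written to the apex zone, but api.<site_domain>
#    and cdn.<site_domain> are delegated to their own zones (see the NS records),
#    so a CNAME for those names placed in "main" is never served and ACM cannot
#    validate them;
#  - domain_validation_options is a set in AWS provider >= 3.0, and the
#    count + element(...*.attr) pattern does not work on it; for_each keyed by
#    domain name is the provider's documented pattern.
# NOTE(review): the resource addresses change from [N] to ["<name>"], so an
# existing state needs `terraform state mv` (or moved blocks) before apply.
resource "aws_route53_record" "cert_validations" {
  for_each = {
    for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      type   = dvo.resource_record_type
      record = dvo.resource_record_value
    }
  }

  allow_overwrite = true
  name            = each.value.name
  type            = each.value.type
  records         = [each.value.record]
  ttl             = 60

  # Route the record to the zone that is authoritative for that name;
  # anything not explicitly delegated (apex, www, wildcard) goes to "main".
  zone_id = lookup(
    {
      "api.${var.site_domain}" = aws_route53_zone.api_main.zone_id
      "cdn.${var.site_domain}" = aws_route53_zone.cdn.zone_id
    },
    each.key,
    aws_route53_zone.main.zone_id,
  )
}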
# Alias api.<site_domain> to the API Gateway regional domain, inside the
# delegated api zone (correct — the apex zone would not serve it).
# NOTE(review): this references aws_apigatewayv2_domain_name.api_picturethis,
# but the domain-name resource above is labelled "XXXXXX"; one of the two is
# a redaction artefact and they must agree.
resource "aws_route53_record" "api_picturethis" {
  zone_id = aws_route53_zone.api_main.zone_id
  type    = "A"
  name    = aws_apigatewayv2_domain_name.api_picturethis.domain_name

  alias {
    evaluate_target_health = false
    zone_id                = aws_apigatewayv2_domain_name.api_picturethis.domain_name_configuration[0].hosted_zone_id
    name                   = aws_apigatewayv2_domain_name.api_picturethis.domain_name_configuration[0].target_domain_name
  }
}