DEV Community

Kasper Sanguesa-Franz

API Gateway + HTTP Host = no X-Forwarded-For header

Background

When deploying our REST API to API Gateway, we found that the backend no longer received an X-Forwarded-For header (exposed to our application as HTTP_X_FORWARDED_FOR). This was a concern for our security team, because without it we had no way to obtain the customer's IP address.

We use the x-amazon-apigateway-integration OpenAPI extension to describe the backend integration inside the same OpenAPI document that we publish to end users of our API.

Example

Below is a very simple OpenAPI 3.0 endpoint in which the integration URI uses the `url` stage variable to reach our internal backend.

```yaml
paths:
  /products:
    summary: get all products
    get:
      summary: Retrieve all products
      responses:
        '200':
          description: No issues
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/products'
      # Non-proxy HTTP integration; the backend host comes from the
      # `url` stage variable, so one spec serves every stage.
      x-amazon-apigateway-integration:
        type: http
        httpMethod: GET
        uri: https://${stageVariables.url}/products
        # Integration responses live under `responses`, not
        # `requestParameters`; map every backend response to 200.
        responses:
          default:
            statusCode: 200
```

Solution

When deploying the REST API, we map the X-Forwarded-For header from the method request onto the integration request and declare it as a method request parameter (a request parameter must be declared before a mapping can reference it), as below. Two caveats worth knowing: `method.request.header.x-forwarded-for` is whatever the caller sent, so the backend has to treat it as untrusted input unless a proxy in front of API Gateway is known to set it; if the backend needs the address API Gateway itself observed, the context variable `context.identity.sourceIp` can be mapped onto the same integration header instead. Also, `required: true` on the header is only enforced when a request validator is attached to the method; without one it is documentation only.

```yaml
paths:
  /products:
    summary: get all products
    get:
      summary: Retrieve all products
      responses:
        '200':
          description: No issues
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/products'
      x-amazon-apigateway-integration:
        type: http
        httpMethod: GET
        uri: https://${stageVariables.url}/products
        # Copy the caller's X-Forwarded-For header from the method
        # request onto the integration (backend) request.
        requestParameters:
          integration.request.header.x-forwarded-for: method.request.header.x-forwarded-for
        # Integration response mapping belongs here, not under
        # `requestParameters`.
        responses:
          default:
            statusCode: 200
      # The header must be declared as a method request parameter
      # before the mapping above can reference it.
      parameters:
        - name: x-forwarded-for
          in: header
          required: true
          schema:
            type: string
```

Next steps

Our x-amazon-apigateway-integration sections kept growing, so we updated our automated deployment script to inject these generic items at deploy time. That keeps the published documentation clean, with no Amazon-specific extensions in it.
Below is our current product endpoint specification as it looks before deployment.

```yaml
# Published spec: no x-amazon-apigateway-integration and no
# x-forwarded-for parameter; the deployment script adds both.
paths:
  /products:
    summary: get all products
    get:
      summary: Retrieve all products
      responses:
        '200':
          description: No issues
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/products'
```
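As an added example of the deploy-time injection described above (this is not the author's deployment script), the following Python function takes a parsed clean OpenAPI document and returns a copy with the integration block and the x-forwarded-for header parameter added to every operation. The sample document is constructed inline from the endpoint shown on this page; the `source_ip_from_context` switch, the function names and the `url` stage-variable host are assumptions for illustration. It operates on the parsed mapping, so the same function works whether the spec was loaded from JSON or from YAML with PyYAML's `yaml.safe_load`.

```python
"""Inject x-amazon-apigateway-integration into a clean OpenAPI 3.0 document.

Illustrative example, not the original article's script. The published
spec is left untouched; a deployable copy is returned.
"""
import copy
import json

# Header that carries the caller address to the backend.
FORWARDED_HEADER = "x-forwarded-for"

# OpenAPI operation keys; anything else under a path item (summary,
# parameters, servers...) is not an operation and must be skipped.
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def build_integration(path, method, source_ip_from_context=False):
    """Return the x-amazon-apigateway-integration block for one operation.

    By default the client-supplied X-Forwarded-For header is passed through
    (the approach in the article). With source_ip_from_context=True the
    header is filled from API Gateway's own context.identity.sourceIp
    instead, which the caller cannot influence. (The switch is an assumed
    convenience of this example, not part of the article.)
    """
    if source_ip_from_context:
        source = "context.identity.sourceIp"
    else:
        source = f"method.request.header.{FORWARDED_HEADER}"
    return {
        "type": "http",
        "httpMethod": method.upper(),
        # Assumed: backend host is supplied by the `url` stage variable.
        "uri": f"https://${{stageVariables.url}}{path}",
        "requestParameters": {
            f"integration.request.header.{FORWARDED_HEADER}": source,
        },
        "responses": {"default": {"statusCode": "200"}},
    }


def add_gateway_extensions(spec, source_ip_from_context=False):
    """Return a deep copy of `spec` with the integration block on every
    operation. When the header is mapped from the method request it must
    also be declared as a method request parameter, so that is added once
    (re-running on an already processed spec does not duplicate it)."""
    out = copy.deepcopy(spec)
    for path, item in out.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            op["x-amazon-apigateway-integration"] = build_integration(
                path, method, source_ip_from_context
            )
            if source_ip_from_context:
                continue  # nothing to declare; the value comes from context
            params = op.setdefault("parameters", [])
            declared = any(
                p.get("in") == "header"
                and p.get("name", "").lower() == FORWARDED_HEADER
                for p in params
            )
            if not declared:
                params.append({
                    "name": FORWARDED_HEADER,
                    "in": "header",
                    "required": True,
                    "schema": {"type": "string"},
                })
    return out


# Constructed sample: the clean endpoint from the article, as a dict.
CLEAN_SPEC = {
    "openapi": "3.0.0",
    "info": {"title": "Products API", "version": "1.0.0"},
    "paths": {
        "/products": {
            "summary": "get all products",
            "get": {
                "summary": "Retrieve all products",
                "responses": {
                    "200": {
                        "description": "No issues",
                        "content": {
                            "application/json": {
                                "schema": {"$ref": "#/components/schemas/products"}
                            }
                        },
                    }
                },
            },
        }
    },
}

if __name__ == "__main__":
    # Emit the deployable document; feed this to API Gateway import.
    print(json.dumps(add_gateway_extensions(CLEAN_SPEC), indent=2))
```

Keeping the published document as the single source of truth and generating the deployable one means a change to the mapping (for example switching to `context.identity.sourceIp`) is made in one place and applied to every operation consistently, rather than hand-edited per endpoint.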
