
cloudfront: Failed to forward Authorization header from cloudfront to API Gateway #13408

Closed
apoorvmote opened this issue Mar 5, 2021 · 10 comments · Fixed by #13410
Labels
@aws-cdk/aws-cloudfront Related to Amazon CloudFront docs/inline Related to inline documentation of the API Reference guidance Question that needs advice or information.

Comments

@apoorvmote

I am using an HTTP API with a CloudFront distribution, and I want to pass the Authorization header from CloudFront to the HTTP API Lambda authorizer, but I am not able to whitelist any header from CloudFront.

Reproduction Steps

In a brand new CDK project, just create the following policy:

    // CDK v1 imports (the reporter is on CDK 1.91.0)
    import {
      OriginRequestPolicy, OriginRequestCookieBehavior,
      OriginRequestHeaderBehavior, OriginRequestQueryStringBehavior,
    } from '@aws-cdk/aws-cloudfront';

    // Origin request policy whose header allow-list includes Authorization;
    // this is the policy that fails to deploy.
    new OriginRequestPolicy(this, 'testOriginPolicy', {
      cookieBehavior: OriginRequestCookieBehavior.all(),
      headerBehavior: OriginRequestHeaderBehavior.allowList('Authorization'),
      queryStringBehavior: OriginRequestQueryStringBehavior.all()
    })

What did you expect to happen?

I expected the origin policy to deploy successfully. I haven't even attached it to a CloudFront distribution yet.

What actually happened?

The deploy fails with the following error:

Invalid request provided: AWS::CloudFront::OriginRequestPolicy
The following resource(s) failed to create: [testOriginPolicyBBC7F32C].

Environment

  • CDK CLI Version : 1.91.0
  • Framework Version:
  • Node.js Version: v14.16.0
  • OS : Ubuntu 20.04 on WSL2
  • Language (Version): Typescript ~3.9.7

Other


This is 🐛 Bug Report

@apoorvmote apoorvmote added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 5, 2021
@github-actions github-actions bot added the @aws-cdk/aws-cloudfront Related to Amazon CloudFront label Mar 5, 2021
@apoorvmote apoorvmote changed the title cloudfront: short issue description cloudfront: Failed to forward Authorization header from cloudfront to API Gateway Mar 5, 2021
@github-actions github-actions bot added the @aws-cdk/aws-apigateway Related to Amazon API Gateway label Mar 5, 2021
@robertd
Contributor

robertd commented Mar 5, 2021

@apoorvmote You can't pass Authorization header behavior when creating OriginRequestPolicy. I'd suggest using CachePolicy instead if you need to pass auth header (see links below).


See these references for more info:

@robertd
Contributor

robertd commented Mar 5, 2021

@njlynch I couldn't really find anywhere in the docs that the Authorization header is not allowed when creating an OriginRequestPolicy. Should we check the OriginRequestHeaderBehavior header values just in case, so users don't find this out the hard way during deployment?... just to be on the safe side

@robertd
Contributor

robertd commented Mar 5, 2021

@njlynch Accept-Encoding is also not allowed...

And I found out there is a limitation on how many headers you can whitelist (a total of 10).


AFAIK... none of this is captured anywhere in the OriginRequestPolicy docs. Should we check all this when creating the OriginRequestPolicy resource for a better user experience?
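As an added illustration (not aws-cdk's own code), the two rules this thread documents for an origin request policy header allow-list, written as a synth-time check, plus a planner that routes the refused headers to the cache policy allow-list instead. The function names are hypothetical.

```typescript
// Added illustration, not aws-cdk's own code: Authorization and Accept-Encoding
// are refused in an origin request policy allow-list, and at most 10 headers
// may be listed; refused headers belong in the CachePolicy allow-list instead.
const ORIGIN_REQUEST_FORBIDDEN_HEADERS = ['authorization', 'accept-encoding'];
const ORIGIN_REQUEST_MAX_HEADERS = 10;
interface HeaderForwardingPlan {
  originRequestHeaders: string[]; // safe for OriginRequestHeaderBehavior.allowList(...)
  cachePolicyHeaders: string[];   // must go through CacheHeaderBehavior.allowList(...)
}

// Trim and dedupe case-insensitively, keeping the first spelling seen.
function dedupeHeaders(headers: string[]): string[] {
  const out: string[] = [];
  const seen: string[] = [];
  for (let i = 0; i < headers.length; i++) {
    const name = headers[i].trim();
    const key = name.toLowerCase();
    if (name.length === 0 || seen.indexOf(key) !== -1) continue;
    seen.push(key);
    out.push(name);
  }
  return out;
}

// Split the headers you want forwarded between the two CloudFront policies;
// throws when the origin-request share exceeds the 10-header limit.
function planHeaderForwarding(headers: string[]): HeaderForwardingPlan {
  const plan: HeaderForwardingPlan = { originRequestHeaders: [], cachePolicyHeaders: [] };
  const list = dedupeHeaders(headers);
  for (let i = 0; i < list.length; i++) {
    const forbidden = ORIGIN_REQUEST_FORBIDDEN_HEADERS.indexOf(list[i].toLowerCase()) !== -1;
    (forbidden ? plan.cachePolicyHeaders : plan.originRequestHeaders).push(list[i]);
  }
  if (plan.originRequestHeaders.length > ORIGIN_REQUEST_MAX_HEADERS) {
    throw new Error('Origin request policy allows at most ' + ORIGIN_REQUEST_MAX_HEADERS +
      ' headers; got ' + plan.originRequestHeaders.length);
  }
  return plan;
}

// Same spirit as the fix merged for this issue: reject an allow-list CloudFront
// would refuse at synth time instead of letting the deployment fail.
function validateOriginRequestAllowList(headers: string[]): string[] {
  const plan = planHeaderForwarding(headers);
  if (plan.cachePolicyHeaders.length > 0) {
    throw new Error('Cannot forward ' + plan.cachePolicyHeaders.join(', ') +
      ' via an origin request policy; use a CachePolicy header allow-list instead');
  }
  return plan.originRequestHeaders;
}
```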

@apoorvmote
Author

@robertd Thanks very much for the quick reply. I thought I would have to wait many days before anyone took a look at it.

I would like help setting the Cache Policy because it's for an API endpoint; I have been using the static CachePolicy.CACHING_DISABLED.

Now, to allow headers, I need to recreate CACHING_DISABLED and add a whitelist for the header.

I was working on a workaround. Instead of passing the token through a header, I was going to pass it through the body.

https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-apigatewayv2-authorizers.UserPoolAuthorizerProps.html#identitysourcespan-classapi-icon-api-icon-experimental-titlethis-api-element-is-experimental-it-may-change-without-noticespan

Changing identitySource from $request.header.Authorization to $request.body.Authorization

Is there any security concern with passing the token via the body, or MUST I pass the token via a header?

@njlynch njlynch added guidance Question that needs advice or information. and removed @aws-cdk/aws-apigateway Related to Amazon API Gateway bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 5, 2021
@njlynch njlynch added the docs/inline Related to inline documentation of the API Reference label Mar 5, 2021
@njlynch
Contributor

njlynch commented Mar 5, 2021

> I would like help setting Cache Policy because its for API endpoint I have been using static CachePolicy.CACHING_DISABLED. Now to allow Headers I need to recreate the CACHING_DISABLED and add whitelist for header.

This is actually reasonably straightforward. Simply create a new CachePolicy with 0s for all TTLs, and add the header policy. Then use this new cache policy with your distribution.

import * as cloudfront from '@aws-cdk/aws-cloudfront';
import { Duration } from '@aws-cdk/core';

// All TTLs at zero reproduces CACHING_DISABLED; the header allow-list
// forwards Authorization to the origin.
const cachePolicy = new cloudfront.CachePolicy(stack, 'CachingDisabledButWithAuth', {
  defaultTtl: Duration.minutes(0),
  minTtl: Duration.minutes(0),
  maxTtl: Duration.minutes(0),
  headerBehavior: cloudfront.CacheHeaderBehavior.allowList('Authorization'),
});

@mergify mergify bot closed this as completed in #13410 Mar 5, 2021
mergify bot pushed a commit that referenced this issue Mar 5, 2021
…orbidden values (#13410)

This PR checks the size of Origin Request headers and prevents forbidden values (`Authorization` or `Accept-Encoding`).

Closes #13408


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

cornerwings pushed a commit to cornerwings/aws-cdk that referenced this issue Mar 8, 2021
@bblanke

bblanke commented Mar 29, 2022

Quick addition to @njlynch's response. I had to set at least one of the TTLs to something in order to create the cache policy, so I set max TTL to 1 second:

import * as cloudfront from '@aws-cdk/aws-cloudfront';
import { Duration } from '@aws-cdk/core';

const cachePolicy = new cloudfront.CachePolicy(stack, 'CachingDisabledButWithAuth', {
  defaultTtl: Duration.minutes(0),
  minTtl: Duration.minutes(0),
  // A non-zero maximum TTL is what lets the policy be created. Note that
  // Duration.minutes(1) is one minute; Duration.seconds(1) would be one second.
  maxTtl: Duration.minutes(1),
  headerBehavior: cloudfront.CacheHeaderBehavior.allowList('Authorization'),
});

@ischia-exigenter
> Quick addition to @njlynch 's response. I had to set at least 1 of the TTL's to something in order to create the cache policy, so I set max TTL to 1 second:
>
> const cachePolicy = new cloudfront.CachePolicy(stack, 'CachingDisabledButWithAuth', {
>   defaultTtl: Duration.minutes(0),
>   minTtl: Duration.minutes(0),
>   maxTtl: Duration.minutes(1),
>   headerBehavior: cloudfront.CacheHeaderBehavior.allowList('Authorization'),
> });

Seeing the same issue, and it happens if you try to create a stand-alone cache policy in the AWS Console. You get the annoying error: "The parameter HeaderBehavior is invalid for policy with caching disabled."

However, if you manually modify caching on a CloudFront distribution, somehow AWS Console allows it. So "yes, we want caching disabled, and YES we want to pass an API Token, or other authorization header to the API Gateway!!"

@daverickdunn

So I've spotted a nasty issue using @bblanke's solution. If you batch requests with the same path (different headers and/or different query params), CF/APIGW will (not always, but almost always, probably due to load balancing) give them all the same requestId (see the x-amzn-requestid response header). If one of the requests fails, they all fail, and they all continue to fail on retry, so this appears to be related to the caching mechanism. I'm fairly sure this is a bug on AWS's end and it makes this unusable for me. I suspect the effects of this could be bigger than the scenario I'm experiencing, so be careful using this solution.
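As an added, simplified model (not CloudFront's or aws-cdk's code) of how a cache policy decides the cache key: the request path plus only the headers and query strings the policy includes. It shows that under the Authorization-only cache policy from the comments above (query strings default to none), requests that differ only by query string map to one cache entry, while keying the query string separates them. Type and function names are hypothetical.

```typescript
// Added, simplified model of a CloudFront cache key; not CloudFront's or aws-cdk's code.
interface CachePolicyModel {
  headers: string[];                        // CacheHeaderBehavior.allowList(...)
  queryStrings: 'none' | 'all' | string[];  // CacheQueryStringBehavior
}

interface ViewerRequest {
  path: string;
  headers: { [name: string]: string };
  query: { [name: string]: string };
}

// Deterministic key: path, then included headers (lower-cased, sorted), then included query names (sorted).
function cacheKey(policy: CachePolicyModel, req: ViewerRequest): string {
  const parts: string[] = ['path=' + req.path];
  const wanted = policy.headers.map(h => h.toLowerCase()).sort();
  const names = Object.keys(req.headers);
  for (let i = 0; i < wanted.length; i++) {
    for (let j = 0; j < names.length; j++) {  // header names match case-insensitively
      if (names[j].toLowerCase() === wanted[i]) parts.push('h:' + wanted[i] + '=' + req.headers[names[j]]);
    }
  }
  const qs = policy.queryStrings;
  const qnames = Object.keys(req.query).sort();
  for (let i = 0; i < qnames.length; i++) {
    const include = qs === 'all' || (qs !== 'none' && qs.indexOf(qnames[i]) !== -1);
    if (include) parts.push('q:' + qnames[i] + '=' + req.query[qnames[i]]);
  }
  return parts.join('|');
}

// Two requests share a cache entry exactly when their keys are equal.
function sharesCacheEntry(policy: CachePolicyModel, a: ViewerRequest, b: ViewerRequest): boolean {
  return cacheKey(policy, a) === cacheKey(policy, b);
}

// The policy from the comments above, and the same policy with query strings in the key.
const authOnlyPolicy: CachePolicyModel = { headers: ['Authorization'], queryStrings: 'none' };
const authAndQueryPolicy: CachePolicyModel = { headers: ['Authorization'], queryStrings: 'all' };

// Constructed sample: batched calls to one path, same token, different query; plus another user.
const reqA: ViewerRequest = { path: '/items', headers: { Authorization: 'Bearer t1' }, query: { id: '1' } };
const reqB: ViewerRequest = { path: '/items', headers: { Authorization: 'Bearer t1' }, query: { id: '2' } };
const reqOtherUser: ViewerRequest = { path: '/items', headers: { Authorization: 'Bearer t2' }, query: { id: '1' } };
```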

@nidhin-raj

If the origin is API Gateway, then it is recommended to use:

// Behavior options for the API Gateway origin (aws-cdk-lib v2 import path)
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
cachePolicy: cloudfront.CachePolicy.CACHING_DISABLED,
originRequestPolicy: cloudfront.OriginRequestPolicy.fromOriginRequestPolicyId(this, 'AllViewerExceptHostHeader', 'b689b0a8-53d0-40ab-baf2-68738e2966ac')

AllViewerExceptHostHeader comes from https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html; cdk-lib hasn't included this policy yet. Hopefully soon.
