How to install SSL certificate for API endpoint and handle CORS

[wise-east]

I've been able to get my API deployed successfully using cortex (Thank you very much!) and I was amazed at how easy it was.

Now that I actually want to use this with AJAX calls, I need to be able to handle CORS and get SSL certificates for the API endpoint. Given that the API's endpoint seems somewhat arbitrary (sorry if I didn't read through available information about API endpoints) and that it is different from the EC2 instance that the API is running on, I am not sure how to install a SSL certificate for my API server. If I provide the url for the API on Amazon Certificate Manager, it says that it's not a valid domain. I know that this part of the docs says that all APIs are accessible through HTTPS, and surely does work with the -k option using curl, it will say that the certificate is invalid on a web app's AJAX call.

I have also already asked a question on how to enable CORS for my API on #541, but I'm asking how to configure it here again for anyone having to deal with these set of issues in taking their deployment into the final step of production.

FYI I'm using spot instances to serve my API.

[deliahu]

@wise-east Thanks for reaching out! We have plans (#326) to leverage AWS API Gateway to support custom certificates, as well as just using AWS's out-of-the-box certificate (that will make things even easier).

In the mean time, the easiest way to get https working without the -k flag is to manually add API Gateway in front of the Cortex APIs. We'll be adding this to the docs soon, but in the mean time, you can see the instructions here.

The CORS issue has been fixed in #942, and will be included in the 0.15.1 release we are planning for today. We have not yet tested API Gateway with CORS together, but will do so as part of our release testing process.

[wise-east]

Great, thank you! I'm excited for the updates.

[deliahu]

@wise-east I just wanted to follow up and let you know that the API Gateway guide has now been promoted to our docs: https://www.cortex.dev/v/master/guides/api-gateway

[wise-east]

Thank you @deliahu

I was able to bypass both the SSL certificates and CORS issue by following the guide and I believe it will really help future cortex users. 👍

[deliahu]

Excellent, I'm glad to hear it!

[ps-account]

This page doesn't exist: https://www.cortex.dev/v/master/guides/api-gateway

Any info on how to deploy SSL-enabled cortex API in general (also locally?)

[vishalbollu]

@rdwrt https://www.cortex.dev/v/master/guides/api-gateway has been removed because the functionality for creating API Gateway for Cortex APIs has been automated as of Cortex v0.18. APIs will automatically be created with HTTPS (provided by AWS Rest API Gateway).

The API Gateway setup documentation can be found in docs v0.17: https://docs.cortex.dev/v/0.17/guides/api-gateway

SSL is not supported for Cortex local at the moment. Could you explain your use case for SSL enabled Cortex local?

[ps-account]

SSL is not supported for Cortex local at te moment. Could you explain your use case for SSL enabled Cortex local?

Hi Vishal, the use case is that also local networking traffic should go over https, also outside of AWS integration :)

I guess TLS via nginx reverse proxy can be applied?

[vishalbollu]

Got it. TLS via an nginx reverse proxy would work for sure. Setting up nginx in front of Cortex local has other benefits like allowing access to multiple Cortex APIs via a single endpoint.

[vishalbollu]

Hi Vishal, the use case is that also local networking traffic should go over https, also outside of AWS integration :)

I may not have interpreted this correctly, any particular reason for not deploying APIs using a Cortex cluster in the AWS environment? A lot of the common networking and TLS are provided out of the box when you use the cluster.

[ps-account]

Hi Vishal, not everyone uses AWS! There are valid reasons for that (existing contracts, company policy, etc.)

[vishalbollu]

I 100% agree that not everyone uses AWS and it shouldn't be the case :).

Perhaps I should rephrase my thoughts. I was wondering in what scenarios would prefer Cortex local over Cortex cluster? Is it just because Cortex cluster isn't supported for other cloud providers/on-prem? Is it because Cortex local is easier to plug into existing infrastructure? How is Cortex local being used in existing infrastructure? This information would help us improve Cortex local by folding in more out of the box functionality and gives insights into how we can make Cortex cluster more flexible.

It sounds like a part of this conversation may overlap with this #1092 thread.