Is there a limitation on Neptune HTTP API endpoint compatibility when using a proxy and IAM Auth?
Hi,
Got a weird one today. I'm working on bringing full compatibility for the use of proxies fronting Amazon Neptune services.
In my setup I have an Amazon Neptune cluster and an nginx proxy. The proxy runs on an EC2 container and provides connectivity to Neptune over a public domain.
Additionally, my Neptune DB has IAM authentication enabled.
The issue I'm encountering is the following:
When attempting to make API calls to the Neptune instance through the proxy (e.g. status/explain/profile APIs), the calls are getting consistently rejected with a 403 Forbidden despite using the correct credentials. (When accessing the Neptune DB via SSH tunnel and using the same credentials, the requests are authorised.)
For WebSocket auth, this proxy setup appears to work (using the NeptuneNettyHttpSigV4Signer utility).
For HTTP auth, it fails (using the NeptuneApacheHttpSigV4Signer).
To allow this setup to work correctly using WSS, the handshake interceptor takes an extra step to replace the Host header in the request with the original Neptune DB endpoint (not doing this causes the Neptune API to respond with a 400 error).
I've implemented the same mechanism for making HTTP API calls to Neptune using the Apache HTTP Client and, unlike the Netty implementation, this causes the API call to fail with a 403.
I'm struggling to get the signature generated on my end to match the format expected server side on Neptune, using these utility classes. Is there any recommended way to sign REST API calls to Neptune endpoints made behind a proxy?
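The Host-header step in the question matters because SigV4 includes the Host header in the canonical request that gets signed. The following is an added example, not part of the original post and not code from the Neptune signer utilities: it computes a SigV4 signature with only `host` and `x-amz-date` signed and models the verifier as recomputing the signature from the Host header it actually receives. The hostnames, secret, date, region and the `/status` path are constructed sample values, and `neptune-db` is used as the service name.

```python
import hashlib
import hmac

# Constructed sample values; none come from the original post.
SECRET = "EXAMPLE-SECRET-KEY"
REGION = "us-east-1"
AMZ_DATE = "20240101T000000Z"
NEPTUNE_HOST = "db.cluster-example.us-east-1.neptune.amazonaws.com:8182"
PROXY_HOST = "graph.example.com"

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign(host, path="/status", method="GET", query="", body=b"", service="neptune-db"):
    """SigV4 signature over a request whose signed headers are host and x-amz-date."""
    canonical_request = "\n".join([
        method, path, query,
        f"host:{host.strip()}\nx-amz-date:{AMZ_DATE}\n",  # Host value is signed as sent
        "host;x-amz-date",
        hashlib.sha256(body).hexdigest(),
    ])
    date = AMZ_DATE[:8]
    scope = f"{date}/{REGION}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", AMZ_DATE, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    key = ("AWS4" + SECRET).encode()
    for part in (date, REGION, service, "aws4_request"):  # derive the signing key
        key = _hmac(key, part)
    return _hmac(key, string_to_sign).hex()

def server_accepts(signature, host_header_received):
    """Assumed verifier model: recompute from the Host header that arrived."""
    return hmac.compare_digest(signature, sign(host_header_received))

def demo():
    sig = sign(NEPTUNE_HOST)
    return {
        "host preserved end to end": server_accepts(sig, NEPTUNE_HOST),
        "signed for proxy domain": server_accepts(sign(PROXY_HOST), NEPTUNE_HOST),
        "host rewritten after signing": server_accepts(sig, PROXY_HOST),
        "port dropped from Host": server_accepts(sig, NEPTUNE_HOST.rsplit(":", 1)[0]),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'match' if ok else 'mismatch'}")
```

Only the first case matches; any difference between the Host value that was signed and the one that reaches the verifier, including a missing port, changes the signature.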