x-amazon-apigateway-integration.tlsConfig object - Amazon API Gateway

x-amazon-apigateway-integration.tlsConfig object

Specifies the TLS configuration for an integration.

Property name Type Description
insecureSkipVerification Boolean

Supported only for REST APIs. Specifies whether or not API Gateway skips verification that the certificate for an integration endpoint is issued by a supported certificate authority. This isn’t recommended, but it enables you to use certificates that are signed by private certificate authorities, or certificates that are self-signed. If enabled, API Gateway still performs basic certificate validation, which includes checking the certificate's expiration date, hostname, and presence of a root certificate authority. The root certificate belonging to the private authority must satisfy the following constraints:

  • x509 extension keyUsage must have keyCertSign.

  • x509 extension basicConstraints must have CA:TRUE.

Supported only for HTTP and HTTP_PROXY integrations.

Warning

Enabling insecureSkipVerification isn't recommended, especially for integrations with public HTTPS endpoints. If you enable insecureSkipVerification, you increase the risk of man-in-the-middle attacks.

serverNameToVerify string

Supported only for HTTP API private integrations. If you specify a server name, API Gateway uses it to verify the hostname on the integration's certificate. The server name is also included in the TLS handshake to support Server Name Indication (SNI) or virtual hosting.

x-amazon-apigateway-integration.tlsConfig examples

The following OpenAPI 3.0 example enables insecureSkipVerification for a REST API HTTP proxy integration.

"x-amazon-apigateway-integration": { "uri": "http://petstore-demo-endpoint.execute-api.com/petstore/pets", "responses": { default": { "statusCode": "200" } }, "passthroughBehavior": "when_no_match", "httpMethod": "ANY", "tlsConfig" : { "insecureSkipVerification" : true } "type": "http_proxy", }

The following OpenAPI 3.0 example specifies a serverNameToVerify for an HTTP API private integration.

"x-amazon-apigateway-integration" : { "payloadFormatVersion" : "1.0", "connectionId" : "abc123", "type" : "http_proxy", "httpMethod" : "ANY", "uri" : "arn:aws:elasticloadbalancing:us-west-2:123456789012:listener/app/my-load-balancer/50dc6c495c0c9188/0467ef3c8400ae65", "connectionType" : "VPC_LINK", "tlsConfig" : { "serverNameToVerify" : "example.com" } }