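What I want to verify
- Verify the behavior when an API Gateway API is accessed through a custom domain.
- Two domains are prepared, a main domain and a sub domain, and the behavior is checked in the four patterns described below.
- The self-signed certificate imported into ACM is created as follows.
Conditions
- Route 53 record name = custom domain name
An API Gateway API with a custom domain name (such as api.example.com) that matches the name of the Route 53 record you create.
- Custom domain name = certificate for the custom domain name
When you create a custom domain name for an API in a specific Region, API Gateway creates a Regional domain name for the API. You must configure a DNS record that maps the custom domain name to the Regional domain name. You must also provide a certificate for the custom domain name.
Patterns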
No | Custom domain | ACM | Route53 | Result |
---|---|---|---|---|
1 | sub.XXX.com | *.XXX.com, obtained from ACM | sub.XXX.com A API Gateway domain of sub.XXX.com | ○ |
2 | main.YYY.tk | *.YYY.tk, imported | main.YYY.tk A API Gateway domain of main.YYY.tk | ○ |
3 | sub.XXX.com | *.XXX.com, obtained from ACM | main.YYY.tk CNAME sub.XXX.com<br>sub.XXX.com A API Gateway domain of sub.XXX.com | × main.YYY.tk<br>○ sub.XXX.com |
4 | main.YYY.tk | *.YYY.tk | main.YYY.tk CNAME sub.XXX.com<br>sub.XXX.com A API Gateway domain name of main.YYY.tk | ○ main.YYY.tk<br>× sub.XXX.com |
1
Custom domain name |
---|
sub.XXX.com |

Domain | Type |
---|---|
*.XXX.com | Issued by Amazon |

Record name | Type | Route to |
---|---|---|
sub.XXX.com | A | API Gateway domain name |
sub_○
$ curl -v https://sub.XXX.com/
* Trying 52.194.101.52...
* TCP_NODELAY set
* Connected to sub.X.com (52.194.101.52) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.XXX.com
* start date: Feb 3 00:00:00 2022 GMT
* expire date: Mar 4 23:59:59 2023 GMT
* subjectAltName: host "sub.XXX.com" matched cert's "*.XXX.com"
* issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f8f1980a200)
> GET / HTTP/2
> Host: sub.XXX.com
> User-Agent: curl/7.54.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
< date: Sat, 05 Feb 2022 07:27:27 GMT
< content-type: application/octet-stream
< content-length: 20
< server: awselb/2.0
< apigw-requestid: NDsC0iovtjMEPdQ=
<
* Connection #0 to host sub.XXX.com left intact
"Hello from Lambda!"
The following is the result when accessing with mutual TLS authentication.
sub (mutual TLS authentication)_○
$ curl -v -i --key my_client.key --cert my_client.pem https://sub.XXX.com/
* Trying 54.248.25.239:443...
* Connected to sub.XXX.com (54.248.25.239) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.XXX.com
* start date: Feb 3 00:00:00 2022 GMT
* expire date: Mar 4 23:59:59 2023 GMT
* subjectAltName: host "sub.XXX.com" matched cert's "*.XXX.com"
* issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
* SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x162d720)
> GET / HTTP/2
> Host: sub.XXX.com
> user-agent: curl/7.79.1
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
HTTP/2 200
< server: awselb/2.0
server: awselb/2.0
< date: Sat, 05 Feb 2022 17:07:49 GMT
date: Sat, 05 Feb 2022 17:07:49 GMT
< content-type: application/octet-stream
content-type: application/octet-stream
< content-length: 20
content-length: 20
< apigw-requestid: NFBEEhtbNjMEP-g=
apigw-requestid: NFBEEhtbNjMEP-g=
<
* Connection #0 to host sub.XXX.com left intact
"Hello from Lambda!"
2
Custom domain name |
---|
main.YYY.tk |

Domain | Type |
---|---|
*.maroreokun.tk | Imported |

Record name | Type | Route to |
---|---|---|
main.YYY.tk | A | API Gateway domain name |
main_○
curl -v https://main.YYY.tk --insecure
* Rebuilt URL to: https://main.YYY.tk/
* Trying 54.199.252.206...
* TCP_NODELAY set
* Connected to main.YYY.tk (54.199.252.206) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=JP; ST=Osaka; O=mycorp.; CN=*.YYY.tk
* start date: Feb 3 07:13:51 2022 GMT
* expire date: Feb 4 07:13:51 2023 GMT
* issuer: C=JP; ST=Osaka; O=mycorp.; CN=testCN
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7faac600a200)
> GET / HTTP/2
> Host: main.YYY.tk
> User-Agent: curl/7.54.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
< date: Sat, 05 Feb 2022 07:37:14 GMT
< content-type: application/octet-stream
< content-length: 20
< server: awselb/2.0
< apigw-requestid: NDteriTDNjMENOg=
<
* Connection #0 to host main.YYY.tk left intact
"Hello from Lambda!"
main (mutual TLS authentication)_○
$ curl -v -i --key my_client.key --cert my_client.pem https://main.YYY.tk/ --insecure
* Trying 18.180.7.23:443...
* Connected to main.YYY.tk (18.180.7.23) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=JP; ST=Osaka; O=mycorp.; CN=*.YYY.tk
* start date: Feb 3 07:13:51 2022 GMT
* expire date: Feb 4 07:13:51 2023 GMT
* issuer: C=JP; ST=Osaka; O=mycorp.; CN=testCN
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x801570)
> GET / HTTP/2
> Host: main.YYY.tk
> user-agent: curl/7.79.1
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
HTTP/2 200
< server: awselb/2.0
server: awselb/2.0
< date: Sat, 05 Feb 2022 17:06:04 GMT
date: Sat, 05 Feb 2022 17:06:04 GMT
< content-type: application/octet-stream
content-type: application/octet-stream
< content-length: 20
content-length: 20
< apigw-requestid: NFAzhhv6NjMEMeg=
apigw-requestid: NFAzhhv6NjMEMeg=
<
* Connection #0 to host main.YYY.tk left intact
"Hello from Lambda!"
3
Custom domain name |
---|
sub.XXX.com |

Domain | Type |
---|---|
*.XXX.com | Issued by Amazon |

Record name | Type | Route to |
---|---|---|
main.YYY.tk | CNAME | sub.XXX.com |
sub.XXX.com | A | API Gateway domain name of sub.XXX.com |
sub_○
$ curl -v https://sub.XXX.com/
* Trying 13.231.62.125...
* TCP_NODELAY set
* Connected to sub.XXX.com (13.231.62.125) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.XXX.com
* start date: Feb 3 00:00:00 2022 GMT
* expire date: Mar 4 23:59:59 2023 GMT
* subjectAltName: host "sub.XXX.com" matched cert's "*.XXX.com"
* issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fdbb700a200)
> GET / HTTP/2
> Host: sub.XXX.com
> User-Agent: curl/7.54.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
< date: Fri, 04 Feb 2022 17:14:47 GMT
< content-type: application/octet-stream
< content-length: 20
< server: awselb/2.0
< apigw-requestid: NBvJJh2uNjMEMVQ=
<
* Connection #0 to host sub.XXX.com left intact
"Hello from Lambda!"
main_×
$ curl -v https://main.YYY.tk/
* Trying 52.193.237.107...
* TCP_NODELAY set
* Connected to main.YYY.tk (52.193.237.107) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.execute-api.ap-northeast-1.amazonaws.com
* start date: Sep 22 00:00:00 2021 GMT
* expire date: Oct 20 23:59:59 2022 GMT
* subjectAltName does not match main.YYY.tk
* SSL: no alternative certificate subject name matches target host name 'main.YYY.tk'
* stopped the pause stream!
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (51) SSL: no alternative certificate subject name matches target host name 'main.YYY.tk'
4
Custom domain name |
---|
main.YYY.tk |

Domain | Type |
---|---|
main.YYY.tk | Imported |

Record name | Type | Route to |
---|---|---|
main.YYY.tk | CNAME | sub.XXX.com |
sub.XXX.com | A | API Gateway domain name of main.YYY.tk |
main_○
$ curl -v https://main.YYY.tk/ --insecure
* Trying 54.199.41.121...
* TCP_NODELAY set
* Connected to main.YYY.tk (54.199.41.121) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=JP; ST=Osaka; O=mycorp.; CN=*.YYY.tk
* start date: Feb 3 07:13:51 2022 GMT
* expire date: Feb 4 07:13:51 2023 GMT
* issuer: C=JP; ST=Osaka; O=mycorp.; CN=testCN
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fbb69809e00)
> GET / HTTP/2
> Host: main.YYY.tk
> User-Agent: curl/7.54.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
< date: Fri, 11 Feb 2022 09:17:06 GMT
< content-type: application/octet-stream
< content-length: 20
< server: awselb/2.0
< apigw-requestid: NXtu8hGftjMEJJw=
<
* Connection #0 to host main.YYY.tk left intact
"Hello from Lambda!"
main (mutual TLS authentication)_○
$ curl -v -i --key my_client.key --cert my_client.pem https://main.YYY.tk/ --insecure
* Trying 18.180.7.23:443...
* Connected to main.YYY.tk (18.180.7.23) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=JP; ST=Osaka; O=mycorp.; CN=*.YYY.tk
* start date: Feb 3 07:13:51 2022 GMT
* expire date: Feb 4 07:13:51 2023 GMT
* issuer: C=JP; ST=Osaka; O=mycorp.; CN=testCN
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0xde4570)
> GET / HTTP/2
> Host: main.YYY.tk
> user-agent: curl/7.79.1
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
HTTP/2 200
< server: awselb/2.0
server: awselb/2.0
< date: Fri, 11 Feb 2022 09:30:12 GMT
date: Fri, 11 Feb 2022 09:30:12 GMT
< content-type: application/octet-stream
content-type: application/octet-stream
< content-length: 20
content-length: 20
< apigw-requestid: NXvpmjjvtjMEM6A=
apigw-requestid: NXvpmjjvtjMEM6A=
<
* Connection #0 to host main.YYY.tk left intact
"Hello from Lambda!"
sub_×
$ curl -v https://sub.XXX.com/ --insecure
* Trying 13.230.67.255...
* TCP_NODELAY set
* Connected to sub.XXX.com (13.230.67.255) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.execute-api.ap-northeast-1.amazonaws.com
* start date: Sep 22 00:00:00 2021 GMT
* expire date: Oct 20 23:59:59 2022 GMT
* issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f897b00a200)
> GET / HTTP/2
> Host: sub.XXX.com
> User-Agent: curl/7.54.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 403
< date: Fri, 11 Feb 2022 09:18:39 GMT
< content-type: application/json
< content-length: 23
< x-amzn-requestid: 351a6722-1ed1-4fb6-9c59-9d6359a9e7bb
< x-amzn-errortype: ForbiddenException
< x-amz-apigw-id: NXt9fHDUNjMFpnA=
<
* Connection #0 to host sub.XXX.com left intact
{"message":"Forbidden"}
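
A triage helper for transcripts like the ones above, added here as an example (it is not part of the original notes). It runs its own host name check against the certificate subject, because the pattern 4 `sub` output shows `SSL certificate verify ok.` under `--insecure` even though the name does not match. The sample excerpts and IP addresses are constructed, the subject CN stands in for the SAN list, and reading the `*.execute-api` certificate as the endpoint's default certificate is an inference from the output above.

```python
import re

# Constructed excerpts modelled on the curl -v output above (documentation IPs).
SAMPLES = {
    "p1_sub": "* Connected to sub.XXX.com (192.0.2.1) port 443 (#0)\n"
              "* subject: CN=*.XXX.com\n* SSL certificate verify ok.\n< HTTP/2 200\n",
    "p2_main": "* Connected to main.YYY.tk (192.0.2.2) port 443 (#0)\n"
               "* subject: C=JP; ST=Osaka; O=mycorp.; CN=*.YYY.tk\n"
               "* SSL certificate verify result: self signed certificate in "
               "certificate chain (19), continuing anyway.\n< HTTP/2 200\n",
    "p3_main": "* Connected to main.YYY.tk (192.0.2.3) port 443 (#0)\n"
               "* subject: CN=*.execute-api.ap-northeast-1.amazonaws.com\n"
               "* subjectAltName does not match main.YYY.tk\n",
    "p4_sub": "* Connected to sub.XXX.com (192.0.2.4) port 443 (#0)\n"
              "* subject: CN=*.execute-api.ap-northeast-1.amazonaws.com\n"
              "* SSL certificate verify ok.\n< HTTP/2 403\n",
}

def wildcard_match(pattern, host):
    """True if host matches pattern; '*' may only replace the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and (p[0] == "*" or p[0] == h[0])

def parse(log):
    """Pull the fields needed for triage out of one curl -v transcript."""
    host = re.search(r"Connected to (\S+) \(", log)
    cn = re.search(r"subject: .*?CN=([^;\s]+)", log)
    status = re.search(r"^< HTTP/\S+ (\d{3})", log, re.M)
    return {
        "host": host.group(1) if host else None,
        "cn": cn.group(1) if cn else None,
        "status": int(status.group(1)) if status else None,
        "chain_untrusted": "self signed certificate" in log,
    }

def classify(log):
    r = parse(log)
    if not r["host"] or not r["cn"]:
        return "unparsed"
    # Own name check: "verify ok" under --insecure says nothing about the host name.
    name_ok = wildcard_match(r["cn"], r["host"])
    default_cert = re.fullmatch(
        r"\*\.execute-api\.[a-z0-9-]+\.amazonaws\.com", r["cn"]) is not None
    if default_cert and not name_ok:
        # Inference: no custom-domain certificate was selected for this host name.
        if r["status"] is None:
            return "default-cert: handshake aborted by client"
        return f"default-cert: request rejected with HTTP {r['status']}"
    if not name_ok:
        return "name-mismatch"
    if r["chain_untrusted"]:
        return f"name-ok, untrusted chain accepted: HTTP {r['status']}"
    return f"name-ok, trusted chain: HTTP {r['status']}"

if __name__ == "__main__":
    for name, log in SAMPLES.items():
        print(name, "->", classify(log))
```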