Fetch from AWS API Gateway fails from worker with Error 525 revealing the origin URL in error page


#1

I have a worker that gets its data from an AWS API Gateway endpoint.

While this works fine in the online Worker Editor, when it is deployed and the worker endpoint is invoked from the outside world it fails with the following error:

Error 525 Ray ID: 48c3984a64e49668 • 2018-12-20 16:48:09 UTC

SSL handshake failed

The AWS endpoint is in the following format: XXXXX.execute-api.us-east-1.amazonaws.com

I have verified from a browser, by hitting the origin directly, that the certificate is at least valid for the Chrome browser (the cert itself appears to be a wildcard one, served for all *.execute-api.us-east-1.amazonaws.com endpoints). As per the help page for 525, there may be other issues, such as the cipher suite used by AWS not being supported by CF; that is something I need some help from CF to check.

The second problem is that the error page shown to end customers reveals the origin. I'm hoping to use CF rate limiting to protect the endpoint and don't want anyone else to know the real URL. So I would like to know how I can stop CF from doing this.

Any help / pointers on this are highly appreciated.


#2

Assuming there is something wrong with the wildcard cert AWS presents, I created a custom domain and applied a custom certificate to it. I started using that endpoint in the worker; again it works fine from the Editor, but in the real world it fails with the following:

TypeError: Too many redirects.; urlList = ORIGIN_URL ,…ORIGIN_URL … 21 times

cf-ray:48cac851aa9a2a7f-SEA

A little more about the custom domain: it's a subdomain of my site (copy-paste.net) created as a CNAME to the AWS CloudFront subdomain they generated for me, with the custom certificate installed on it.
I can access that URL directly from a browser and curl and don't see any redirects there.

UPDATE
For the SSL handshake error, I believe there is something messed up with the AWS Virginia data center endpoint for my service; I also have this service in other data centers and the worker fetch works fine with that URL.

UPDATE
As of today, none of the URLs (I have the service in around 10 AWS regions) work. I really don't know what it is about the AWS URL that CF doesn't like!

Final Update
Silly me, my understanding of the SSL options (OFF, Flexible, Strict, Full) in the CF dashboard was all messed up, something I should have read about first. On setting it to Full, I'm able to fetch from AWS API Gateway from my worker.
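Added example, not the poster's code: a Worker-style handler that fetches the origin over HTTPS explicitly, cuts off a redirect loop like the 21-hop one above after a few hops, and answers clients with a generic error instead of a platform error page that names the origin. ORIGIN_HOST, the header name and the reason codes are placeholders; it assumes the Fetch API globals (Request, Response, Headers, URL) as provided by Workers or Node 18+.

```javascript
// Added example, not from the thread: proxy to the origin over HTTPS only, stop
// redirect loops early, and never echo the origin hostname back to the client.
const ORIGIN_HOST = "api-origin.example.com"; // placeholder, not a real origin
const MAX_HOPS = 5;
// Map the public worker URL onto the origin, keeping only path and query.
function toOriginUrl(requestUrl) {
  const u = new URL(requestUrl);
  return new URL(u.pathname + u.search, `https://${ORIGIN_HOST}`);
}

// Decide what to do with one upstream response when redirects are handled manually.
function nextHop(current, status, location) {
  if (status < 300 || status >= 400 || !location) return { action: "deliver" };
  const next = new URL(location, current);
  if (next.hostname !== ORIGIN_HOST) return { action: "fail", reason: "offsite-redirect" };
  if (next.protocol !== "https:") return { action: "fail", reason: "downgrade-redirect" };
  if (next.href === current.href) return { action: "fail", reason: "redirect-loop" };
  return { action: "follow", next };
}

// Generic error: a short reason code for your own logs, no upstream URL or status text.
function sanitizedError(reason) {
  return new Response(`Upstream unavailable (${reason})`, {
    status: 502,
    headers: { "content-type": "text/plain", "x-upstream-reason": reason },
  });
}

async function proxyToOrigin(request, fetchImpl = fetch) {
  let target = toOriginUrl(request.url);
  try {
    for (let hop = 0; hop < MAX_HOPS; hop++) {
      const upstream = await fetchImpl(target.href, {
        method: request.method, headers: request.headers, redirect: "manual",
      });
      const step = nextHop(target, upstream.status, upstream.headers.get("location"));
      if (step.action === "fail") return sanitizedError(step.reason);
      if (step.action === "follow") { target = step.next; continue; }
      // Pass the body through; drop Location so a 201 etc. cannot reveal the origin.
      const headers = new Headers(upstream.headers);
      headers.delete("location");
      return new Response(upstream.body, { status: upstream.status, headers });
    }
    return sanitizedError("too-many-redirects");
  } catch (err) {
    // TLS or connection failures (the 525 case) land here instead of a platform error page.
    return sanitizedError("connect-failed");
  }
}
```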