serverless-wsgi
API Gateway Private Endpoints do not include 'x-forwarded-proto' leading to incorrect wsgi.url_scheme
When using an API Gateway configured with a private endpoint (https://aws.amazon.com/blogs/compute/introducing-amazon-api-gateway-private-endpoints/) and in lambda proxy integration, the event object does not contain a header with 'x-forwarded-proto', even though calling the api over the private endpoint can only be done via HTTPS (I guess you could consider this an oversight by AWS, it is an undocumented quirk). This leads to serverless-wsgi defaulting to the incorrect protocol (http) for setting wsgi.url_scheme in serverless_wsgi.py. The detection logic for setting this value should perhaps be updated to not solely depend on the presence of 'x-forwarded-proto', or perhaps default to https instead of http in the absence of the header as API gateway doesn't support http only connections directly.
I just checked and API Gateway doesn't listen on port 80, and the FAQ states that API Gateway doesn't support unencrypted endpoints.
One way to do this would be to check for the requestContext.apiId field and if present, set the wsgi.url_scheme to https if it has not already been done. I'm not sure whether this would open up a security hole however, so it might be safer to enable this behavior via an environment variable or configuration override.
A very simple workaround for this is to modify the lambda handler function to set event['headers']['X-Forwarded-Proto'] = 'https' and/or event['multiValueHeaders']['X-Forwarded-Proto'] = 'https' immediately before calling serverless_wsgi.handle_request.
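<br/>
The workaround above and the earlier requestContext.apiId suggestion combined into one handler-side normalisation step, as an added example that is not part of the issue thread or of serverless-wsgi itself. It assumes an opt-in environment variable named WSGI_ASSUME_HTTPS (a hypothetical name), a WSGI app importable as my_app.app (hypothetical), and only sets the header when it is absent and the event carries an API Gateway apiId.

```python
import copy
import os

# Header name in the casing API Gateway uses; serverless-wsgi reads headers
# case-insensitively, so an existing lower-case variant is also respected.
HEADER = "X-Forwarded-Proto"


def _has_header(headers, name):
    """Case-insensitive presence check; tolerates a null headers map."""
    return any(k.lower() == name.lower() for k in (headers or {}))


def ensure_forwarded_proto(event, assume_https=None):
    """Return a copy of a Lambda proxy event with X-Forwarded-Proto set to
    https when the header is missing, the caller opted in, and the event
    demonstrably arrived through API Gateway (requestContext.apiId is set)."""
    if assume_https is None:
        # Opt-in switch (hypothetical name); default off so behaviour is unchanged.
        assume_https = os.environ.get("WSGI_ASSUME_HTTPS", "0") == "1"
    ev = copy.deepcopy(event)
    came_via_apigw = bool((ev.get("requestContext") or {}).get("apiId"))
    if not (assume_https and came_via_apigw):
        return ev
    # Private-endpoint events can carry "headers": null rather than {}.
    if ev.get("headers") is None:
        ev["headers"] = {}
    if not _has_header(ev["headers"], HEADER):
        ev["headers"][HEADER] = "https"
    # multiValueHeaders values are lists in the API Gateway event shape.
    if "multiValueHeaders" in ev:
        if ev["multiValueHeaders"] is None:
            ev["multiValueHeaders"] = {}
        if not _has_header(ev["multiValueHeaders"], HEADER):
            ev["multiValueHeaders"][HEADER] = ["https"]
    return ev


def handler(event, context):
    """Lambda entry point: normalise the event, then hand off to serverless-wsgi."""
    import serverless_wsgi  # deferred so the helper above imports without it
    from my_app import app  # hypothetical: the WSGI application being served
    return serverless_wsgi.handle_request(app, ensure_forwarded_proto(event), context)
```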