
AWS beginner asking for help: connecting a Lumen + Passport API to API Gateway (deployed on EC2)

Hey there! I’ve helped folks set up this exact stack before, so let’s walk through how to get AWS API Gateway acting as a proxy for your Lumen API on EC2—including making sure your Passport token auth keeps working smoothly.

Step 1: Prep Your EC2-hosted Lumen API First

Before touching API Gateway, let’s make sure your base API is ready:

  • Double-check your EC2 security group allows incoming HTTP/HTTPS traffic (for testing, you can temporarily allow 0.0.0.0/0, but we’ll tighten this later).
  • Verify your Lumen API works directly via EC2’s public IP or domain—test a protected endpoint (like /api/user) with a valid Passport Bearer token using Postman or curl to confirm auth is working as expected.
  • If you’re using Nginx on EC2 to serve the Lumen API, make sure it’s configured to pass all request headers (especially Authorization) through to your app.

Step 2: Set Up API Gateway HTTP Proxy Integration

You have two good options here: HTTP API (lighter, faster) or REST API (more features like custom authorizers if you need them later). Let’s cover both:

Option A: Use HTTP API

  1. Head to the AWS API Gateway console and click Create API, then pick HTTP API > Build.
  2. Under Integrations, click Add integration, select HTTP as the type.
  3. Enter your EC2 API’s base URL (e.g., http://your-ec2-public-ip:8000 or https://your-ec2-domain if you have HTTPS set up).
  4. For routing, set up a $default catch-all route (this will proxy every request to your EC2 API) or specific routes like /api/{proxy+} if you want to match your Lumen API’s prefix.
  5. Finish creating the API—AWS will auto-generate a temporary endpoint for you.

Option B: Use REST API (For More Control)

  1. In the API Gateway console, click Create API > REST API > Build.
  2. Name your API, then create a new resource. Check the Configure as proxy resource box before clicking Create Resource.
  3. For the integration type, choose HTTP, then enter your EC2 API’s base URL with a proxy placeholder (e.g., http://your-ec2-public-ip:8000/api/{proxy}).
  4. Set the HTTP method to ANY so all request types (GET, POST, etc.) are forwarded.

Step 3: Make Sure Passport Auth Works Through the Proxy

The key here is ensuring API Gateway forwards the Authorization header containing your Passport Bearer token to your Lumen API:

  • For HTTP API: By default, most request headers are forwarded automatically, but test it first. If it’s not working, go to your integration settings, under Headers, add a mapping for Authorization to $request.header.Authorization.
  • For REST API: Go to your proxy resource’s Integration Request settings. Under Headers, add a new mapping:
    • Name: Authorization
    • Mapped from: method.request.header.Authorization
  • Test this by using API Gateway’s built-in test console: add the Authorization: Bearer your-valid-passport-token header, send a request to a protected endpoint, and confirm you get the expected response from your Lumen API.

Step 4: Deploy Your API Gateway

  • For HTTP API: Click Deploy, choose a stage name (like prod), and save. You’ll get a public API URL to use.
  • For REST API: Create a deployment stage (e.g., prod), deploy your API, and copy the Invoke URL.
  • Now test the full flow: send a request to the API Gateway URL (e.g., https://abc123.execute-api.us-east-1.amazonaws.com/prod/api/user) with your Passport token—this should proxy to your EC2 API and return the correct data.

Quick Pro Tips

  • Secure Your Setup: Once everything works, restrict your EC2 security group to only allow traffic from API Gateway’s IP ranges (you can find these in AWS’s documentation for your region) or use a VPC endpoint to keep traffic within AWS’s network.
  • HTTPS Everywhere: Configure API Gateway to use a custom domain with HTTPS (via AWS Certificate Manager), and set up HTTPS on your EC2 instance with a free Let’s Encrypt certificate—never send tokens over plain HTTP.
  • Troubleshooting: If you get 5xx errors, check your EC2 API logs first, confirm the API Gateway integration URL is correct, and verify security group rules.
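
The end-to-end check from Steps 1, 3 and 4 can be scripted; the following is an added example, not part of the original answer. The URLs and the TOKEN variable are placeholders, the verdict names are made up for this sketch, and it assumes the protected Lumen route answers 401 when no valid token reaches it.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer. URLs and TOKEN are placeholders.
# Assumes the protected Lumen route answers 401 when no valid token arrives.

# status URL [TOKEN]: print the HTTP status code (000 if unreachable).
# The header is fed on stdin (-H @-, curl >= 7.55) so the token never
# shows up in the process list.
status() {
  local url=$1 token=${2:-}
  if [ -n "$token" ]; then
    printf 'Authorization: Bearer %s\n' "$token" |
      curl -s -o /dev/null -m 10 -w '%{http_code}' -H @- "$url" || true
  else
    curl -s -o /dev/null -m 10 -w '%{http_code}' "$url" || true
  fi
}

# classify DIRECT_WITH_TOKEN GATEWAY_WITH_TOKEN GATEWAY_WITHOUT_TOKEN
# Prints a one-word verdict (names are hypothetical, chosen for this example).
classify() {
  local direct=$1 gw=$2 gw_anon=$3
  case "$direct" in
    2??) ;;
    *) echo "direct-request-failed"; return ;;     # fix Step 1 first
  esac
  case "$gw_anon" in
    2??) echo "unauthenticated-access"; return ;;  # route answers without a token
  esac
  case "$gw" in
    2??) echo "ok" ;;
    401) echo "authorization-header-not-forwarded" ;;  # revisit Step 3
    403|404) echo "route-or-stage-mismatch" ;;     # likely wrong path, method or stage
    5??|000) echo "integration-error" ;;           # integration URL or security group
    *) echo "unexpected-$gw" ;;
  esac
}

# Usage: TOKEN=... ./check.sh DIRECT_URL GATEWAY_URL
if [ "$#" -eq 2 ]; then
  : "${TOKEN:?set TOKEN to a valid Passport access token}"
  classify "$(status "$1" "$TOKEN")" "$(status "$2" "$TOKEN")" "$(status "$2")"
fi
```

Run it again after tightening the security group: the gateway verdict should stay `ok` while the direct request stops succeeding, which the script reports as `direct-request-failed`.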

The question in this content comes from Stack Exchange; asked by Sibin Francis
