Amazon API Gateway

You can deploy fabio as the target of an Amazon API Gateway.

or behind an ELB with PROXY protocol support:

You can authenticate calls from the API Gateway with a client certificate. This requires that you configure an HTTPS listener on fabio with a valid certificate.

To enable fabio to validate the Amazon generated certificate you need to configure the as follows:

proxy.addr =;your/cert.pem;your/key.pem;api-gw-cert.pem = ApiGateway

api-gw-cert.pem is the certificate generated in the AWS Management Console. your/cert.pem and your/key.pem is the certificate/key pair for the HTTPS certificate. Since the Amazon API Gateway certificates don’t have the CA flag set fabio needs to trust them for the client certificate authentication to work. Otherwise, you will get an TLS handshake error: failed to verify client's certificate. See Issue 108 for details.

Note: The parameter will not be supported in version 1.2 and later which support dynamic certificate stores. You will have to add the caupgcn=ApiGateway parameter to the certificate source configuration instead. See Certificate Stores for more detail.