Setup TLS authentication with GCP app engine using X.509 certificate - google-app-engine

I have a client that uses TLS authentication using X.509 certificates. The client makes API calls to my GCP App Engine, which acts as a REST server.
The App Engine has Identity-Aware Proxy enabled, but the client is unable to authenticate via that. Therefore, I made an API gateway for the client to make HTTPS requests. But it is unable to make HTTPS requests without authenticating with X.509 certificates.
I am able to upload a cert.pem to the client. I generated the certificate in Google Cloud Shell using openssl. But I do not know where to put this certificate in GCP. Is it in App Engine->Settings->SSL certificates OR in the .yaml config file for the API gateway OR do I have to set up a load balancer?

API Gateway, App Engine, and HTTP load balancers do not support client authorization with X.509 certificates.
You must implement client X.509 authentication in your application or web server on a service you manage and deploy, such as Compute Engine.

Related

Cannot set HTTP URI in redirect URI on Azure AD Web App

I'm implementing a Power BI Embedding solution in a third-party application which uses the same Active Directory as Power BI. However, the application has a URL with HTTP and not HTTPS.
Now, for getting the authentication token for embedding, I've created an Azure AD Web App and I want to add a redirect URI for that application, but it is not allowing me because it is HTTP.
What can be the solution to get authentication token for Azure AD for embedding?
Thank you.
Apps that are registered for the Microsoft identity platform have restrictions on redirect URLs. The redirect URL for web apps and services must begin with the scheme https, and all redirect URL values must share a single DNS domain. http://localhost is also supported as a redirect URL.
You can create self-signed certificates for an https domain (for test purposes). If your app runs in a production environment, it should be signed by a trusted certificate authority. Check here to know more.
Refer to this post: Trust a self signed cert from IIS

HTTPS communication with EC2 Instance

I have my Java Spring project running successfully on an AWS EC2 instance, uploaded via Elastic Beanstalk, but its endpoint is of the form http://...........
Now I have uploaded my Angular project on Firebase.
I could have uploaded it on AWS itself, but it requires geolocation(), which requires an HTTPS connection. When I connect my Angular app to the AWS instance via the endpoint, it shows
Mixed Content: The page at 'https://aspertime-a3b60.firebaseapp.com/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://aspertime-env.x2enfd8jmj.ap-south1.elasticbeanstalk.com/employee/login?username=123&password=123'. This request has been blocked; the content must be served over HTTPS.
I have tried many times to solve this problem.
So, as we discussed in the comments, follow these steps:
Create a certificate in AWS ACM
Verify the certificate by adding an entry at your DNS provider
Create a load balancer with an HTTPS listener
Place the load balancer on top of Elastic Beanstalk
Update the web app to point to the new TLS endpoint

Mutual SSL authentication on Google App Engine

I have an application where the client uses mutual SSL authentication through NGINX. So far, so good.
However, I want to move my project to Google App Engine and I need to use the same approach to validate the client, or at least forward the client certificate to be validated in the application.
Is there some way to use mutual authentication on App Engine or other Google Cloud service?
Regards!
This might not be possible in GAE flexible environment because the SSL connections don't reach all the way to the actual application code. From Request limits:
SSL connections are terminated at the load balancer. Traffic from the load balancer is sent to the instance over an encrypted channel, and then forwarded to the application server over HTTP. The X-Forwarded-Proto header lets you understand if the origin request was HTTP or HTTPs.
I didn't find such a mention for the standard env GAE, so I'm unsure if the same applies there or not.

Pub/sub push subscription to an endpoint API URL

Since it is mandatory to register non-App Engine endpoints as mentioned here, I can't register my endpoint and it shows the error: Invalid property URL; please specify a site or directory URL, not a page URL. Screenshot here
What can be the alternative?
Make sure you have:
An HTTPS server.
A valid SSL certificate.
Register the endpoint domain with the GCP project.
Register the https:// version of your site URL.
Configuring HTTP Endpoints
You need a publicly accessible HTTPS server to handle POST requests in order to receive push messages. The server must present a valid SSL certificate signed by a certificate authority and routable by DNS. You also need to validate that you own the domain (or have equivalent access to the endpoint). Finally, you must register the endpoint domain with the GCP project. Note that these steps are considerably simplified on App Engine, where SSL certificates are provided and verification requirements can be relaxed.
Step 1: Verify you have access to the domain
Complete the site verification process using Search Console. Be sure to register the https:// version of your site URL. For more details, see the site verification help documentation.

Is my app secure with Google App Engine without my own SSL Certificate

Is my app secure with Google App Engine without my own SSL Certificate?
I ask because I've just gone through the process of using Letsencrypt to create an SSL cert and apply it to my App Engine project with a custom domain - myapp.com
Now, I also have a development environment, which is at myapp.appspot.com. While configuring the app.yaml files with secure: always, I accidentally deployed the dev app before creating the certificates and I noticed it was secured!
I thought this could be an appspot.com thing, so I removed the certificates from my live app and it is still showing as secured...
So the question is, does App Engine have some sort of built-in SSL and thus, do I need to bother with my own certs???
Yes, your app at appspot.com is secure. However, if you wish to use a custom domain then you must get an SSL certificate. Here you can find instructions on how to use a custom SSL certificate for a custom domain with appengine.
