I have an API running in Google App Engine and I want to introspect HTTP POST body to reject poorly formed calls before it hits my API running in app engine. Is there a way to front an App Engine application whereby I can introspect the URI, the POST body and return a 400 without it actually being processed by my code running in App Engine? Please let me know, thanks.
If you want to inspect HTTP, then you will need to write a proxy application to do so. Neither the Google Cloud Load Balancer nor App Engine support hooking HTTP requests.
Proxies have the MITM (Man In The Middle) problem in that HTTP traffic is often encrypted. You will not be able to inspect that traffic unless your proxy is the endpoint. If you implement your proxy with Apache or Nginx then you can use the ModSecurity project.
Basically, you want to implement a WAF. Google offers Cloud Armor which supports inspecting traffic via Cloud Armor rules.
Related
We've just created a new Loadbalancer which works perfectly well with all our services. The only issue we have is with the Blobstore.
The initial blobservice request works - returning a URL for the upload. But executing that request (/_ah/upload/) fails with a 404. My understanding is that it should be redirected to the blobstore service which will then send a response with the upload id. This works fine without the load balancer.
I can't see a way to add the blobstore as a service, so I don't know what to do to make sure the request is routed to the correct place.
Any help is gratefully appreciated!
This is currently a known limitation with Blobstore when used in an HTTPS load balancer in App Engine.
With the App Engine to Blobstore service, the generated URL for upload is shared to Google Front End. When the Load Balancer is introduced, the App Engine URL is returned, and causes a 302 redirect. The returned URL is used as a relative path to connect via the load balancer, and as it is not aligned to the one expected by the GFE, a 404 response is thrown.
Blobstore is a legacy API and has been deprecated, and with the limitations it has, it is ideal to look for alternatives.
You can consider using Cloud Storage, as mentioned in this overview. It is possible to achieve the upload behavior through Cloud Storage signed URLs which bypasses the App Engine Upload component. It would be necessary to implement a further component to notify on completion, such as a Pub/Sub for new object creation, if that information is needed.
Besides Cloud Storage, you can check other replacement options for Blobstore in this documentation.
I see no way to connect my app engine backends with Cloud CDN. Seems like it's only available when using Compute Engine directly.
No, that is not currently possible. Currently, Google Cloud CDN can be used only to serve content that originates from Cloud Storage buckets, Compute Engine instance groups, and Compute Engine network endpoint groups. I agree that it would make sense to support App Engine Standard, too!
Update
Currently in beta is Serverless NEGs (Network Endpoint Groups) which will allow you to use App Engine behind a HTTP(S) Load balancer and give you all the features provided with that including CDN
Original
Yes, App Engine will serve content via Google Cloud CDN as long as a cacheable response is returned.
Try setting the Cache-Control header to something like max-age=86400, public and ensuring a Set-Cookie header is not sent with the response
Is it possible to make Google App Engine services only available on a Google Cloud internal network, and if so, how? I have some microservices that shouldn't be publicly available (for use by other services only).
I know you can configure firewalls, however:
The app engine firewalls apply to all services
I have no idea what IP range to allow for app engine services with the VPC, since app engine works with domains only, and doesn't specify what range it uses.
If you're using standard environment services you might be able to use the app ID to validate requests in such services. From Asserting identity to other App Engine apps:
If you want to determine the identity of the App Engine app that is
making a request to your App Engine app, you can use the request
header X-Appengine-Inbound-Appid. This header is added to the
request by the URLFetch service and is not user modifiable, so it
safely indicates the requesting application's ID, if present.
In order for this header to be added to the request, the app making
the request must tell the URLFetch service to not follow redirects.
That is, it must set the fetch follow_redirects parameter to
False. App Engine will then automatically add the header to the HTTP
response.
In your application handler, you can check the incoming ID by reading
the X-Appengine-Inbound-Appid header and comparing it to a list of
IDs allowed to make requests.
**Note:** The **X-Appengine-Inbound-Appid** header is only set if the call
is made to the **appspot.com** domain. If the app has a custom domain,
this header will not be set.
If however you're using the flex environment this approach doesn't work, see App Engine Flexible + App Identity (Python)
Using authentication with the app's own service account could be another thing to look at for the flex environment - but I didn't try it yet. See Service Account for the App Engine Flexible Environment.
I created a topic which I subscribe to using a push endpoint. The endpoint is a simple AppEngine web service. The Google PubSub documentation states that endpoints must be secured by HTTPS.
I am not receiving any traffic to the push endpoint. The AppEngine web service shows no requests. I've verified through the Google PubSub dashboard that messages are being published on the topic successfully. The dashboard shows unreachable_ssl_error for push subscriptions. Why is Google PubSub reporting this error?
When I try to access the SSL AppEngine endpoint via a browser I receive an SSL cert error also. Is this normal for AppEngine sites?
As documented at https://cloud.google.com/appengine/kb/general#https , SSL is supported on App Engine, but in a somewhat peculiar way.
Specifically, and I quote...:
Note: After April 2013 Google does not issue SSL certificates for
double-wildcard domains hosted at appspot.com (i.e. *.*.appspot.com).
If you rely on such URLs for HTTPS access to your application, change
any application logic to use "-dot-" instead of ".". For example, to
access version v1 of application myapp use
https://v1-dot-myapp.appspot.com.
Also look at the previous paragraph at this same URL about the need for secure in app.yaml and a link to language-specific instructions on exactly how to configure things, e.g https://cloud.google.com/appengine/docs/python/config/appconfig#Python_app_yaml_Secure_URLs if you're programming in Python.
I'm developing a Java app in GAE, which offers an API through Google Cloud Endpoints.
Basically it receives requests in the endpoints and uses a number of web services from different providers, stores some data and returns some data through the endpoints...
I understand that my app is conceptually a backend, because it doesn't provide any web page, but only the endpoints, don't you think so?
But there's no way to create only a backend, without being associated to any frontend app, is there? At least Google Plugin for Eclipse only allow you to "Generate App Engine Backend", from an existing app, and moreover this app must be an Android project...
I'm using it as a frontend and there's no problem, but apart from the conceptual issue, I've read that backends are kind of optimized to be backends, with more memory and CPU...
I think you're just confused because the Cloud Endpoints documentation uses the word 'backend' to refer to the entire cloud-hosted server implementation. It doesn't specifically refer to the use of GAE backend instances. Endpoint requests can be served by frontend or backend instances, based on how you set them up and the url being accessed.
From the App Ending docs:
"When an application is called to serve a web request, it must issue a response within 60 seconds"
"App Engine Backends are instances of your application that are exempt from request deadlines and have access to more memory (up to 1GB) and CPU (up to 4.8GHz) than normal instances."
So unless you're requests are doing something crazy, you don't need to use a backend. In the google-plugin-for-eclipse, "generate appengine backend" is talking about creating a backend for your android app... a server for your android app to contact (in this case your android app is the frontend and you're appengine app is the backend). In the example app you can remove the web side (index.html) to the appengine application and you'll have no web frontend. Index.html is using the gapi javascript library to make endpoints calls to your appengine service.