Custom domains / catch all hostnames on Google App Engine - google-app-engine

I'm trying to configure my Google App Engine instance with Cloudflare for Saas, and more precisely Cloudflare's SSL for SaaS offering. The objective being that I can provide to my customer a "custom domain" (also known as "vanity domain"), such that they don't go to dashboard.mywebsite.com, but instead app.customerwebsite.com.
Configuration part
To make sure that my App Engine instance is correctly serving content on dashboard.mywebsite.com, I've made the following:
On Google Cloud side:
I've configured the custom domain dashboard.mywebsite.com.
I've let Google manage the SSL configuration (no custom key/certificate)
Here is my app.yaml configuration file:
runtime: nodejs14
env_variables:
  NODE_ENV: 'production'
basic_scaling:
  max_instances: 10
  idle_timeout: 5m
On Cloudflare side:
I've updated the DNS records so that dashboard.mywebsite.com is working perfectly.
I've configured SSL in Full mode (I've tried Flexible as well; both work).
I waited for a few hours and I confirm that dashboard.mywebsite.com resolves correctly and serves my content (from Google App Engine).
Next, custom domains
According to Cloudflare documentation, I had to register the fallback origin (i.e. dashboard.website.com) and then configure a custom hostname (e.g. app.customerwebsite.com). Which I did.
Now, according to Cloudflare documentation again, my customer has to create a CNAME record. Which I did with a domain of mine:
app.customerwebsite.com CNAME dashboard.mycompany.com
The issue
I waited a few hours again. Then, when I open app.customerwebsite.com in my browser, it shows a Google 404 error page instead of my dashboard. Which makes me think that Cloudflare successfully "redirects" the traffic to Google, but App Engine refuses to serve it. Probably because it doesn't know app.customerwebsite.com?
Any thoughts that would help?

As you noticed, the issue is not related to Cloudflare but to App Engine. The problem with your configuration is that, when App Engine receives a request, it forwards the request to the right instance based on the Host header.
App Engine lets you map any custom domain that has been previously validated by Google. But in your situation, that would mean you have to register each custom domain of your customers on your App Engine instance. That's too cumbersome (if even possible).
What you need to do instead is the following:
enable a static IP address with Google Cloud
change your DNS record from dashboard CNAME ghs.googlehosted.com to dashboard A YOUR_IP_ADDRESS
configure a Google Cloud Load Balancer to map requests received on that IP address to your App Engine instance.
Google's documentation has a great guide on how to set up a load balancer with Cloud Run. By changing a few settings it works great with App Engine. As an extra help, below are the configuration details of our load balancer that allows us to provide vanity domains / custom domains to our customers through Google Cloud:
Again, the load balancer here is responsible for mapping all requests received by your IP address (no matter the Host header) straight to your App Engine instance.
As a best practice, it might be useful to push a dispatch.yaml file to your instance:
dispatch:
  - url: '*/*'
    service: default
This tells App Engine to send all requests to the default service. It works a bit like a wildcard virtual host on an Apache server.
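Once the load balancer forwards every hostname to the app, the app itself has to decide which hostnames it serves. The following is an added example, not code from the question or the answer: a Host-header tenant lookup for the nodejs14 runtime above, using constructed hostnames and tenant ids, where a hostname that was never onboarded gets a 404 instead of the default dashboard.

```javascript
// Added example (not from the original post). Constructed mapping of onboarded
// customer hostnames to tenants; in a real deployment this comes from the same
// store that your custom-hostname provisioning writes to.
const TENANTS = new Map([
  ['dashboard.mywebsite.com', { id: 'default', name: 'Main dashboard' }],
  ['app.customerwebsite.com', { id: 'cust-a', name: 'Customer A' }],
]);

// Normalise the Host header: lower-case, strip a trailing dot and a port,
// and reject anything that is not a plain DNS hostname. Returns null on junk.
function normalizeHost(host) {
  if (typeof host !== 'string') return null;
  let h = host.trim().toLowerCase();
  if (h.endsWith('.')) h = h.slice(0, -1);
  h = h.replace(/:\d+$/, '');
  const label = '[a-z0-9]([a-z0-9-]*[a-z0-9])?';
  return new RegExp(`^${label}(\\.${label})+$`).test(h) ? h : null;
}

// Which tenant does this Host header belong to? null means "unknown host".
function resolveTenant(hostHeader, tenants = TENANTS) {
  const host = normalizeHost(hostHeader);
  if (!host || !tenants.has(host)) return null;
  return { host, ...tenants.get(host) };
}

// Pure routing step: takes the request headers and returns { status, body },
// so the decision can be tested without opening a socket.
function route(headers, tenants = TENANTS) {
  const tenant = resolveTenant(headers && headers.host, tenants);
  if (!tenant) {
    // The load balancer forwards any Host; the app answers 404 for hostnames
    // it never issued instead of serving the default dashboard under them.
    return { status: 404, body: 'Unknown hostname' };
  }
  return { status: 200, body: `Dashboard for ${tenant.name} (${tenant.host})` };
}

// Wiring on App Engine (PORT is injected by the runtime) would be:
//   require('http').createServer((req, res) => {
//     const { status, body } = route(req.headers);
//     res.writeHead(status, { 'Content-Type': 'text/plain' });
//     res.end(body);
//   }).listen(process.env.PORT || 8080);
```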

Related

Google Cloud with Google Domain, static website ssl cert not valid

My domain is registered with Google Domains. I put up my static website on Google Cloud Storage. The CNAME record is c.storage.googleapis.com.
I had an SSL cert already for this domain, and wanted to set it up. I uploaded the SSL cert successfully to Google Cloud App Engine. It gave me a new CNAME value to tie to my DNS, this time ghs.googlehosted.com.
I can't do both for www.
Anybody know what's up? I thought there would be a simple way to point my existing SSL certificate to my domain without having to do load balancing or anything too complicated. There is very little traffic to the site. I transferred everything over from a different hosting provider, and this is the only issue.
Possible solutions -
To use HTTPS with your own domain, you'll need to set up Google Cloud Load Balancer. Google Cloud Load Balancer allows you to fill a domain with all sorts of content. Some resources could be served by a GCS bucket, but you could also have servers in GCE serving dynamic content for other paths.
Use Firebase to host your SPA; it has HTTPS by default.
Use App Engine to serve static files: https://github.com/ncruces/appengine-hosting
Use something like Cloudflare in front of it, which provides HTTPS for a custom domain.
In order to host your static web page within a Cloud Storage bucket and use HTTPS, you need to configure a load balancer with a static external IP address. This guide [1] shows how to configure load balancing service and sending traffic to the instances. You can follow the configurations, skipping the instance parts since your goal is sending traffic to a bucket.
Afterwards, route your load balancer to the Cloud Storage bucket having your static web page [2].
Finally, go to your domain host and set an A Record, instead of CNAME [3], hitting your load balancer's external IP.

Modifying Nginx configuration on Google Cloud App Engine Flexible Environment with Custom Runtime

The Nginx load balancer of Google Cloud App Engine Flexible Environment (with custom runtime) logs remote IP addresses etc. to its access logs. What if I wanted to disable that behavior? Is it possible in any way? The docs don't say anything about configuring Nginx by yourself. Haven't found anything in the console either.
In order to disable any IP logging, you have to disable the Google Cloud Load Balancer logs and also any logging done by NGINX.
In order to disable the ones done by the Google Cloud Load Balancer, this page of their official documentation explains how to do it. You would need to select "Disable log source" for the cloud HTTP Load Balancer.
On the other hand, to configure NGINX, apparently the only way to do so is modifying the nginx.conf file.
Because you are using App Engine Flex and it's not possible to access these virtual machines/containers once the App has been deployed, you would need to make sure to change the configuration before executing the deployment.
I've found a Serverfault post which explains how to disable NGINX logging, and another article which explains the NGINX configuration in more depth, in case they might be of use to you.
I believe this won't be possible. As per this Logging docs page:
The App Engine flexible environment produces the following logs:
Request logs record requests sent to all App Engine apps. The request log is provided by default and you cannot opt out of receiving it.
App logs record activity by software within the App Engine app. The log is provided by default and you cannot opt out of receiving it.
Runtime logs are provided from the flexible environment using a preinstalled Logging agent.

Do I need to Setup a Reverse Proxy behind Google App Engine or not?

I am running my app on Google App Engine and I have linked my domain, which I bought from GoDaddy, to App Engine along with the SSL certificate which I also bought from GoDaddy.
I read on many sites that running a server on port 80 without a reverse proxy can cause you major security issues. But I can't see which issues they are talking about. Also, as I am running my app on port 5555, I even tried to ping my domain and the IP was 216.239.XX.21, where X's possible values can be (32, 34, 36 and 38), which is the same for all other App Engine servers. So I think that if any hacker/malicious user tries to do something malicious to my app, then in order to do that he/she has to know my IP, which App Engine is hiding by default.
So, I want to know: as App Engine is already hiding my IP, do I have to use any reverse proxy server like Nginx on my App Engine or not?
Also, if I need to use a reverse proxy, then I saw these two posts: nginx-as-reverse-proxy-for-google-app-engine-application
and using-nginx-as-a-reverse-proxy-for-speedy-app-engine-development/.
In the first post it is not recommended to use a reverse proxy, whereas in the second post it is recommended. That's why I am confused about which would be the better approach.
Please help me, guys.
After posting this question on Google Groups they told me that there is no need to set up a reverse proxy for both the Flexible and the Standard environment.
App Engine instances in the Standard environment [1] do not have public static IP addresses, and are completely protected by the main Google Front-end server. Requests to your application first hit the Google Front-end, then the front-end performs the SSL security checks according to your uploaded certificate [2], and then forwards the request to your App Engine instances using their internal IPs. Therefore no reverse-proxy is required.
If you are using the App Engine Flexible environment [3], you are able to have static IPs for your instances as they use Compute Engine VMs [4]. But, App Engine automatically loads Nginx proxy in front of every App Engine Flexible instance pre-configured, so you do not have to set this up at all. All you have to do is follow the guide to uploading your SSL cert [5], and requests will be vetted by the Google Front-end just like the Standard environment above. Therefore no added reverse-proxy is required.
The full answer can be found here: issue

Adding a SSL App engine with custom subdomain pointing to Google Storage bucket

Current App:
Google App Engine on a custom domain: myapp.com
Google Cloud Storage bucket on a custom subdomain (it uses DNS): images.myapp.com
I have an SSL certificate for the images subdomain
My question is: is it possible to have this configuration with SSL?
Things I have tried:
Load balancer. I cannot figure out how to redirect everything that is not /images/* to the GAE (it seems it only works with backends)
dispatch.yaml. I think it only works for the services you deploy
In App Engine Settings I have added images.myapp.com, but as the redirection of images.myapp.com is done at DNS level, the secure layer is lost
Any suggestion or idea is more than welcome.
Thank you!
The limitation comes from the Cloud Storage bucket presented as a website under a custom domain - you can't use SSL with that. From You want your content served through HTTPS:
SSL is not currently supported by the Cloud Storage webservers; thus, you can only use a CNAME redirect with HTTP and not with HTTPS. If you wish to serve content through HTTPS from your bucket, we recommend you use a third-party Content Delivery Network with Cloud Storage. Alternatively, you can serve your static website content from Firebase Hosting instead of Google Cloud Storage.
If the content of your site meets the Code and static data storage quota you can serve your website through GAE, as static content (through a google CDN), which can be mapped to a custom domain and use SSL. See:
Serving Static Files
Hosting a static website on Google App Engine
If your content exceeds the mentioned quota then you can still serve it through your app, but dynamically, with your app accessing the content stored on GCS and serving it. This is more expensive, as you'll be using instance hours for it.

Does Google App Engine support SSL for apps hosted as mydomain.com?

From this question I learned that Google App Engine does not currently support SSL on "custom domains" (at least not as of June 2010, when that question was asked).
Does this mean if I want to host my GAE app on www.mydomain.com, I cannot use SSL?
A few days ago it came into testing.
Priority:
It is at the top of the Features on Deck list.
http://code.google.com/appengine/docs/roadmap.html
Simultaneous serving:
A custom domain hosted app such as http://www.mydomain.com can still be accessed on its ssl appspot subdomain such as https://yourapp.appspot.com
Issue:
http://groups.google.com/group/google-appengine/browse_thread/thread/844dc97fbfc57bab/0c8651f00072f9ea?lnk=gst&q=ssl#0c8651f00072f9ea
(As the others on here have said) SSL is not currently supported for your own domain. It is apparently on its way, but has been for some time; I believe it is currently only available to a select few Google App Engine for Business customers.
The temporary solution which many (myself included) are using is to set up a reverse proxy from another hosting service (Amazon EC2 in my case) to route SSL traffic.
If your app suits the situation where your URLs are not of importance, you could set up an SSL site somewhere and access your https://xxx.appspot.com version from within an iframe.
Either way, until GAE officially supports SSL via your Google Apps domains, you will need an external service to work around it.
Custom SSL is available for App Engine since 27 Jun 2012.
You can set it up from your domain's control panel:
https://developers.google.com/appengine/docs/ssl
All secure traffic with Google App Engine must be served from your appspot.com domain (https://your-app-id.appspot.com). If you are serving your app off of a Google Apps domain, you must direct all secure traffic through your app's appspot domain.
This is what is written in the Google App Engine documentation. That means SSL is supported on the appspot.com domain.
You can get SSL to work on your custom domain hosted on App Engine; however, you need to run a reverse proxy that can modify the Host header to do so. If you want to set up a reverse proxy yourself, you can do so following these instructions:
http://radomirml.com/2011/01/30/reverse-proxy-for-gae-application-using-nginx-and-ssl
Alternatively, you can use a reverse proxy service like CloudFlare. The process of getting SSL to work with an appspot.com domain is documented on the CloudFlare Blog:
http://blog.cloudflare.com/ssl-on-custom-domains-for-appengine-and-other
You can use wwwizer.com - it is a reverse proxy service with SSL.
You get an individual IP and it shows your app on both the http and https ports. It is cheaper and easier than hosting the whole server yourself.
This is my service, so, yes, this is blatant advertising :-)
Here's a HOWTO I wrote up explaining how to do SSL on your custom domain using CloudFlare:
http://blorn.com/post/20185054195/ssl-for-your-domain-on-google-app-engine
Since SDK 1.7.0, released at Google I/O, developers can serve their applications via HTTPS on custom domains using both SNI (Server Name Indication) and VIP (Virtual IP) based SSL.