How to set up an HTTPS site on Google Cloud Storage - static

I've got server sites set up on GCS but currently they are getting the "Not Secure" badge when someone browses them. I'd like to set them up with a load balancer and google managed certificates so they don't get flagged by the browser. Here is the structure of the sites (not the real domains or hosts):
flintstones.com
www.flintstones.com (alias for flintstones.com)
fred.flintstones.com (completely separate site - currently in its own storage bucket)
barney.flintstones.com (completely separate site in its own storage bucket)
Can I have just one load balancer for all of these or do I need a separate LB for each? I know I can put all of these on one google-managed certificate but I'm not sure it's a good idea. I tried that and the cert was forever in "PROVISIONING" status. If I put them in one certificate do they all need to have the A record point to the load balancer before the cert will be provisioned? Long and short is that I can never seem to get a cert that isn't in "PROVISIONING" status.
Thanks for your help!

Can I have just one load balancer for all of these or do I need a separate LB or each?
Yes, you can have one LB, with one IP address, and each domain configured to point to that IP address (by CNAME or A/AAAA record). The URL Map for the LB should then dispatch different paths to different backend buckets with host rules.
I know I can put all of these on one google-managed certificate but I'm not sure it's a good idea.
This is up to you, both can work. Some factors to consider:
There is a limit of 100 domains on each SSL certificate
There is a limit of 15 certificates on each targetHTTPSProxy
If you use one certificate with multiple domains, a user visiting one of those domains can get a list of other domains on the certificate. If you use separate certificates, that is not the case.
It is a simpler config to have one certificate
Separate certificates are safer/easier if you need to change domains frequently.
If I put them in one certificate do they all need to have the A record point to the load balancer before the cert will be provisioned?
Google will only provision a certificate if the domains requested point to your Load Balancer. So you do need to set up the DNS records for all the domains.
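As an added example (not code from the answer or from Google), the two pieces of the answer in working form: the host rules a single URL map needs to send each hostname to its own backend bucket, and a preflight check of the provisioning prerequisite, namely that every domain on a managed certificate already resolves to the load balancer. The project id, bucket names and the sample DNS answers are constructed; the live resolver needs network access, which is why the check accepts an injected lookup function.

```python
import ipaddress
import socket

PROJECT = "example-project"   # assumed placeholder project id
MAX_DOMAINS_PER_CERT = 100    # per-certificate domain limit quoted in the answer

# Host -> backend bucket, following the structure in the question.
# Bucket names are constructed; www shares the apex bucket because it is an alias.
ROUTES = [
    ("flintstones.com", "flintstones-root"),
    ("www.flintstones.com", "flintstones-root"),
    ("fred.flintstones.com", "fred-site"),
    ("barney.flintstones.com", "barney-site"),
]


def backend_bucket_url(project, bucket):
    """Self link of a backend bucket, as the urlMap resource references it."""
    return ("https://www.googleapis.com/compute/v1/projects/"
            f"{project}/global/backendBuckets/{bucket}")


def build_url_map(name, routes, project=PROJECT, default_bucket=None):
    """Compute API urlMap body with one host rule and one path matcher per bucket.
    A host may appear in only one host rule, so a duplicate is rejected here
    rather than at import time."""
    seen, by_bucket = set(), {}
    for host, bucket in routes:
        host = host.lower().rstrip(".")
        if host in seen:
            raise ValueError(f"host {host} is routed twice")
        seen.add(host)
        by_bucket.setdefault(bucket, []).append(host)
    if not by_bucket:
        raise ValueError("no routes")
    default_bucket = default_bucket or next(iter(by_bucket))
    return {
        "name": name,
        # Requests whose Host matches no rule fall through to the default service.
        "defaultService": backend_bucket_url(project, default_bucket),
        "hostRules": [{"hosts": hosts, "pathMatcher": f"pm-{bucket}"}
                      for bucket, hosts in by_bucket.items()],
        "pathMatchers": [{"name": f"pm-{bucket}",
                          "defaultService": backend_bucket_url(project, bucket)}
                         for bucket in by_bucket],
    }


def resolve_ips(host):
    """Live lookup of A/AAAA records (CNAMEs are followed). Needs network access."""
    return {info[4][0] for info in socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)}


def cert_preflight(domains, lb_ips, resolve=resolve_ips):
    """Per-domain check of the provisioning prerequisite from the answer: every
    domain on the certificate must resolve to the load balancer's address(es).
    Returns {domain: None if fine, else a short reason}."""
    if len(domains) > MAX_DOMAINS_PER_CERT:
        raise ValueError(f"{len(domains)} domains exceeds the {MAX_DOMAINS_PER_CERT}-domain limit")
    wanted = {ipaddress.ip_address(ip) for ip in lb_ips}
    report = {}
    for domain in domains:
        try:
            got = {ipaddress.ip_address(ip) for ip in resolve(domain)}
        except (socket.gaierror, ValueError) as exc:
            report[domain] = f"lookup failed: {exc}"
            continue
        stray = got - wanted
        if not got:
            report[domain] = "no address records"
        elif stray:
            report[domain] = f"resolves to {sorted(map(str, stray))}, not the load balancer"
        else:
            report[domain] = None
    return report


def cert_can_provision(report):
    """True only when no domain in the report has a problem."""
    return all(problem is None for problem in report.values())


# Constructed DNS answers, as a resolver might return them mid-migration:
# barney.flintstones.com still points at the old host, so the cert would stay
# in PROVISIONING until that record is changed.
SAMPLE_DNS = {
    "flintstones.com": ["203.0.113.10"],
    "www.flintstones.com": ["203.0.113.10"],
    "fred.flintstones.com": ["203.0.113.10"],
    "barney.flintstones.com": ["198.51.100.5"],
}


def sample_resolve(host):
    return SAMPLE_DNS.get(host, [])


if __name__ == "__main__":
    import json
    print(json.dumps(build_url_map("flintstones-map", ROUTES), indent=2))
    report = cert_preflight([h for h, _ in ROUTES], ["203.0.113.10"], resolve=sample_resolve)
    for domain, problem in report.items():
        print(f"{domain}: {problem or 'ok'}")
    print("ready to provision:", cert_can_provision(report))
```

Running the preflight against the real resolver (drop the `resolve=` argument) before requesting the certificate tells you which record is still wrong; with one certificate for all four hosts, a single stale record is enough to hold the whole certificate in PROVISIONING, which is the trade-off the answer's list of factors points at.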

Related

Adding Google-managed, auto-renewing SSL custom domain with cloudflare DNS

Trying to enable auto renewing SSL on google app engine but google says DNS records cannot be found.
I have added them for the subdomain, tried doing all A and AAAA records or just a CNAME record (as cloudflare doesn't allow CNAME and A,AAAA on the same subdomain), but no luck with google finding DNS records (even after waiting 24 hours).
Whatever DNS records are needed by google to verify ownership of the domain should not be orange clouded/Proxied, they should be grey clouded/DNS only. Proxying will actually cause cloudflare to serve an A / AAAA record for their own servers/ips and on the requests to your origin server, they will use these entries. Google would not see the actual DNS entries to do the verification.
That being said, the A / AAAA records in your picture don't look like the verification records. I don't know anything about GCP/GAE, but generally the domain control verification records are TXT records or CNAME records. Regardless of this, the above applies. You need the DNS only mode to modify the actual DNS entries that everyone sees.

How to forward domain requests to gae url

I have different customers who each own their own hosted SaaS page on my GAE app, for example:
myapp.appspot.com/customer/123
myapp.appspot.com/customer/456
Each of the customers may want his domain name, for example theBigDomain.com, to "invisibly" forward to myapp.appspot.com/customer/123
Please notice I want theBigDomain.com/myservlet?id=theId#aBookmarkUrl to be transmitted to the target url as myapp.appspot.com/customer/123/myservlet?id=theId#aBookmarkUrl
I searched for the google documentation and I can't find a way to do that.
Note: I don't want a redirect where the person who types theBigDomain.com finds he's not there anymore, and I don't want a frame to include my url in the theBigDomain.com since I want the user to be able to click on the back button.
In short, I want the domains to work as proxies, knowing that from what I know, proxies are not good for some content, for example, if my target link has a youtube video, this might not work. So I'm asking if there is a way to do a dns redirect for a url and not a domain?
Using subdomains is also limited: creating a subdomain for each customer will be a tedious work...
Using subdomains is also limited: creating a subdomain for each customer will be a tedious work...
How so? This could actually be a lot easier for you/your customers since your customers wouldn't have to deal with domain verification/DNS settings and all you would need to do is add one * (wildcard) host to your main domain pointing to ghs.googlehosted.com and add *.yourdomain.com in your GAE app's settings. In your app, in your framework of choice you would then see what subdomain the request came to and handle it as the customer's unique id (instead of 123/456). See here how you would determine the subdomain on python/webapp2. If you're using a different combination of language/framework - there are alternative functions as well.
If you still want the customers to use their own domains then it gets a little more complicated. First, they need to provide the full domain name to you, you then add it to your GAE app's settings. Next, you and your customers need to follow one of the verification steps listed on this page: https://support.google.com/a/answer/60216?hl=en and once that is complete you would need to ask your customers to create a CNAME record on their domains/subdomains pointing to ghs.googlehosted.com. Once the CNAME record is created, you would handle this just as if these were subdomains on your own domain, i.e. in your framework determine what domain the request came to and handle it as a customer's unique ID to serve that customer's app.

Traffic Splitting By IP Address on Google App Engine

I'd like to direct traffic to different versions of Google App Engine code based on a set list of known IP Addresses.
For example, if an incoming request is from an IP Address on a given list, then traffic is directed to version 1. If not, then version 2.
Is there a way to do this from the admin console or deployment configuration?
The end goal is to grant access to extra features when the site is accessed from an approved IP Address. If I can't do this from the admin console, then I plan to get the IP Address during the user's login process, and set their security role based on IP.
There's not a way within the admin console or deployment process. However, if you do cookie-based traffic splitting, you can set the cookie yourself (based on the incoming IP address, or another value you desire). The value is stored in GOOGAPPUID and the value you'd want to use is described in the documentation, and varies depending on the number of versions you're splitting between and the respective levels of traffic you'd like to send to each version.
If you don't want to do traffic splitting for users not on a given list of IPs, you should make sure to explicitly set the cookie for all users. Otherwise, App Engine will provide the value (and send some users to both versions) by default.
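An added example (not code from the answer or from App Engine) of the cookie-based split the answer describes: decide from the client address whether the request belongs to an approved network, and set GOOGAPPUID on every response so App Engine never has to pick a random value. The approved networks are constructed RFC 5737/3849 documentation ranges, and the two cookie values are placeholders: which value maps to which version depends on your split percentages, so take them from the traffic-splitting documentation the answer refers to.

```python
import ipaddress

# Constructed allow-list (documentation address ranges); replace with your own.
APPROVED_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("203.0.113.0/24", "198.51.100.7/32", "2001:db8::/32")]

# Placeholders: the GOOGAPPUID value that lands on version 1 and on version 2
# for *your* split. Look both up in the cookie-splitting documentation.
COOKIE_FOR_VERSION1 = "0"
COOKIE_FOR_VERSION2 = "999"


def is_approved(remote_addr):
    """True when the client address falls inside an approved network.
    Malformed input is treated as not approved rather than raising."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(ip in net for net in APPROVED_NETWORKS)


def split_cookie_value(remote_addr):
    return COOKIE_FOR_VERSION1 if is_approved(remote_addr) else COOKIE_FOR_VERSION2


def split_cookie_header(remote_addr):
    """Set-Cookie header to emit on every response: a user without the cookie
    would otherwise be assigned a value by App Engine and may see both versions."""
    return ("Set-Cookie",
            f"GOOGAPPUID={split_cookie_value(remote_addr)}; Path=/; Secure; HttpOnly")


def wsgi_app(environ, start_response):
    """Minimal WSGI app showing where the header goes. The cookie only steers
    routing; since any client can set its own cookie, the extra-feature
    decision is taken from the address again, never from the cookie."""
    addr = environ.get("REMOTE_ADDR", "")
    body = b"version1 features\n" if is_approved(addr) else b"standard\n"
    start_response("200 OK", [("Content-Type", "text/plain"), split_cookie_header(addr)])
    return [body]


def handle(remote_addr):
    """Run wsgi_app once for a given client address; returns (status, headers, body)."""
    out = {}

    def start_response(status, headers):
        out["status"], out["headers"] = status, headers

    body = b"".join(wsgi_app({"REMOTE_ADDR": remote_addr}, start_response))
    return out["status"], out["headers"], body


if __name__ == "__main__":
    for addr in ("203.0.113.5", "192.0.2.1", "2001:db8::1", "garbage"):
        status, headers, body = handle(addr)
        print(addr, status, dict(headers)["Set-Cookie"], body.decode().strip())
```

On App Engine the address to test is the one in REMOTE_ADDR, which Google's front end fills in with the client address; do not read it from X-Forwarded-For, which the client can supply. Both versions should ship the same cookie logic, since whichever version serves the first request sets the cookie.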

Jespa NTLM authentication with multiple Active Directories or Windows domains

I'm using Jespa to do transparent NTLM sign-on. I want to be able to authenticate the users in multiple Windows domains. I have it working with one domain. How do I add another?
Thanks
I asked this question to ioplex support. They gave me a good answer. Here it is:
"Only the first element in the chain can do SSO because once the HttpSecurityService challenges the browser with information for the first domain, the browser cannot start over for a different domain. At least not in the same request. Ideally it would be great if the browser submitted the name of its own domain in the initial NTLM token. But unfortunately it simply does not.
We actually get this question quite a bit. The best way to handle this in our opinion is to create a custom Filter that creates multiple instances of the HttpSecurityService - one for each domain. Then you have a parallel list of network masks that can be used to match clients by remote IP address to the correct instance of the HttpSecurityService. Or you could identify clients using any method you want such as browser signature. Or you could use a cookie to identify the ideal domain but in this case the user would have to do something to get the cookie (like login manually once). Do you understand what I mean?
Note that if the AD domains have trusts, SSO should work fine with only the one HttpSecurityService instance. The solution described above is only necessary if the domains do not have trust relationships."

How to handle 3rd-level domains in Google App Engine?

I develop a Google App Engine application and want to provide a separate 3rd-level domain for each registered user (e.g. username.example.com). What is the best way to handle such kind of features in App Engine?
Currently I see only one way - set a wildcard DNS A record/CNAME record to point to the application's main address, handle all requests in the central request handler, then parse the request's URL, fetch the username from the URL, and then apply the logic necessary for the specified user. But it looks like an error-prone approach since it involves manual work and assumptions.
You can't use a wildcard A record to point to the app; A records point to a single IP address and App Engine apps don't have a single IP address.
You need to use a wildcard CNAME record pointing to ghs.google.com.
Then, in your application, parse the hostname and act appropriately. I'm not sure what you mean by "manual work and assumptions"; it's fairly trivial to split the hostname on "." and look up whether there's a user registered with the first part of the hostname in your database.
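The hostname parsing that both this answer and the earlier one about customer domains ("determine what domain the request came to and handle it as the customer's unique ID") leave to the reader, as an added example that is not part of either answer. It treats the Host header as untrusted input: the label in front of the wildcard domain is validated as a single DNS label before any lookup, reserved names such as www are never customers, a customer's own CNAMEd domain is matched against an explicit table, and an unknown host yields None so the app serves a 404 rather than a default customer. The base domain, the reserved-label set, the customer tables and the /customer/<id> path layout follow the earlier question and are constructed.

```python
import re

BASE_DOMAIN = "example.com"                        # domain carrying the wildcard CNAME
RESERVED_LABELS = {"www", "mail", "admin", "api"}  # assumed: never customer names
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")  # exactly one DNS label

# Constructed: customers' own domains, registered once their CNAME points at
# ghs.googlehosted.com (the earlier answer's second approach).
CUSTOM_DOMAINS = {"thebigdomain.com": "123", "www.thebigdomain.com": "123"}
# Constructed: subdomain label -> customer id (in a real app, a datastore lookup).
SUBDOMAIN_CUSTOMERS = {"fred": "123", "barney": "456"}


def normalize_host(host):
    """Lower-case, strip an explicit port and a trailing dot; None if unusable."""
    if not host:
        return None
    host = host.strip().lower().rstrip(".")
    if host.startswith("["):          # bracketed IPv6 literal: never a customer host
        return None
    host = host.split(":", 1)[0]
    if not host or len(host) > 253:
        return None
    return host


def customer_label(host):
    """The single label in front of BASE_DOMAIN, or None. Nested labels
    (a.fred.example.com) and hosts merely containing the base domain
    (fred.example.com.evil.test) are rejected."""
    suffix = "." + BASE_DOMAIN
    if not host.endswith(suffix):
        return None
    label = host[:-len(suffix)]
    if not LABEL_RE.match(label) or label in RESERVED_LABELS:
        return None
    return label


def resolve_customer(host_header):
    """Customer id for this request, or None (serve a 404, never a default)."""
    host = normalize_host(host_header)
    if host is None:
        return None
    if host in CUSTOM_DOMAINS:
        return CUSTOM_DOMAINS[host]
    label = customer_label(host)
    if label is None:
        return None
    return SUBDOMAIN_CUSTOMERS.get(label)


def rewrite_path(customer_id, path_qs):
    """Map /myservlet?id=x on a customer domain to the app's internal
    /customer/<id>/myservlet?id=x path. The URL fragment (#...) is never sent
    to the server, so the browser keeps it unchanged."""
    if not path_qs.startswith("/"):
        path_qs = "/" + path_qs
    return f"/customer/{customer_id}{path_qs}"


if __name__ == "__main__":
    for h in ("fred.example.com", "FRED.Example.COM:443", "thebigdomain.com",
              "www.example.com", "a.fred.example.com", "fred.example.com.evil.test"):
        print(f"{h:32} -> {resolve_customer(h)}")
    print(rewrite_path("123", "/myservlet?id=theId"))
```

A request handler then calls `resolve_customer(request.host)` first and returns 404 when it gets None; only after that does it look up data, so a crafted Host header can never select another customer's content by accident.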