I have deployed an app in gcloud App Engine. The main site is secured through a Google-managed certificate in App Engine. However, after the authentication through Auth0, the redirected URL reviewresponse.beratics.com/dashboard is no longer http secured, although it has a certificate. That means I can change the URL manually to https://reviewresponse.beratics.com/dashboard and it works. But it does not work automatically. What can I do, where is the problem? I have implemented pyopenssl and other measures such as Talisman in Python, but the problem still persists. The backend is in Flask, the app is on gcloud App Engine flexible environment and the site is WordPress managed. The authentication to the app works through Auth0. All the callback URLs at Auth0 are with https. Thanks in advance!
I think this is what you are looking for, but App Engine has a secure flag in the app.yaml config which you can set to always which will redirect all http traffic to https. The details of this you can find here
Google Cloud app.yaml ref CTRL+F for 'secure'
As a possible workaround, GCE VMs allow custom firewall rules without any load balancer in front of them. In other words, you can use a GCE VM as a "proxy", setting a static IP and blocking traffic over port 80, to then redirect to App Engine.
Also, I found this feature request; as a kind recommendation, you can star it so that you receive further information about it.
Related
I have a GAE app set up to use a custom domain, let's call it mycustomdomain. This naked domain is working fine over HTTP and HTTPS. I also have a service called api, it can be accessed successfully by going to http://api.mycustomdomain.com (custom domain convention).
However, I can't access the api service over HTTPS. I uploaded an SSL certificate for mycustomdomain.com, but I got an error (site can't be reached) when trying to access the api service over HTTPS. My question is: do I need to purchase the wildcard.mycustomdomain.com SSL certificate in order to access the api service over HTTPS? I don't have much experience dealing with SSL certs and GAE custom domains, so any help would be greatly appreciated. Thank you!
Edit: updated information for GCP Console configurations.
My app setup in the Console contains the following:
Services: default, api
Custom domain setup: mycustomdomain.com
SSL uploaded: ultrahdlivewallpaper.com (NOT the wildcard version), api.ultrahdlivewallpaper.com (unable to be enabled for custom domain, none matching)
More detail: The problem is when I map both ultrahdlivewallpapers.com and api.ultrahdlivewallpapers.com, they are both mapped to the default service. I want api. to point to the API service. If I only map ultrahdlivewallpapers.com, that allows me to access api service at the api subdomain, but then the api SSL can't be applied to api. subdomain because it's not listed as a subdomain.
07/24/17 Update: I believe this is a limitation with the App Engine Settings after trying out several scenarios via GAE Console. We have a custom domain set up for ultrahdlivewallpapers.com and enabled the SSL cert for this domain. The domain is pointing to the default service. We have a second service set up called API. Google's routing rules for any service set up is via HTTP:// service-id.custom-domain, which in our case is api.ultrahdlivewallpapers.com. However, when I upload the SSL for the api subdomain, Console couldn't find matching domains because the api subdomain is not specified via the Console. Now if I set up api.ultrahdlivewallpapers.com as a custom domain, I'm able to enable the SSL for api subdomain. Problem then becomes api subdomain is now pointing to the default service instead of the api service. If I remove the api mapping, I'm able to browse to the api service again, but no HTTPS! I don't believe there is a way to get this set up correctly without a wildcard SSL enabled for all subdomains. Please let me know if I'm missing anything. I have tried everything I can think of via the Console. Thanks.
You don't necessarily need a "wildcard" cert, per se. But, you do need to get a cert that covers all the subdomains. For example:
mycustomdomain.com
www.mycustomdomain.com
api.mycustomdomain.com
It's a standard solution, and not difficult to do. Certbot (Let's Encrypt) makes it easy.
If you choose to get a wildcard certificate, installation is pretty straightforward:
You upload the certificate in the developer console (in App Engine -> Settings -> SSL Certificates -> Upload a new certificate). May require a bit of effort, see also Google App Engine SSL with Let's Encrypt "could not be inserted".
Once it's visible in the certificate table you can click on its name and you'll end up in the certificate edit screen where you can select which custom (sub)domains it applies to (from the list of all custom domains mapped in the app), looks like this:
Note: these are the corresponding custom domain mappings:
If you have another app (under the same admin account) which is also mapped to subdomains of the same domain you can activate the certificate on it as well in a similar manner (the console automatically shows the certificate in the list when you switch apps, no need to upload it again).
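The two answers above turn on which hostnames a certificate actually covers: a multi-name certificate listing each subdomain, or a wildcard. The following check is an added example, not code from the original posts; it applies the usual wildcard rule (the `*` stands for exactly one left-most label), and the SAN lists are constructed for illustration from the hostnames in the answer.

```python
def san_matches(pattern, hostname):
    """True if one certificate SAN entry covers hostname.

    A '*' is honoured only as the entire left-most label, and it stands
    for exactly one label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more or fewer labels
    if p[0] == "*":
        # Reject over-broad patterns such as '*.com'.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered(san_list, hostnames):
    """Return the hostnames that no SAN entry on the certificate covers."""
    return [h for h in hostnames
            if not any(san_matches(s, h) for s in san_list)]


# Hostnames the answer says the certificate must cover.
NEEDED = ["mycustomdomain.com", "www.mycustomdomain.com",
          "api.mycustomdomain.com"]

# Constructed SAN lists for four possible certificates.
SINGLE_NAME = ["mycustomdomain.com"]
MULTI_NAME = list(NEEDED)
WILDCARD_ONLY = ["*.mycustomdomain.com"]
WILDCARD_PLUS_APEX = ["*.mycustomdomain.com", "mycustomdomain.com"]

if __name__ == "__main__":
    for name, sans in [("single", SINGLE_NAME), ("multi", MULTI_NAME),
                       ("wildcard", WILDCARD_ONLY),
                       ("wildcard+apex", WILDCARD_PLUS_APEX)]:
        print(name, "missing:", uncovered(sans, NEEDED))
```

A wildcard-only certificate leaves the naked domain uncovered, which is why wildcard certificates are normally issued with the apex name as a second SAN entry.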
Is my app secure with Google App Engine without my own SSL Certificate?
I ask because I've just gone through the process of using Letsencrypt to create an SSL cert and apply it to my App Engine project with a custom domain - myapp.com
Now, I also have a development environment which is at myapp.appspot.com. While configuring the app.yaml files with secure: always, I accidentally deployed the dev app before creating the certificates and I noticed it was secured!
I thought this could be an appspot.com thing, so I removed the certificates from my live app and it is still showing as secured...
So the question is, does App Engine have some sort of built-in SSL and thus, do I need to bother with my own certs???
Yes, your app at appspot.com is secure. However, if you wish to use a custom domain then you must get an SSL certificate. Here you can find instructions on how to use a custom SSL certificate for a custom domain with appengine.
I've gone through all the steps of setting up an SSL certificate on a Google App Engine app with a custom domain. It worked for our test app (URL: test.mycompany.com). Now I went through the exact same process with our demo site (URL: demo.mycompany.com). Google is not letting me assign the URL to the certificate.
Figured this out. This posting was most helpful: How do I enable SSL for custom domains on appengine?.
In short, first add the custom domain in the Google Apps admin. Don't add it to the Google App Engine Console. Then in the Google Apps Security settings upload the certificate and assign the URL to the certificate. Add the custom domain to Google Apps Console after doing this.
Having the custom domain defined in the GAE admin console first produces the error, "We are unable to process your request at this time. Please try again later. (Error #1000)".
I have setup my GAE app with my registered domain. And from the Admin page:
Your users can access myapp at:
https://myapp.appspot.com
http://www.myapp.com
*Note: app name is not actual
However, the problem is that when www.myapp.com is accessed, the URL changes to myapp.appspot.com.
What could be missing?
Did you have a previous setup with your domain?
I suspect that your DNS cache is redirecting you.
Do curl -i http://www.myapp.com
See if it's a redirect and what kind.
Also check at your domain provider that it points to the GAE DNS servers and does not use a redirect.
Also you can try with wifi off on your mobile to see if it helps with the intermediate DNS caches.
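The "see if it's a redirect and what kind" step can be made mechanical. The following is an added example, not part of the original answer: it parses the status line and headers that `curl -i` prints and reports whether the redirect is permanent or temporary, whether it changes host, and whether it moves between http and https. The sample responses are constructed, not captured from a real site.

```python
from urllib.parse import urljoin, urlsplit

# Status codes that carry a Location header, and how clients treat them.
REDIRECT_KINDS = {301: "permanent", 308: "permanent",
                  302: "temporary", 303: "temporary", 307: "temporary"}


def classify_redirect(request_url, raw_response):
    """Classify the header block of a `curl -i` response for request_url."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])      # "HTTP/1.1 302 Found" -> 302
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if status not in REDIRECT_KINDS or "location" not in headers:
        return {"redirect": False, "status": status}
    src = urlsplit(request_url)
    # Location may be relative, so resolve it against the request URL.
    target = urljoin(request_url, headers["location"])
    dst = urlsplit(target)
    if src.scheme == "https" and dst.scheme == "http":
        scheme = "downgrade"               # TLS is dropped by the redirect
    elif src.scheme == "http" and dst.scheme == "https":
        scheme = "upgrade"
    else:
        scheme = "same"
    return {"redirect": True, "status": status,
            "kind": REDIRECT_KINDS[status], "target": target,
            "scheme": scheme, "host_changed": src.hostname != dst.hostname}


# Constructed responses in the shape `curl -i` prints them.
TO_APPSPOT = ("HTTP/1.1 302 Found\r\n"
              "Location: https://myapp.appspot.com/\r\n"
              "Content-Length: 0\r\n\r\n")
DOWNGRADE = ("HTTP/1.1 302 Found\r\n"
             "Location: http://www.myapp.com/dashboard\r\n\r\n")
NO_REDIRECT = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    print(classify_redirect("http://www.myapp.com", TO_APPSPOT))
```

A permanent (301 or 308) result is worth noting because browsers cache it, so the old redirect can persist on a client after the server-side configuration is fixed.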
Can I point
http://www.mycustomdomain.com
to
http://myapp.appspot.com
using a CNAME record or other gimmicks? I do not want to use Google Apps.
Is it possible?
If you don't want to use Google Apps, you could serve redirects to your appspot address from another HTTP server somewhere. You cannot do this with DNS settings alone without Google Apps; the server needs to know which application to serve for a given request URL, and if the domain isn't a Google Apps domain, you can't configure this. Note that if you use redirects, the user will not see your domain name when visiting your app; once they're redirected they'll be viewing at an appspot.com address.
Are you aware that there's a free level of Google Apps service, that you could set up only to serve App Engine apps?