Google Cloud with Google Domain, static website ssl cert not valid - google-app-engine

My domain is registered with Google Domains. I put up my static website on Google Cloud Storage. The Cname record being c.storage.googleapis.com.
I had an SSL cert already for this domain, and wanted to set it up. I uploaded the SSL cert successfully to Google Cloud App Engine. It gave me a new Cname value to tie to my DNS, this time ghs.googlehosted.com
I can't do both for www
Anybody know whats up? I thought there would be a simple way to point my existing ssl certificate to my domain without having to do load balancing or anything too complicated. There is very little traffic to the site. I transferred everything over from a different hosting provider, and this is the only issue.

Possible solutions -
To use HTTPS with your own domain, you'll need to set up Google Cloud Load Balancer. Google Cloud Load Balancer allows you to fill a domain with all sorts of content. Some resources could be served by a GCS bucket, but you could also have servers in GCE serving dynamic content for other paths.
Use firebase to host your SPA, they by default have https.
Use App engine to serve static files https://github.com/ncruces/appengine-hosting
Use something like cloudflare infront of it, which provides https for custom domain.

In order to host your static web page within a Cloud Storage bucket and use HTTPS, you need to configure a load balancer with a static external IP address. This guide [1] shows how to configure load balancing service and sending traffic to the instances. You can follow the configurations, skipping the instance parts since your goal is sending traffic to a bucket.
Afterwards, route your load balancer to the Cloud Storage bucket having your static web page [2].
Finally, go to your domain host and set an A Record, instead of CNAME [3], hitting your load balancer's external IP.

Related

Custom domains / catch all hostnames on Google App Engine

I'm trying to configure my Google App Engine instance with Cloudflare for Saas, and more precisely Cloudflare's SSL for SaaS offering. The objective being that I can provide to my customer a "custom domain" (also known as "vanity domain"), such that they don't go to dashboard.mywebsite.com, but instead app.customerwebsite.com.
Configuration part
To make sure that my App Engine instance is correctly serving content on dashboard.mywebsite.com, I've made the following:
On Google Cloud side:
I've configured the custom domain dashboard.mywebsite.com.
I've let Google manage the SSL configuration (no custom key/certificate)
Here is my app.yaml configuration file:
runtime: nodejs14
env_variables:
NODE_ENV: 'production'
basic_scaling:
max_instances: 10
idle_timeout: 5m
On Cloudflare side:
I've updated the DNS records so that dashboard.mywebsite.com is perfectly working
I've configured the SSL on the Full mode (while I've tried with Flexible as well - both work)
I waited for a few hours and I confirm that dashboard.mywebsite.com resolves correctly and serves my content (from Google App Engine).
Next, custom domains
According to Cloudflare documentation, I had to register the fallback origin (i.e. dashboard.website.com) and then configure a custom hostname (e.g. app.customerwebsite.com). Which I did.
Now, according to Cloudflare documentation again, my customer has to create a CNAME record. Which I did with a domain of mine:
app.customerwebsite.com CNAME dashboard.mycompany.com
The issue
I waited a few hours again. Then, when I open app.customerwebsite.com in my browser, it shows a Google 404 error page instead of my dashboard. Which makes me think that Cloudflare successfully "redirects" the traffic to Google, but App Engine refuses to serve it. Probably because it doesn't know app.customerwebsite.com?
Any thoughts that would help?
As you noticed, the issue is not related to Cloudflare, but App Engine. The problem with your configuration is that, when App Engine receives a request, based on the Host header, it forwards the request to the right instance.
App Engine lets you map any custom domains that has been previously validated by Google. But in your situation, that would mean you have to register each custom domain of your customers on your App Engine instance. That's too cumbersome (if even possible).
What you need to do instead is the following:
enable a static IP address with Google Cloud
change your DNS record from dashboard CNAME ghs.googlehosted.com to dashboard A YOUR_IP_ADDRESS
configure a Google Cloud Load Balancer to map requests received on that IP address to your App Engine instance.
Google's documentation has a great guide on how to setup a load balancer with Cloud Run. By changing a few settings it works great with App Engine. As an extra help, below is the configuration details of our load balancer that allows us to provide vanity domains / custom domains to our customers through Google Cloud:
Again, the load balancer is here responsible to map all requests received by your IP address (no matter the Host header) straight to your App Engine instance.
As a best practice, it might be useful to push a dispatch.yaml file to your instance:
dispatch:
- url: '*/*'
service: default
Which tells App Engine to send all requests to the default service. It works a bit like a wildcard virtual hosts on an Apache server.

GCS - split traffic (Between GAE and Storage) based on port

How does one configure Google Cloud Service to have a domain serve static files file storage (ie, html/css/js, via port 80), but send requests to the same domain on port 3000 go to App Engine, for a RESTFUL web app?
ie,
https://foo.com/ -- html/css/js served via Google Storage
https://foo.com/users:3000 -- ping app engine
Note: I do know how to host static files on Google Storage and use it as a website. What I need to know is how to configure requests to the same domain on port 3000 go to app engine instead.
As far as I understand, when serving static websites all the traffic goes to port 80. It will not be possible to route request depending on the port on the static website. A workaround here would be to have your main domain point to the static website, whereas you could have your subdomain pointing to the GAE application. This can be done by mapping a custom subdomain.

Adding a SSL App engine with custom subdomain pointing to Google Storage bucket

Current App:
Goole App Engine on a custom domain: myapp.com
Google Cloud Storage bucket on a custom subdomain (it uses DNS): images.myapp.com
I have SSL certificate with the images subdomain
My question is: Is possible to have this configuration with SSL?
Things I have tried:
Load balancer. I cannot figure out how to redirect everything that is not /images/* to the GAE (it seems it only works with backends)
dispatch.yaml. I think it only works for the services you deploy
In App Engine Settings I have added images.myapp.com, but as the redirection of images.myapp.com is done at DNS level, the secure layer is lost
Any suggestion or idea is more than welcome.
Thank you!
The limitation comes from the Cloud Storage bucket presented as a website under a custom domain - you can't use SSL with that. From You want your content served through HTTPS:
SSL is not currently supported by the Cloud Storage webservers; thus,
you can only use a CNAME redirect with HTTP and not with HTTPS. If you
wish to serve content through HTTPS from your bucket, we recommend you
use a third-party Content Delivery Network with Cloud Storage.
Alternatively, you can serve your static website content from
Firebase Hosting instead of Google Cloud Storage.
If the content of your site meets the Code and static data storage quota you can serve your website through GAE, as static content (through a google CDN), which can be mapped to a custom domain and use SSL. See:
Serving Static Files
Hosting a static website on Google App Engine
If your content exceeds the mentioned quota then you can still serve it through your app, but dynamically, with your app accessing the content stored on GCS and serving it - more expensive as you'll be using instance hours for it.

Multitenancy on Google cloud, how to obtain custom domain

On Google cloud, you can use appengine api to obtain *.appspot.com domain. How does one obtain customer domain in an instance whereby the domains are used as namespaces in a multi tenant application.
Say customer.example.com points to super-cool-app.appspot.com via DNS configuration CNAME, during request processing how can one obtain customer.example.com typically servers would broadcast SERVER_NAME via headers. Does Google cloud App Engine offer such headers?
Looking through the AppEngine Docs at
https://cloud.google.com/appengine/docs/java/multitenancy/multitenancy#Java_Setting_the_current_namespace -
NamespaceManager.getGoogleAppsNamespace() would return the domain. The document states that this method returns blank if the App is hosted on appspot.
I've not tried this personally, but the docs look promising.

Setup Google Compute Engine to only be accessible from a Google App Engine application?

Google Compute Engine instances can be secured behind a firewall that allows you to open the instance by ports and/or IP addresses.
Google App Engine doesn't use a single IP address.
I have a Compute Engine server running Nginx that I would like to completely lock down so the only way to access it is through an application on Google App Engine, is this possible?
If not, is there a simple way to send a POST request with a string of characters to Nginx, that if not present, the Nginx server would send people to a 404?
Use HTTP authentication as per the question Dan has linked to. There is no viable network/IP/firewall mechanism to restrict access.
The HTTP authentication works just fine!

Resources