Google is now offering, in beta, a managed security service for automated deployment of SSL certificates to GAE apps, which are currently signed by Let's Encrypt. The managed security service is a really good idea, particularly for Windows users, who cannot easily generate SSL certificates through the Let's Encrypt service.
I currently have one custom domain mapping to my GAE app plus its www alias (which means that both 'customdomain.com' and 'www.customdomain.com' map to my app). Also, I have enabled managed security for both of them.
Unfortunately, an HTTPS connection is enforced only if one accesses my app using the www alias (www.customdomain.com). If one does not determine a subdomain (customdomain.com), the connection served is insecure. Of course, one can enforce an HTTPS connection (by adding 'https://' before 'customdomain.com').
Why is that happening? Is that a service bug?
As of September 2017, Google Cloud Platform has introduced Managed SSL which should implement SSL to your custom domain by default.
Below is an extract from this instructional post:
Now, when you build apps on App Engine, SSL is on by default — you no
longer need to worry about it or spend time managing it. We’ve made
using HTTPS simple: map a domain to your app, prove ownership, and App
Engine automatically provisions an SSL certificate and renews it
whenever necessary, at no additional cost. Purchasing and generating
certificates, dealing with and securing keys, managing your SSL cipher
suites and worrying about renewal dates — those are all a thing of
the past.
You can specify the paths that you wish to be secured inside the app.yaml:
handlers:
- url: /.*
script: main.app
secure: always
Related
I purchased a custom domain mydomain.com w/Google Domains last year. Until earlier this week, I was hosting a small single-page React app on that domain (in a Cloud Storage bucket) that connected to a GAE Flask app backend. Wasn't using SSL anywhere. All was well.
I now wish to use SSL. Since I'm new to all of this stuff, I followed the documentation to map my custom domain and secure it with SSL using Google-managed SSL certs. During this process, I created my first load balancer in GCP, then updated my domain's DNS entries for # A and www A to the LB's IP. The guides didn't say anything about changing the # AAAA entries, so I left them in place. Cloud CDN is disabled. Google Domains DNS Settings:
When creating the Google-managed SSL cert, I entered both mydomain.com and www.mydomain.com since I want both addresses to be secured w/SSL. After a few hours, the domain status for www.mydomain.com became active, but the status is FAILED_NOT_VISIBLE for mydomain.com. Guessing this is the source of my problems? Google SSL Cert Statuses:
Troubleshooting tips for this error:
The SSL Certificate isn't attached to the load balancer's target proxy. To resolve this issue, update the load balancer configuration. Done, and confirmed via both the GCP UI and the gcloud cli.
The domain's DNS record doesn't resolve to the IP address of the Google Cloud load balancer. To resolve this issue, update the DNS records to point to the load balancer's IP address. Thought I did this too, see my GAE custom domain settings below:
Attempting to load to mydomain.com or www.mydomain.com in the browser yields:
This site can’t provide a secure connection
www.mydomain.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite.
It's been ~40hrs since I created the LB and updated the DNS settings for my domain, so I suspect the issue is my config and not DNS propagation. Where am I going wrong?
EDIT
Editing to clarify a few critical things:
I'm hosting my UI as a static website in a Google Cloud Storage bucket. Cloud Storage doesn't support HTTPS on its own, and therefore requires an HTTPS load balancer to work with custom domains.
If I wanted to go down this path, I'd need to ensure the load balancer pointed to my Cloud Storage bucket, which wasn't mentioned in my original post.
To roll back all changes from this SSL attempt, I'd need to update the # A DNS entry to the GAE IP, then update the www CNAME entry to c.storage.googleapis.com.. Note this CNAME entry is for Cloud Storage, not for GAE.
I ended up aborting the SSL idea and going with #3 (for now). The app in question is for a personal project that doesn't deal with any sensitive info, so SSL really isn't necessary.
You’ve gone through the process and receive the message:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
I’ve found some information for you. The main points are listed below.
Verify SSL Status of Website,
Check for Certificate Name Not Matching
Verify TLS Version
Verify RC4 Cipher Suite
Manually Inspect Security Certificate
There is more detail in this document here
What is the correct way to map a custom domain to Google App Engine project?
I've added the custom domain, set up all the DNS records etc. and it is working! But how do I enforce HTTPS only? (Like the custom domain generated does)
From reading around many posts I have seen secure: always in a handler which I have tried, but doesn't seem to work (saw some comments that it doesn't work on flex environments?)
So how can I correctly map my domain to a flex php environment being HTTPS only?! Seems such a simple thing to want to be able to do!
While being somewhat related to a custom domain (for example the SSL certificate used by HTTPS being tied to the domain) the HTTPS-only behaviour is not really an attribute of the custom domain mapping operation, it's just a behaviour of the app itself (regardless of being mapped to a custom domain or not).
For standard environment GAE apps part of the HTTPS-only behaviour is an automatic http -> https redirection performed by the GAE infra on behalf of the app if secure: always is set in the app.yaml configuration file.
But that configuration has, indeed, been deprecated for the flexible environment GAE apps. The PHP-specific deprecation note can be found at app.yaml changes:
Secure handlers
The secure setting under handlers is now deprecated for the App
Engine flexible environment. If you need SSL redirection, you can
update your application code and use the X-Forwarded-Proto header to
redirect http traffic. You can also use the HTTP Strict Transport
Security response header.
You'll also note that there is no mentioning of secure (or handlers for that matter) in the app.yaml Configuration File doc.
So you need to take care of the http -> https redirection inside your app code (or the framework you use for it, if any and if it has such capability), possibly following the suggestions from the above quote. I can't really help with details on this as I'm not a PHP user.
My website runs on Google App Engine and is so far accessed via HTTP. I would like to change that to HTTPS. However, using the appspot.com domain instead of my own domain is not an option for me.
Is there any straightforward way to do so without having to deal with manually managing (updating etc.) certificates?
Now, when you build apps on App Engine, SSL is on by default — you no longer need to worry about it or spend time managing it. We’ve made using HTTPS simple: map a domain to your app, prove ownership, and App Engine automatically provisions an SSL certificate and renews it whenever necessary, at no additional cost. Purchasing and generating certificates, dealing with and securing keys, managing your SSL cipher suites and worrying about renewal dates — those are all a thing of the past.
To get started with App Engine managed SSL certificates, simply head to the Cloud Console and add a new domain. Once the domain is mapped and your DNS records are up to date, you’ll see the SSL certificate appear in the domains list. And that’s it. Managed certificates is now the default behavior — no further steps are required!
https://cloudplatform.googleblog.com/2017/09/introducing-managed-SSL-for-Google-App-Engine.html
No. You have to buy and upload your own certificate. The process is quite straightforward, though.
We are starting a very large web based service project. We are trying to decide what hosting environment to use. We would really like to use Google App Engine for scalability reasons and to eliminate the need to deal with servers ourselves.
Secure logins/registrations is very important to us, as well as using our own domain. Our target audience is not very computer savvy. For this reason, we don't want to have the users have to sign up with OpenID as this can't be done within our site. We also do not want to force our customers to sign up with Google.
As far as I can see, I am out of luck. I am hoping to have a definite answer to this question. Can I have an encrypted login to our site accessed via our domain, without having to send the customers to another site for the login (OpenID/Google).
Thanks.
The hardest part is getting around the cookie issue. While you can do secure and custom logins against https://yourdomain.appspot.com, you cannot set a cookie there that will work on http://yourdomain.com.
Here is what I propose:
When you need to log the user in, send them to https://yourdomain.appspot.com. If they enter the credentials properly, create a one-time token and place it either in the datastore or in memcache. Give it a lifetime of a few seconds.
Then redirect the user back to http://yourdomain.com/authenticate?token=mytoken (obviously substitute the names as appropriate), check to make sure that the token is valid and has not expired, and if all is clear, set the appropriate cookies and expire the token.
I think that'd work just fine. Hope it helps!
As of June 27, 2012, App Engine supports SSL for custom domains.
http://googleappengine.blogspot.com/2012/06/google-app-engine-170-released-at.html
There is nothing stopping you from creating your own authentication/registration mechanism with Google App Engine. The only problem is that Google App Engine currently only supports HTTPS via https://yourid.appspot.com and not your Google Apps Domain (i.e. https://www.foobar.com). However, this is on the product roadmap for future support (SSL for third-party domains). Note, also on the product roadmap is built-in support for OAuth & OpenID.
Update: Another option may be to use a proxy server (like Apache with mod_proxy) and map your domain to the proxy server and then the proxy server can proxy the HTTP and HTTPS requests to Google App Engine. The requests could be proxied to the appspot.com domain behind the scenes. I haven't actually done this, but I believe it should work. However, this would give you a single point of failure at the proxy server which basically defeats the purpose of Google App Engine's high-availability and scalability. This would definitely just be a short-term solution until Google supports SSL for third-party domains or OpenID.
Depending on whether your threat model can accept a non-encrypted link on the "last hop" to GAE, you can use a proxy to handle SSL from the browser. Here's a HOWTO I wrote up on using CloudFlare to get always-on SSL:
http://blorn.com/post/20185054195/ssl-for-your-domain-on-google-app-engine
This isn't structurally any different than the way SSL from Google will work, it's just that Google-provided SSL will terminate within G's network rather than just outside it. If you're trying to protect against Firesheep, CloudFlare (or any other SSL proxy) will do fine. If you're worried about snoops on the trunk connection between CF and Google, you may want a more sophisticated solution.
Since App Engine is so locked down I assume there is no way to setup an SSL certificate to allow credit card payments. In the absence of this, how is it possible to secure handle payments in an App Engine app?
http://code.google.com/appengine/docs/java/config/webxml.html#Secure_URLs says that
<ssl-enabled>true</ssl-enabled>
can be set in your appengine-web.xml file with *.appspot.com subdommains. Google had a typo in their opening tag on that page, just FYI.
For Google Apps you can't use HTTPS at all, but for appspot you can.
As far as using your own cert, you can't! For appspot, Google's cert is
not signed for your web-app's specific domain so it will cause a browser pop-up, but if accepted the page will load.
As of today, App Engine supports SSL on your own domain. See:
https://developers.google.com/appengine/docs/ssl
Note that there are two options. The more expensive (VIP - $99 per month) will work with all browsers, whereas the cheaper (SNI - $9 per month) doesn't work on some variations. See here:
http://en.wikipedia.org/wiki/Server_Name_Indication#Support
You can also use e.g. Cloudflare.com to front your app and provide SSL. Currently this is HTTPS to Cloudflare and then normal HTTP to App Engine. This will protect from any drive-by hacks but would be possible to intercept should an attacker somehow get between CF and GAE. This technique is described here:
http://blorn.com/post/20185054195/ssl-for-your-domain-on-google-app-engine