My instance was working fine with the domain and everything, but then I made a change in php.ini to the upload file size and restarted the instance. Since then I am not able to access my site. I am able to ping the external IP from the command line, but when I try to visit the domain or the IP I get the error:
This site can’t be reached. site.com took too long to respond.
What's strange is that when I access site.com/anyrandomstring, I get a page not found error 404, just HTML with no CSS or anything else loaded. These are my firewall configs.
| Name | Targets | Filters | Protocols / ports | Action | Priority | Network |
|---|---|---|---|---|---|---|
| default-allow-http | http-server | IP ranges: 0.0.0.0/0 | tcp:80 | Allow | 1000 | default |
| default-allow-https | https-server | IP ranges: 0.0.0.0/0 | tcp:443 | Allow | 1000 | default |
| wordpress-1-tcp-443 | wordpress-1-tcp-443 | IP ranges: 0.0.0.0/0 | tcp:443 | Allow | 1000 | default |
| wordpress-1-tcp-80 | wordpress-1-tcp-80 | IP ranges: 0.0.0.0/0 | tcp:80 | Allow | 1000 | default |
| default-allow-icmp | Apply to all | IP ranges: 0.0.0.0/0 | icmp | Allow | 65534 | default |
| default-allow-internal | Apply to all | IP ranges: 10.128.0.0/9 | tcp:0-65535, udp:0-65535, 1 more | Allow | 65534 | default |
| default-allow-rdp | Apply to all | IP ranges: 0.0.0.0/0 | tcp:3389 | Allow | 65534 | default |
| default-allow-ssh | Apply to all | IP ranges: 0.0.0.0/0 | tcp:22 | Allow | 65534 | default |
Any idea what is the issue? I have a wordpress website running on that installation.
I have read a lot on GCP's Firewall rules and even got help from a dev-ops person who could not understand why these rules block my home IP from my App Engine Standard F1 instance.
Priority T Action IP range
2000 Allow XX.X.XX.XXX
2001 Allow xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:xxxx // my V6 IP
default Deny *
When adding the V6 IP, I am allowed access but with strange errors, e.g. refreshing the page shows a path error. But browsing there (or to any path) loads just fine.
Error: Not Found
The requested URL /feed was not found on this server.
Without the V6 IP (and only the V4 IP allow rule) I cannot access the instance.
How can I whitelist my own IP for access?
As reviewed in the comments, from the test I've made, I can confirm that connections are preferred to be done over IPv6 rather than IPv4.
As pointed out by this answer:
The first thing that a client determines is which protocols are available. ...It will then do a DNS lookup for both the A (IPv4 address) and AAAA (IPv6 address) records. If only one type is returned then it will use that. If both IPv4 and IPv6 addresses are returned the default behaviour depends a bit on the client software. Usually RFC 3484 is used.
According to the official standards it should prefer IPv6...
You can confirm this behaviour by checking in the logs the IP address that reaches the service whose firewall rules you are testing (e.g. the default service), using the Logs Viewer.
Look for a log entry that matches a request you made (e.g. to the / root directory).
To show the latest logs, click Jump to now.
Under httpRequest on the field remoteIp you could check the IP address that your machine is using to access App Engine.
In order to do this, delete the rules you've created and change the default rule to Allow.
I read into this article:
How to properly configure VPC firewall for App Engine instances?
This was a huge help in getting the firewall setup in the first place - so for those who have found this and are struggling with that - follow along. https://cloud.google.com/appengine/docs/flexible/python/using-shared-vpc is a good reference, as there are some accounts that need permissions "added" to make the magic happen.
My issue - I have two containerized services running in AppEngine one default (website), one API. I've configured the API to run in a VPC/subnet separate from the default created one. I have not made any changes to the firewall settings directly hanging off the App Engine settings as those are global, and do not let you target a specific instance - and the website needs to remain public, while the API should require whitelisting access.
dispatch.yaml for configuring subdomain mapping
dispatch:
  - url: "www.example.com/*"
    service: default
  - url: "api.example.com/*"
    service: api
API yaml settings:
network:
  name: projects/mycool-12345-project/global/networks/apis
  subnetwork_name: apis
  instance_tag: myapi
Create a VPC network
name - apis
subnet name - apis
creation mode - automatic
routing mode - regional
dns policy - none
max MTU - 1460
Add firewall rules
allow 130.211.0.0/22, 35.191.0.0/16 port 10402,8443 tag aef-instance priority 1000
deny 0.0.0.0/0 port 8443 tag myapi priority 900
allow 130.211.0.0/22, 35.191.0.0/16 port 8443 tag myapi priority 800
This works, but I cannot specify the "white list IP".
If I do the following and disable the "allow 130 / 35 networks 8443/800" rule:
allow my.ip.number.ihave port 8443 tag myapi priority 800
it never trips this rule; it never recognizes my IP.
What change is needed / how do you configure the firewall in the VPC so it receives the public IP? When I reviewed the logs, it said it denied my request because my IP address was 35.x.x.x.
I would recommend contacting GCP support in that case. If I'm not wrong, you can directly whitelist the IP addresses at App Engine level, but it's not a standard procedure.
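Both firewall questions above (the IPv4-only allow rule on App Engine and the home-IP allow at priority 800 in the VPC) turn on which source address the rule list is evaluated against. The following is an added example, not code from either post or from Google: a simplified first-match model, assuming the lowest priority number is evaluated first, using constructed addresses and the assumption that the API instance carries both the aef-instance and myapi tags.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    priority: int                    # lower number is evaluated first
    action: str                      # "allow" or "deny"
    sources: tuple                   # source CIDR strings
    ports: Optional[tuple] = None    # None means any port
    tag: Optional[str] = None        # None means the rule applies to every target

def evaluate(rules, src, port, tags=(), default="deny"):
    """Return (action, priority) of the first rule matching the packet."""
    addr = ipaddress.ip_address(src)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.tag is not None and rule.tag not in tags:
            continue
        if rule.ports is not None and port not in rule.ports:
            continue
        for cidr in rule.sources:
            net = ipaddress.ip_network(cidr)
            if net.version == addr.version and addr in net:
                return rule.action, rule.priority
    return default, None

# Constructed addresses: documentation prefixes stand in for the home IPs,
# 35.191.0.10 for the 35.x.x.x source address the VPC log reported.
HOME_V4, HOME_V6, FRONT_END = "203.0.113.7", "2001:db8::7", "35.191.0.10"
GOOGLE_RANGES = ("130.211.0.0/22", "35.191.0.0/16")
API_TAGS = ("aef-instance", "myapi")   # assumption: the API instance carries both tags

# App Engine firewall from the IPv4/IPv6 question, default action Deny.
gae_v4_only = [Rule(2000, "allow", (HOME_V4 + "/32",))]
gae_dual = gae_v4_only + [Rule(2001, "allow", (HOME_V6 + "/128",))]

# VPC rules from the API question, as posted and with the priority-800
# rule swapped for a home-IP allow.
vpc_posted = [
    Rule(1000, "allow", GOOGLE_RANGES, (10402, 8443), "aef-instance"),
    Rule(900, "deny", ("0.0.0.0/0",), (8443,), "myapi"),
    Rule(800, "allow", GOOGLE_RANGES, (8443,), "myapi"),
]
vpc_home_only = vpc_posted[:2] + [Rule(800, "allow", (HOME_V4 + "/32",), (8443,), "myapi")]

if __name__ == "__main__":
    print(evaluate(gae_v4_only, HOME_V6, 443))                 # client arrived over IPv6
    print(evaluate(gae_dual, HOME_V6, 443))
    print(evaluate(vpc_posted, FRONT_END, 8443, API_TAGS))
    print(evaluate(vpc_home_only, FRONT_END, 8443, API_TAGS))  # source is the front end
```

In the last case the home-IP rule is never reached by a matching packet, so the priority-900 deny decides, which is the denial the log reported.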
I have a question regarding IP addresses in Google App Engine. I know there is no way to have a static IP address, but my client has set up a Custom Domain with some IP addresses showing up. My problem is:
There is an endpoint (API) that they are connected to; the problem is that the destination requires an IP address and port to open in their firewall policy. Since there is no "Static IP" on Google App Engine, can I use those IP addresses showing under "data" in Google App Engine in Custom Domains?
Because when I enter the domain in my web browser I see the same IP listed in Custom Domain. Can I send over those IP addresses rather than the pool of IPs from running: nslookup -q=TXT _cloud-netblocks.googleusercontent.com 8.8.8.8 Because those domains listed in nslookup are not shown in the network (remote address).
Thanks!
The result of running nslookup -q=TXT _cloud-netblocks.googleusercontent.com 8.8.8.8 is not static. Google may introduce new _cloud-netblocks entries at any time.
In the Google Cloud documentation section Static IP Addresses and App Engine apps is the recommended approach to retrieve the IPs. You will have to run:
nslookup -q=TXT _cloud-netblocks.googleusercontent.com 8.8.8.8
And then, from the response, you'll have to query each of the _cloud-netblocksN listed. Let's take this query response as an example:
Non-authoritative answer:
_cloud-netblocks.googleusercontent.com text = "v=spf1 include:_cloud-netblocks1.googleusercontent.com include:_cloud-netblocks2.googleusercontent.com include:_cloud-netblocks3.googleusercontent.com ?all
There are 3 _cloud-netblocksN listed, so you'll have to query them:
nslookup -q=TXT _cloud-netblocks1.googleusercontent.com 8.8.8.8
nslookup -q=TXT _cloud-netblocks2.googleusercontent.com 8.8.8.8
nslookup -q=TXT _cloud-netblocks3.googleusercontent.com 8.8.8.8
The SPF records returned from the query of each of those above entries will be IP ranges that you can use for App Engine.
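The lookup chain in this answer, as an added example that is not part of the original answer: it follows include: mechanisms from the top-level record and collects the ip4:/ip6: ranges into an allowlist. The TXT records are constructed (documentation prefixes, not Google's real netblocks), and lookup_txt is a hypothetical callable that a live run would back with a DNS resolver.

```python
import ipaddress

# Constructed TXT records standing in for DNS answers.
SAMPLE_TXT = {
    "_cloud-netblocks.googleusercontent.com":
        "v=spf1 include:_cloud-netblocks1.googleusercontent.com "
        "include:_cloud-netblocks2.googleusercontent.com ?all",
    "_cloud-netblocks1.googleusercontent.com":
        "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ?all",
    # Re-includes netblocks1 to exercise the repeat/loop guard.
    "_cloud-netblocks2.googleusercontent.com":
        "v=spf1 ip6:2001:db8::/32 include:_cloud-netblocks1.googleusercontent.com ?all",
}

def expand_netblocks(name, lookup_txt, seen=None):
    """Follow include: mechanisms from `name`; return the ip4/ip6 networks found."""
    seen = set() if seen is None else seen
    if name in seen:                       # already visited: avoid loops and repeats
        return []
    seen.add(name)
    record = lookup_txt(name)
    if not record or not record.startswith("v=spf1"):
        return []                          # missing or non-SPF record contributes nothing
    networks = []
    for term in record.split()[1:]:
        mech, _, value = term.partition(":")
        if mech in ("ip4", "ip6"):
            networks.append(ipaddress.ip_network(value, strict=False))
        elif mech == "include":
            networks.extend(expand_netblocks(value, lookup_txt, seen))
    return networks

def allowlist(name, lookup_txt):
    """Sorted, de-duplicated CIDR strings for a firewall allowlist."""
    return sorted({str(net) for net in expand_netblocks(name, lookup_txt)})

if __name__ == "__main__":
    for cidr in allowlist("_cloud-netblocks.googleusercontent.com", SAMPLE_TXT.get):
        print(cidr)
```

Because the published ranges change over time, an allowlist built this way has to be regenerated on a schedule and compared against the previous run.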
The static IP address for AppEngine is now* possible using serverless NEG with Load Balancer.
See more on https://stackoverflow.com/a/62660953/4185100
Using this method, it is also possible to configure multiple domains/sub-domains with HTTPS load balancer which points to internal serverless resources (different AppEngine services, Cloud functions, etc)
Trying to connect to a React app that is running inside a VirtualBox with Ubuntu 18.04.
Did the network config on virtualbox by adding a second network configured via NAT and added all my forwarded ports.
Ports forwarded:
Server ports listening:
Result when trying to connect to port:
My problem is that all the other ports that I am forwarding work perfectly except for 3000 or 3001, which are both react apps.
What am I doing wrong?
You should specify Host IP and Guest IP in port forwarding.
To define Guest IP you need to call ifconfig command via console and find inet addr. In my case it equals to 10.0.2.15.
Your Host IP is 192.168.0.6 based on the screenshot above.
I tried using these guides:
https://cloud.google.com/dns/quickstart
https://cloud.google.com/dns/migrating
When I ping my domain, I get a response from my compute-engine external IP address, but my WebApp is not loading.
Am I missing something? I get ERR_CONNECTION_REFUSED
There is not enough information to definitely say what the issue is, but here are some suggestions to troubleshoot.
Have your registrar's name server records been updated?
Make sure the following consistently returns Google's name servers for your zone
$ dig +short NS example.com
Have Google's name server propagated the change?
List your Google name servers -
$ gcloud dns managed-zones describe examplezonename
Verify they have propagated -
$ dig example.com @your_zone_nameserver
Are your A and CNAME records set correctly?
Next you should verify that the DNS reply returns the correct A and CNAME entries.
$ dig example.com A
$ dig example.com CNAME
Have you configured your IP and Firewall settings correctly?
You can follow the troubleshooting guide here or update your question with more details.
It appears that your web server may not be set up correctly and there does not seem to be any process listening on either port 80 or 443.
$ nmap queguia.com
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-03 12:16 PDT
Nmap scan report for queguia.com (35.184.29.62)
Host is up (0.15s latency).
rDNS record for 35.184.29.62: 62.29.184.35.bc.googleusercontent.com
Not shown: 996 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp closed http
443/tcp closed https
3389/tcp closed ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 10.21 seconds
Caveats
Please also keep in mind that DNS entries are cached and it can take some time for your changes to take effect.
Pings of your external IP are most likely answered by a load balancer and not your instance specifically.
Google Enterprise Support:
All App Engine services run by default (domain.appspot.com). In order to map your service on your own domain name, please read the following article https://cloud.google.com/appengine/docs/standard/python/console/using-custom-domains-and-ssl