Easiest way to have proper HTTPS with a custom domain on GAE? - google-app-engine

My website runs on Google App Engine and is so far accessed via HTTP. I would like to change that to HTTPS. However, using the appspot.com domain instead of my own domain is not an option for me.
Is there any straightforward way to do so without having to deal with manually managing (updating etc.) certificates?

Now, when you build apps on App Engine, SSL is on by default — you no longer need to worry about it or spend time managing it. We’ve made using HTTPS simple: map a domain to your app, prove ownership, and App Engine automatically provisions an SSL certificate and renews it whenever necessary, at no additional cost. Purchasing and generating certificates, dealing with and securing keys, managing your SSL cipher suites and worrying about renewal dates — those are all a thing of the past.
To get started with App Engine managed SSL certificates, simply head to the Cloud Console and add a new domain. Once the domain is mapped and your DNS records are up to date, you’ll see the SSL certificate appear in the domains list. And that’s it. Managed certificates is now the default behavior — no further steps are required!
https://cloudplatform.googleblog.com/2017/09/introducing-managed-SSL-for-Google-App-Engine.html

No. You have to buy and upload your own certificate. The process is quite straightforward, though.

Related

Google App Engine managed security only works for 'www' alias

Google is now offering, in beta, a managed security service for automated deployment of SSL certificates to GAE apps, which are currently signed by Let's Encrypt. The managed security service is a really good idea, particularly for Windows users, who cannot easily generate SSL certificates through the Let's Encrypt service.
I currently have one custom domain mapping to my GAE app plus its www alias (which means that both 'customdomain.com' and 'www.customdomain.com' map to my app). Also, I have enabled managed security for both of them.
Unfortunately, an HTTPS connection is enforced only if one accesses my app using the www alias (www.customdomain.com). If one does not determine a subdomain (customdomain.com), the connection served is insecure. Of course, one can enforce an HTTPS connection (by adding 'https://' before 'customdomain.com').
Why is that happening? Is that a service bug?
As of September 2017, Google Cloud Platform has introduced Managed SSL which should implement SSL to your custom domain by default.
Below is an extract from this instructional post:
Now, when you build apps on App Engine, SSL is on by default — you no longer need to worry about it or spend time managing it. We’ve made using HTTPS simple: map a domain to your app, prove ownership, and App Engine automatically provisions an SSL certificate and renews it whenever necessary, at no additional cost. Purchasing and generating certificates, dealing with and securing keys, managing your SSL cipher suites and worrying about renewal dates — those are all a thing of the past.
You can specify the paths that you wish to be secured inside the app.yaml:
handlers:
- url: /.*
  script: main.app
  secure: always
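The `secure: always` handler setting makes the App Engine front end answer a plain-HTTP request with a redirect to the same URL over HTTPS. The same check can be done inside the application, which is handy for confirming that every hostname mapped to the app (the naked domain as well as the www alias) ends up on HTTPS regardless of how the handler list is configured. The WSGI middleware below is an added example written for this page, not code from the thread or from App Engine; it assumes the platform front end reports the original scheme in an `X-Forwarded-Proto` header, and the one-year HSTS value is an assumed policy choice.

```python
"""Application-level HTTPS enforcement for an App Engine WSGI app.

Added example, not code from the original thread. It mirrors what
`secure: always` does at the App Engine front end: a request that
arrived over plain HTTP gets a 301 to the https:// form of the same
URL, and responses served over HTTPS carry Strict-Transport-Security
so returning browsers never make the insecure hop again.
Assumption: TLS terminates at the platform front end, which records the
client-facing scheme in X-Forwarded-Proto; wsgi.url_scheme is the fallback.
"""
from urllib.parse import quote

HSTS_VALUE = "max-age=31536000; includeSubDomains"   # one year; assumed policy


def request_is_https(environ):
    """True if the hop from the browser used TLS.

    Trusting X-Forwarded-Proto is only safe when nothing but the platform's
    own front end can reach the app; behind an untrusted proxy it must not be
    honoured, because any client could set it.
    """
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    if forwarded:
        # Several proxies may append to the header; the first entry is the
        # client-facing one.
        return forwarded.split(",")[0].strip().lower() == "https"
    return environ.get("wsgi.url_scheme", "http") == "https"


def https_url(environ):
    """Rebuild the request URL with an https scheme, keeping path and query."""
    # The Host header is trusted here because App Engine only routes hostnames
    # that are mapped to the app; elsewhere validate it against an allow-list.
    host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
    path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "/"))
    query = environ.get("QUERY_STRING", "")
    url = "https://" + host + path
    if query:
        url += "?" + query
    return url


class RequireHTTPS:
    """WSGI middleware: redirect plain HTTP, add HSTS to HTTPS responses."""

    def __init__(self, wsgi_app):
        self.wsgi_app = wsgi_app

    def __call__(self, environ, start_response):
        if not request_is_https(environ):
            location = https_url(environ)
            body = b"Redirecting to " + location.encode()
            start_response("301 Moved Permanently", [
                ("Location", location),
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]

        def secure_start_response(status, headers, exc_info=None):
            headers = list(headers) + [("Strict-Transport-Security", HSTS_VALUE)]
            return start_response(status, headers, exc_info)

        return self.wsgi_app(environ, secure_start_response)


def hello_app(environ, start_response):
    """Stand-in for the real application (main.app in the app.yaml above)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over TLS"]


app = RequireHTTPS(hello_app)


def call(environ, wsgi_app=app):
    """Run one request offline and return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(wsgi_app(environ, start_response))
    return captured["status"], captured["headers"], body
```

Exposing `app` as the module attribute keeps the `script: main.app` handler unchanged; only the object behind it gains the redirect and the HSTS header.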

GAE custom domain wildcard subdomain issues

While playing around with GAE custom domain setup in hopes of building a multi-tenant application, I noticed that wildcard subdomains don't quite work as documented.
For example, if one configures the domains *.dev.example.com and *.qa.example.com, you would expect dev.example.com to automatically serve the default service deployed in App Engine. I noticed, however, that recently I would have to explicitly enter default.dev.example.com. This is not what has been documented.
Does anyone understand why this is now the case? The domains are verified with DNS configuration on the Google DNS service. All works as expected, meaning that I can reach all other services on the domain, but the default service is not automatically being served.
After various attempts, I eventually purchased some Google support time. The solution to this is that you need to create and map both a wildcard domain and a naked domain. Therefore, one will need to have both
*.dev.example.com and dev.example.com
This is of course tedious; the good news is that Google is running alpha testing on an API that allows domain mapping to happen automatically. Register here.
Soon multi-tenant application deployments will require no manual intervention.

Is it possible to have https://yourdomain.com on an App Engine site?

I know the Google App Engine docs say you can only have HTTPS on your foo.appspot.com domain, not with a custom domain.
But is it possible (and safe) to host a custom domain somewhere else, and set it up to proxy all HTTPS requests to https://foo.appspot.com?
If so, how would you recommend setting it up? And would it be much slower, compared to using https://foo.appspot.com directly?
Yes, it's possible to do this. It's secure if you trust your proxy and you use SSL from the proxy to the app. It will be noticeably slower, since there's a longer path between your user and your app. In addition, unless you get multiple proxies, all your traffic will have to go via a single global location, whereas the appspot domain is served from frontends all round the globe.

Secure login on your domain with Google App Engine

We are starting a very large web based service project. We are trying to decide what hosting environment to use. We would really like to use Google App Engine for scalability reasons and to eliminate the need to deal with servers ourselves.
Secure logins/registrations is very important to us, as well as using our own domain. Our target audience is not very computer savvy. For this reason, we don't want to have the users have to sign up with OpenID as this can't be done within our site. We also do not want to force our customers to sign up with Google.
As far as I can see, I am out of luck. I am hoping to have a definite answer to this question. Can I have an encrypted login to our site accessed via our domain, without having to send the customers to another site for the login (OpenID/Google).
Thanks.
The hardest part is getting around the cookie issue. While you can do secure and custom logins against https://yourdomain.appspot.com, you cannot set a cookie there that will work on http://yourdomain.com.
Here is what I propose:
When you need to log the user in, send them to https://yourdomain.appspot.com. If they enter the credentials properly, create a one-time token and place it either in the datastore or in memcache. Give it a lifetime of a few seconds.
Then redirect the user back to http://yourdomain.com/authenticate?token=mytoken (obviously substitute the names as appropriate), check to make sure that the token is valid and has not expired, and if all is clear, set the appropriate cookies and expire the token.
I think that'd work just fine. Hope it helps!
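The handoff described in the answer above, worked through as an added example (not code from the thread): the login form on https://yourdomain.appspot.com issues a random token with a lifetime of a few seconds, redirects the browser to http://yourdomain.com/authenticate?token=..., and the custom-domain side redeems the token exactly once before setting its own session cookie. The in-memory `HandoffStore` stands in for the datastore or memcache entry, the `/authenticate` path and the function names are this example's own, and the clock is injectable so that expiry and replay can be exercised offline.

```python
"""Cross-domain login handoff with a short-lived, single-use token.

Added example illustrating the flow in the answer above; it is not code
from the original thread. The session cookie must be set on plain
http://yourdomain.com, so the appspot side issues a token and the
custom-domain side redeems it. HandoffStore is an in-memory stand-in for
the datastore/memcache entry; `now` is injectable so the test clock can
be advanced. Path and function names are this example's own.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode

TOKEN_TTL_SECONDS = 10                              # "a lifetime of a few seconds"
RETURN_URL = "http://yourdomain.com/authenticate"   # assumed path on the custom domain


class HandoffStore:
    """Maps unguessable tokens to (user_id, expires_at); a token is consumed on first use."""

    def __init__(self, now=time.time):
        self._now = now
        self._tokens = {}

    def issue(self, user_id):
        # The token is the only secret protecting the handoff, so it must be
        # unguessable: 32 random bytes, not a counter or a hash of the username.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token):
        """Return the user_id for a live token, or None. The token is removed either way."""
        entry = self._tokens.pop(token, None)     # pop: a replayed token finds nothing
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id


def login_redirect(store, user_id):
    """appspot side: after the credential check succeeds, issue a token and
    return the URL the browser is redirected to."""
    return RETURN_URL + "?" + urlencode({"token": store.issue(user_id)})


def token_from_query(query_string):
    """custom-domain side: extract the token from the /authenticate query string."""
    return parse_qs(query_string).get("token", [None])[0]


def authenticate(store, token):
    """custom-domain side: redeem the token; on success return the user and the
    Set-Cookie value for the real session, otherwise None."""
    user_id = store.redeem(token)
    if user_id is None:
        return None
    session_id = secrets.token_urlsafe(32)
    # No Secure flag: this cookie is for plain http://yourdomain.com, which is
    # exactly the limitation the handoff works around.
    return {"user_id": user_id,
            "set_cookie": f"session={session_id}; Path=/; HttpOnly; SameSite=Lax"}


def simulate_handoff():
    """Walk through the flow with a fake clock and report each outcome."""
    clock = [1_000_000.0]
    store = HandoffStore(now=lambda: clock[0])

    url = login_redirect(store, "alice")
    token = token_from_query(url.split("?", 1)[1])
    first = authenticate(store, token)          # fresh token: accepted
    replay = authenticate(store, token)         # same token again: rejected

    stale_url = login_redirect(store, "bob")
    clock[0] += TOKEN_TTL_SECONDS + 1           # let bob's token expire unused
    stale = authenticate(store, token_from_query(stale_url.split("?", 1)[1]))

    return {
        "redirect_prefix_ok": url.startswith(RETURN_URL + "?token="),
        "first_user": first["user_id"] if first else None,
        "cookie_ok": bool(first) and first["set_cookie"].startswith("session="),
        "replay_rejected": replay is None,
        "expired_rejected": stale is None,
        "garbage_rejected": authenticate(store, "not-a-token") is None,
    }


if __name__ == "__main__":
    print(simulate_handoff())
```

The two properties worth checking are the ones `simulate_handoff` exercises: a token presented twice is refused the second time, and a token older than its lifetime is refused even though it was never used.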
As of June 27, 2012, App Engine supports SSL for custom domains.
http://googleappengine.blogspot.com/2012/06/google-app-engine-170-released-at.html
There is nothing stopping you from creating your own authentication/registration mechanism with Google App Engine. The only problem is that Google App Engine currently only supports HTTPS via https://yourid.appspot.com and not your Google Apps Domain (i.e. https://www.foobar.com). However, this is on the product roadmap for future support (SSL for third-party domains). Note, also on the product roadmap is built-in support for OAuth & OpenID.
Update: Another option may be to use a proxy server (like Apache with mod_proxy) and map your domain to the proxy server and then the proxy server can proxy the HTTP and HTTPS requests to Google App Engine. The requests could be proxied to the appspot.com domain behind the scenes. I haven't actually done this, but I believe it should work. However, this would give you a single point of failure at the proxy server which basically defeats the purpose of Google App Engine's high-availability and scalability. This would definitely just be a short-term solution until Google supports SSL for third-party domains or OpenID.
Depending on whether your threat model can accept a non-encrypted link on the "last hop" to GAE, you can use a proxy to handle SSL from the browser. Here's a HOWTO I wrote up on using CloudFlare to get always-on SSL:
http://blorn.com/post/20185054195/ssl-for-your-domain-on-google-app-engine
This isn't structurally any different than the way SSL from Google will work, it's just that Google-provided SSL will terminate within G's network rather than just outside it. If you're trying to protect against Firesheep, CloudFlare (or any other SSL proxy) will do fine. If you're worried about snoops on the trunk connection between CF and Google, you may want a more sophisticated solution.

Is it possible to install/access SSL for my Google App Engine app?

Since App Engine is so locked down I assume there is no way to set up an SSL certificate to allow credit card payments. In the absence of this, how is it possible to securely handle payments in an App Engine app?
http://code.google.com/appengine/docs/java/config/webxml.html#Secure_URLs says that
<ssl-enabled>true</ssl-enabled>
can be set in your appengine-web.xml file with *.appspot.com subdomains. Google had a typo in their opening tag on that page, just FYI.
For Google Apps you can't use HTTPS at all, but for appspot you can.
As far as using your own cert, you can't! For appspot, Google's cert is
not signed for your web-app's specific domain so it will cause a browser pop-up, but if accepted the page will load.
As of today, App Engine supports SSL on your own domain. See:
https://developers.google.com/appengine/docs/ssl
Note that there are two options. The more expensive (VIP - $99 per month) will work with all browsers, whereas the cheaper (SNI - $9 per month) doesn't work on some variations. See here:
http://en.wikipedia.org/wiki/Server_Name_Indication#Support
You can also use e.g. Cloudflare.com to front your app and provide SSL. Currently this is HTTPS to Cloudflare and then normal HTTP to App Engine. This will protect from any drive-by hacks but would be possible to intercept should an attacker somehow get between CF and GAE. This technique is described here:
http://blorn.com/post/20185054195/ssl-for-your-domain-on-google-app-engine