Google PubSub: SSL error when subscribing using an AppEngine push endpoint - google-app-engine

I created a topic which I subscribe to using a push endpoint. The endpoint is a simple AppEngine web service. The Google PubSub documentation states that endpoints must be secured by HTTPS.
I am not receiving any traffic to the push endpoint. The AppEngine web service shows no requests. I've verified through the Google PubSub dashboard that messages are being published on the topic successfully. The dashboard shows unreachable_ssl_error for push subscriptions. Why is Google PubSub reporting this error?
When I try to access the SSL AppEngine endpoint via a browser I receive an SSL cert error also. Is this normal for AppEngine sites?

As documented at https://cloud.google.com/appengine/kb/general#https, SSL is supported on App Engine, but in a somewhat peculiar way.
Specifically, and I quote...:
Note: After April 2013 Google does not issue SSL certificates for double-wildcard domains hosted at appspot.com (i.e. *.*.appspot.com). If you rely on such URLs for HTTPS access to your application, change any application logic to use "-dot-" instead of ".". For example, to access version v1 of application myapp use https://v1-dot-myapp.appspot.com.
Also look at the previous paragraph at this same URL about the need for secure in app.yaml and a link to language-specific instructions on exactly how to configure things, e.g. https://cloud.google.com/appengine/docs/python/config/appconfig#Python_app_yaml_Secure_URLs if you're programming in Python.
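The "-dot-" rule above is easy to get wrong in code that builds push endpoint URLs from a version or service name. The following is an added example (not code from the question or answer) that checks a push endpoint URL for the two problems this thread turns on: a non-HTTPS scheme, and a host with more than one label in front of appspot.com, which the single-wildcard certificate does not cover. The function names are hypothetical; the rewrite it proposes is the documented one, joining the labels with "-dot-".

```python
"""Check a Pub/Sub push endpoint URL for the App Engine double-wildcard
certificate problem and rewrite it to the documented '-dot-' form.

Added example; function names are hypothetical.  Google's wildcard
certificate covers *.appspot.com only, so a host such as
v1.myapp.appspot.com fails certificate validation (the unreachable_ssl_error
seen in the Pub/Sub dashboard).  The fix is v1-dot-myapp.appspot.com.
"""
from typing import Tuple
from urllib.parse import urlsplit, urlunsplit

APPSPOT_SUFFIX = "appspot.com"


def normalize_appspot_host(host: str) -> str:
    """Return host with every label in front of appspot.com joined by '-dot-'.

    Hosts outside appspot.com, or with a single label (myapp.appspot.com),
    are returned unchanged.
    """
    host = host.lower().rstrip(".")
    suffix = "." + APPSPOT_SUFFIX
    if not host.endswith(suffix):
        return host
    labels = host[: -len(suffix)].split(".")
    if len(labels) <= 1:
        return host
    return "-dot-".join(labels) + suffix


def check_push_endpoint(url: str) -> Tuple[bool, str, str]:
    """Validate a push endpoint URL.

    Returns (ok, reason, suggested_url).  ok is False when the URL is not
    https or uses a double-wildcard appspot host; suggested_url is the
    corrected URL in that case and the input URL otherwise.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        fixed_url = urlunsplit(("https",) + tuple(parts[1:]))
        return False, "push endpoints must use https", fixed_url
    host = parts.hostname or ""
    fixed_host = normalize_appspot_host(host)
    if fixed_host != host:
        netloc = fixed_host if parts.port is None else f"{fixed_host}:{parts.port}"
        fixed_url = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
        return False, "double-wildcard appspot host is not covered by the SSL certificate", fixed_url
    return True, "ok", url


if __name__ == "__main__":
    for candidate in ("https://v1.myapp.appspot.com/pubsub/push",
                      "http://myapp.appspot.com/pubsub/push",
                      "https://myapp.appspot.com/pubsub/push"):
        print(candidate, "->", check_push_endpoint(candidate))
```

The check runs before the subscription is created, which is the only point at which the error is cheap to fix; once Pub/Sub reports unreachable_ssl_error, every delivery attempt has already failed.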

Related

Google App Engine and GCP Load Balancer request inspection

I have an API running in Google App Engine and I want to introspect HTTP POST body to reject poorly formed calls before it hits my API running in app engine. Is there a way to front an App Engine application whereby I can introspect the URI, the POST body and return a 400 without it actually being processed by my code running in App Engine? Please let me know, thanks.
If you want to inspect HTTP, then you will need to write a proxy application to do so. Neither the Google Cloud Load Balancer nor App Engine support hooking HTTP requests.
Proxies have the MITM (Man In The Middle) problem in that HTTP traffic is often encrypted. You will not be able to inspect that traffic unless your proxy is the endpoint. If you implement your proxy with Apache or Nginx then you can use the ModSecurity project.
Basically, you want to implement a WAF. Google offers Cloud Armor which supports inspecting traffic via Cloud Armor rules.

Custom domains / catch all hostnames on Google App Engine

I'm trying to configure my Google App Engine instance with Cloudflare for Saas, and more precisely Cloudflare's SSL for SaaS offering. The objective being that I can provide to my customer a "custom domain" (also known as "vanity domain"), such that they don't go to dashboard.mywebsite.com, but instead app.customerwebsite.com.
Configuration part
To make sure that my App Engine instance is correctly serving content on dashboard.mywebsite.com, I've made the following:
On Google Cloud side:
I've configured the custom domain dashboard.mywebsite.com.
I've let Google manage the SSL configuration (no custom key/certificate)
Here is my app.yaml configuration file:
runtime: nodejs14
env_variables:
  NODE_ENV: 'production'
basic_scaling:
  max_instances: 10
  idle_timeout: 5m
On Cloudflare side:
I've updated the DNS records so that dashboard.mywebsite.com is perfectly working
I've configured the SSL on the Full mode (while I've tried with Flexible as well - both work)
I waited for a few hours and I confirm that dashboard.mywebsite.com resolves correctly and serves my content (from Google App Engine).
Next, custom domains
According to Cloudflare documentation, I had to register the fallback origin (i.e. dashboard.website.com) and then configure a custom hostname (e.g. app.customerwebsite.com). Which I did.
Now, according to Cloudflare documentation again, my customer has to create a CNAME record. Which I did with a domain of mine:
app.customerwebsite.com CNAME dashboard.mycompany.com
The issue
I waited a few hours again. Then, when I open app.customerwebsite.com in my browser, it shows a Google 404 error page instead of my dashboard. Which makes me think that Cloudflare successfully "redirects" the traffic to Google, but App Engine refuses to serve it. Probably because it doesn't know app.customerwebsite.com?
Any thoughts that would help?
As you noticed, the issue is not related to Cloudflare, but to App Engine. The problem with your configuration is that, when App Engine receives a request, it forwards the request to the right instance based on the Host header.
App Engine lets you map any custom domains that have been previously validated by Google. But in your situation, that would mean you have to register each custom domain of your customers on your App Engine instance. That's too cumbersome (if even possible).
What you need to do instead is the following:
enable a static IP address with Google Cloud
change your DNS record from dashboard CNAME ghs.googlehosted.com to dashboard A YOUR_IP_ADDRESS
configure a Google Cloud Load Balancer to map requests received on that IP address to your App Engine instance.
Google's documentation has a great guide on how to set up a load balancer with Cloud Run. By changing a few settings it works great with App Engine. As an extra help, below are the configuration details of our load balancer that allows us to provide vanity domains / custom domains to our customers through Google Cloud:
Again, the load balancer is here responsible to map all requests received by your IP address (no matter the Host header) straight to your App Engine instance.
As a best practice, it might be useful to push a dispatch.yaml file to your instance:
dispatch:
  - url: '*/*'
    service: default
Which tells App Engine to send all requests to the default service. It works a bit like wildcard virtual hosts on an Apache server.
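The answer's DNS step is the one that is easy to leave half done: a customer CNAME that still ends at ghs.googlehosted.com hands the request to App Engine, which routes on the Host header and returns the 404 from the question. The following is an added example (not from the answer) that follows a vanity hostname's CNAME chain against a small constructed zone and reports whether it terminates at the load balancer's static IP. The zone records and addresses are constructed; the function names are hypothetical.

```python
"""Follow a vanity hostname's CNAME chain and check where it ends.

Added example.  ZONE is a constructed stand-in for live DNS.  The check
encodes the answer's point: app.customerwebsite.com must resolve, through
the fallback origin, to the load balancer's static IP, not to
ghs.googlehosted.com, because App Engine 404s hostnames it does not know.
"""
from typing import Dict, List, Tuple

MAX_CHAIN = 8  # guard against CNAME loops and absurdly long chains

# Constructed zone data: owner name -> (record type, target)
ZONE: Dict[str, Tuple[str, str]] = {
    "app.customerwebsite.com.": ("CNAME", "dashboard.mycompany.com."),
    "dashboard.mycompany.com.": ("A", "203.0.113.10"),        # after the fix: static IP
    "old.mycompany.com.": ("CNAME", "ghs.googlehosted.com."),  # before the fix
    "ghs.googlehosted.com.": ("A", "198.51.100.1"),            # placeholder address
    "loop-a.example.": ("CNAME", "loop-b.example."),
    "loop-b.example.": ("CNAME", "loop-a.example."),
}


def resolve_chain(name: str, zone: Dict[str, Tuple[str, str]] = ZONE) -> List[str]:
    """Return the names visited from `name` down to the terminal address.

    Raises LookupError for a missing record and RuntimeError for a loop or
    an over-long chain (the usual symptom of a dangling or misconfigured CNAME).
    """
    name = name.lower().rstrip(".") + "."
    chain = [name]
    seen = {name}
    while True:
        if name not in zone:
            raise LookupError(f"no record for {name}")
        rtype, target = zone[name]
        if rtype == "A":
            return chain + [target]
        if target in seen or len(chain) >= MAX_CHAIN:
            raise RuntimeError(f"CNAME loop or chain too long at {name}")
        seen.add(target)
        chain.append(target)
        name = target


def vanity_domain_ok(name: str, lb_ip: str,
                     zone: Dict[str, Tuple[str, str]] = ZONE) -> Tuple[bool, str]:
    """Return (ok, detail): ok only if the chain ends at the load balancer IP."""
    try:
        chain = resolve_chain(name, zone)
    except (LookupError, RuntimeError) as exc:
        return False, str(exc)
    if "ghs.googlehosted.com." in chain:
        return False, ("chain reaches ghs.googlehosted.com: App Engine will route on the "
                       "Host header and return 404 for an unregistered hostname")
    if chain[-1] != lb_ip:
        return False, f"terminal address {chain[-1]} is not the load balancer IP {lb_ip}"
    return True, " -> ".join(chain)


if __name__ == "__main__":
    for host in ("app.customerwebsite.com", "old.mycompany.com", "loop-a.example"):
        print(host, vanity_domain_ok(host, "203.0.113.10"))
```

Against real DNS the zone lookup would be replaced by a resolver query for each step, but the loop guard and the "must end at the load balancer" rule stay the same.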

Calling Google App Engine endpoint from Google Pub/Sub

I created a Google Pub/Sub push subscription which points to a Google App Engine endpoint, but GAE is not receiving anything.
The messages are being published (I can see it on the Pub/Sub console), but never acknowledged.
The endpoint URL should be correct since I made my GAE endpoint public and tested using Postman.
Does Google Pub/Sub not support calling Google App Engine endpoints?
Or am I missing something here?
I'd appreciate it if someone could help with this.
For a message to be acknowledged, it means it has to be received by the subscriber. How are you trying to do this? I ask because GAE (at least GAE standard) doesn't support streaming which means you can't have an indefinitely open connection listening for messages from pubsub.
Yes Google Pub/Sub supports calling to Google App Engine endpoints. I referred to this documentation.
As per the document, I used App Engine Flex Environment with Pub/Sub push subscription and I am able to fetch the messages that were published from Pub/Sub to the endpoint.
You can refer to the steps mentioned below:
Create one application using App Engine Flex Environment by referring to this document.
Deploy the application to GCP.
The files needed for application deployment are app.yaml, requirements.txt, main.py and index.html file inside a template folder.
Folder structure:
Demo/
    app.yaml
    requirements.txt
    main.py
    templates/
        index.html
Provide the Pub/Sub topic name and token id (should be the same as the Pub/Sub push endpoint token id) in the app.yaml file.
env_variables:
  PUBSUB_TOPIC: your-topic
  PUBSUB_VERIFICATION_TOKEN: 1234abcd
Run gcloud app deploy on the demo directory.
After the application is deployed, you will get an endpoint URL with the format: https://PROJECT_ID.REGION_ID.r.appspot.com
Example: https://mydemoproject.uc.r.appspot.com
Create a Pub/Sub topic and subscription and make the delivery type as push.
We need to provide a push endpoint with the format: https://mydemoproject.uc.r.appspot.com/pubsub/push?token=1234abcd
When an application is deployed in App Engine we can access that application at - https://PROJECT_ID.REGION_ID.r.appspot.com
The messages will be received by any of the instances of your application deployed in App Engine.
SSH into your instances and use the App Engine endpoint URL in the VM.
Output of instance 1:
Output of instance 2:
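The steps above hinge on what the /pubsub/push handler does with the token in the query string and with the message envelope. The block below is an added example, not the main.py from the Google sample the answer deploys: it verifies the token with a constant-time comparison, unwraps the Pub/Sub push envelope (the message data arrives base64-encoded), and returns 204 to acknowledge, 403 for a bad token and 400 for a malformed envelope. The token value is the one from the answer's app.yaml; make_envelope builds constructed sample input, and the function names are hypothetical.

```python
"""Handle a Pub/Sub push delivery: verify the shared token, unwrap the
envelope and choose the HTTP status to return.

Added example.  Pub/Sub treats any 2xx as an acknowledgement and retries
on anything else, so permanent rejections (bad token, bad envelope) get
4xx and transient failures should get 5xx.
"""
import base64
import binascii
import hmac
import json
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

PUBSUB_VERIFICATION_TOKEN = "1234abcd"  # value from the answer's app.yaml; use a random secret in practice

received: List[Dict] = []  # in-memory stand-in for the sample's message list


def make_envelope(data: bytes, message_id: str = "1", attributes: Dict[str, str] = None) -> bytes:
    """Build a push envelope the way Pub/Sub would (constructed sample input)."""
    return json.dumps({
        "message": {"data": base64.b64encode(data).decode("ascii"),
                    "messageId": message_id,
                    "attributes": attributes or {}},
        "subscription": "projects/PROJECT_ID/subscriptions/SUBSCRIPTION_ID",
    }).encode("utf-8")


BAD_BASE64_ENVELOPE = b'{"message": {"data": "!!!", "messageId": "2"}}'  # constructed


def token_from_url(url: str) -> str:
    """Extract ?token=... from the push endpoint URL ('' if absent)."""
    return parse_qs(urlsplit(url).query).get("token", [""])[0]


def decode_envelope(body: bytes) -> Dict:
    """Parse the push envelope; raise ValueError for anything malformed."""
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError(f"envelope is not JSON: {exc}")
    msg = doc.get("message") if isinstance(doc, dict) else None
    if not isinstance(msg, dict):
        raise ValueError("envelope has no message object")
    try:
        data = base64.b64decode(msg.get("data", ""), validate=True)
    except (binascii.Error, TypeError, ValueError) as exc:
        raise ValueError(f"message.data is not valid base64: {exc}")
    return {"data": data,
            "attributes": msg.get("attributes") or {},
            "message_id": str(msg.get("messageId", ""))}


def handle_push(url: str, body: bytes,
                expected_token: str = PUBSUB_VERIFICATION_TOKEN) -> Tuple[int, str]:
    """Return (status, text) for one push request."""
    presented = token_from_url(url)
    # Constant-time comparison so the check does not leak the token through timing.
    if not hmac.compare_digest(presented.encode("utf-8"), expected_token.encode("utf-8")):
        return 403, "invalid token"
    try:
        msg = decode_envelope(body)
    except ValueError as exc:
        return 400, str(exc)
    received.append(msg)
    return 204, ""


if __name__ == "__main__":
    endpoint = "https://mydemoproject.uc.r.appspot.com/pubsub/push?token=1234abcd"
    print(handle_push(endpoint, make_envelope(b"hello")))
    print(handle_push(endpoint.replace("1234abcd", "wrong"), make_envelope(b"hello")))
    print(handle_push(endpoint, BAD_BASE64_ENVELOPE))
```

The 400 for a malformed envelope is deliberate: a 5xx would make Pub/Sub redeliver the same unparseable message until the subscription's retention expires.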

How to setup custom domain with GAE?

I've followed the instructions and now I can access my GAE application with http://www.mydomain.com, but http://mydomain.com is not accessible - google (!) returns error 404. What have I missed in the setup?
Google App Engine doesn't support naked domains; you need to forward requests from http://mydomain.com to http://www.mydomain.com.

Does Google App Engine support SSL for apps hosted as mydomain.com?

From this question I learned that Google App Engine does not currently support SSL on "custom domains" (at least not as of June 2010, when that question was asked).
Does this mean if I want to host my GAE app on www.mydomain.com, I cannot use SSL?
A few days ago it went into testing.
Priority:
It is at the top of the Features on Deck list.
http://code.google.com/appengine/docs/roadmap.html
Simultaneous serving:
A custom domain hosted app such as http://www.mydomain.com can still be accessed on its ssl appspot subdomain such as https://yourapp.appspot.com
Issue:
http://groups.google.com/group/google-appengine/browse_thread/thread/844dc97fbfc57bab/0c8651f00072f9ea?lnk=gst&q=ssl#0c8651f00072f9ea
(As the others on here have said) SSL is not currently supported for your own domain. It is apparently on its way but has been for some time; I believe it is currently only available to a select few Google App Engine for Business customers.
The temporary solution which many (myself included) are using is to setup a reverse proxy from another hosting service (Amazon EC2 in my case) to route SSL traffic.
If your app suits the situation where your URLs are not of importance, you could setup an SSL site somewhere and access your https://xxx.appspot.com version from within an iframe
Either way, until GAE officially supports SSL via your Google Apps domains, you will need an external service to work around it.
Custom SSL is available for App Engine since 27 Jun 2012.
You can set it up from your domain's control panel:
https://developers.google.com/appengine/docs/ssl
All secure traffic with Google App Engine must be served from your appspot.com domain (https://your-app-id.appspot.com). If you are serving your app off of a Google Apps domain, you must direct all secure traffic through your app's appspot domain.
This is what is written in the Google App Engine documentation. That means SSL is supported on the appspot.com domain.
You can get SSL to work on your custom domain hosted on AppEngine; however, you need to run a reverse proxy that can modify the host header to do so. If you want to set up a reverse proxy yourself, you can do so following these instructions:
http://radomirml.com/2011/01/30/reverse-proxy-for-gae-application-using-nginx-and-ssl
Alternatively, you can use a reverse proxy service like CloudFlare. The process of getting SSL to work with an appspot.com domain is documented on the CloudFlare Blog:
http://blog.cloudflare.com/ssl-on-custom-domains-for-appengine-and-other
You can use wwwizer.com - it is a reverse proxy service with SSL.
You get an individual IP and it shows your app on both the http and https ports. It is cheaper and easier than hosting the whole server yourself.
This is my service, so, yes, this is blatant advertising :-)
Here's a HOWTO I wrote up explaining how to do SSL on your custom domain using CloudFlare:
http://blorn.com/post/20185054195/ssl-for-your-domain-on-google-app-engine
Since SDK 1.7.0, released at Google I/O, developers can serve their applications via HTTPS on custom domains using both SNI (Server Name Indication) and VIP (Virtual IP) based SSL.
