We are trying to add naked domain redirect to our custom domain. I followed the instructions on https:/ /support.google.com/a/answer/2518373?hl=en
but when I change the domain to redirect from:
http:/ /app-id=,domain=.example.io (which was auto filled)
to http://www.example.io, I get an error saying:
"""
Server error
We are unable to process your request at this time, please try again later.
"""
I'm not able to dig any deeper into the error or what is happening. My A records on the DNS provider point to the IP address specified by the App Engine. I also have SSL on this app, and https://www.example.io works fine. Its only https://example.io that gives me "Error code: ERR_CONNECTION_CLOSED" error.
It seems SSL on naked domains is not currently supported by App Engine. We have a similar issue, so our naked domain redirects to http://www.~ which then redirects to https://www.~
You might like to take a look at (and star) this issue.
Best free SSL redirect service I found was CloudFlare. To get it working:
Add your domain and switch your name servers to CloudFlare (signup process walks you through it)
Once added goto CloudFlare Settings and down to SSL. Change the setting to 'Full SSL (Strict)' this requires you to have a valid cert on the subdomain your redirecting to (SNI works fine).
Go back to your websites list, select the domain again and on the options goto page rules. Add a 'Forwarding' rule that redirects https://yourdomain.com/* to https://www.yourdomain.com/$1 (replace www with any subdomain), make sure the redirect is set to 301.
Save your settings and sit back and wait for everything to propagate.
Done. Free and secure SSL redirection for your naked domain.
As of September 2015, SSL is supported on naked domains by AppEngine.
Related
I've been struggling to find a solution for this issue. Basically I have web application that allows users to sign in with their azure active directory using OpenIdConnect. Everything works perfectly fine on my local. However, when deployed to azure aks, somehow the redirect url changes from https to http when user is authenticated. This causes an exception in azure ad:
AADSTS50011: The redirect URI 'http://example.abc.com/signin-oidc' specified in the request does not match the redirect URIs configured for the application 'c853f6fe-5f4a-436e-b329-ff6da9ab89ab'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.
I defined the redirect URI in the application as https://example.abc.com/signin-oidc and no wonder that it does not match. However, I'm struggling to find out why it's happening and how I can resolve it. I'm using .NET 6 and AKS client version 1.22.
Any help would be greatly appreciated. Thank you
AADSTS50011: The redirect URI 'http://example.abc.com/signin-oidc' specified in the request does not match the redirect URIs configured for the application 'c853f6fe-5f4a-436e-b329-ff6da9ab89ab'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.
The above error occurs usually when redirect Url in the authentication are not configured in Azure AD like.
Accessing Website from a different address than what you have defined for your application causes an error.
please check if you have made a mistake in the configuration itself.
From your case :
Please make sure you set ssl redirects url to True
Note:
By default controller redirects HTTP clients to 443 port -https ,if it has TLS is enabled
In ingress routing yaml file if it is set to false, try to set it or modify it to true
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/use-regex: "true"
Also as you said you are using .net make sure you have set headers to true.
Please check that header size in 32k in annotations.
nginx.ingress.kubernetes.io/proxy-buffer-size: "32k"
Reference:
Error AADSTS50011 - The reply URL specified in the request does not match the reply URLs configured for the application . - Active Directory | Microsoft Docs
I finally figured out the solution for myself. Thanks to the answer in other SOF
Since I'm using .NET 6, all I have to do is
Set the ASPNETCORE_FORWARDEDHEADERS_ENABLED = true AND
Add these two lines suggested from #Venkatesan to my ingress yml
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/use-regex: "true"
Everything works perfectly after that.
Thank you everyone.
On configured AKS there is docker container with application that is using AAD authentication.
Based on this article there is also configured ingress. API is working well.
When I add to Azure Active Directory application registration reply URL with https prefix I receive error "The reply url specified in the request does not match the reply urls configured for the application". And I see that in browser address line redirect_uri is starting with http.
When I add reply URL that is starting with http, then I receive "Exception: Correlation failed".
What I have tried: Add to ingress.yaml setting ingress.kubernetes.io/force-ssl-redirect: "true"
May be there is some way to force ingress run https instead of http, or there might be some AAD redirect configuration? Any ideas?
UPDATE 2: Probably http redirect is because of ADAL.
PS: Was able to find similar topic without an answer
UPDATE3:
I have decided not to use nginx as ingress. Instead I am using now Load balancer. Soon it would be possible to use Azure Application Gateway Ingress Controller
Have you tried this?
By default the controller redirects HTTP clients to the HTTPS port 443 using a 308 Permanent Redirect response if TLS is enabled for that Ingress.
This can be disabled globally using ssl-redirect: "false" in the NGINX config map, or per-Ingress with the nginx.ingress.kubernetes.io/ssl-redirect: "false" annotation in the particular resource.
More information on this on the Ingress documentation link.
You have to make a decision whether to use HTTPS or not. If this is just the start of a development cycle, start without it and get auth to work - but implement HTTPS as soon as possible.
AAD supports both http and https, but of course, the reply urls must be added to the application registration respectively.
As #mihail-stancescu says, ssl-redirect must be set to false, if you choose not to use HTTPS. In addition to this, you also have to ensure that your app does not make the redirect from HTTP to HTTPS.
Using curl with -L -k and -v options will give you a lot of information on what is actually happening with your requests.
When the http/https thing is solved, you have to remove any rewrite annotations you have in your ingress. (e.g. ingress.kubernetes.io/rewrite-target: / should be removed).
Now, if your ingress path to the service in question is e.g. /myservice, then the reply-url should also have that part of the path added ([host]/myservice/signin-oidc) - both in the AAD application registration and in the configuration of your app. (The path in the config should not contain the host)
If you are using https, then you must also have a proper certificate. You can use the free LetsEncrypt (https://letsencrypt.org/) in conjunction with KubeLego (https://github.com/jetstack/kube-lego), where you can find some nice examples on how to implement it.
I am trying to enable HTTPS on my Go App deployed to GAE flex environment. I have my custom domain successfully mapped, and am using Google-managed SSL certificates. I have app.yaml configured to redirect HTTP to HTTPS as follows:
handlers:
- url: /.*
script: _go_app
secure: always
Now there are two problems that I haven't been able to resolve so far.
First, the above configuration is supposed to redirect HTTP traffic to HTTPS, but apparently it is not happening.
Second, when I add https:// in the url box, I see three different behavior on Firefox, Chrome, and Edge. Edge identifies the website as secure, Firefox marks the website as secure connection, but says that it "has blocked parts of this page that are not secure", and surprisingly Chrome marks the website as Not secure (though it says certificate is valid!).
With these symptoms I was wondering if I should take additional steps to make redirecting and SSL work for my website? Specifically, I would like to know with App Engine, and managed SSL enabled:
Should I continue serving pages on HTTP using http.ListenAndServe(..), or need to switch to http.ListenAndServeTLS(..)?
In my Go app should I redirect HTTP to HTTPS? or the above setting is expected to work just fine?
Thanks in advance for your help and advice.
PS:
Trying out with different suggestions, I added Strict-Transport-Security: max-age=31536000; includeSubDomains to handlers' response. Does not seem if this helped with redirection either.
EDIT/PARTIAL ANSWER:
According to this documentation, under Authentication changes, the secure and login handlers are deprecated. The documentation suggests using Strict-Transport-Security or X-Forwarded-Proto instead.
I am using Strict-Transport-Security on the server side to enrich my response header:
func (h *STLHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
w.Header().Add("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
h.nextHandler.ServeHTTP(w, req)
}
I was wondering if I am using this header in the right place?
For the second set of my problems I realized I have mixed content on my page. My mixed content was a http link to a set of fonts. When I fixed the mixed content, i.e. changed http to https, both Chrome and Firefox security warnings disappeared. You may also find this page Avoiding the Not Secure Warning in Chrome useful on this matter.
You need to check your app using:
http://[YOUR_PROJECT_ID].appspot.com
Or if you nedd HTTPS:
https://[YOUR_PROJECT_ID].appspot.com
If you want your own certificate you will need to upload it and then be available to use: https://your-domain.tld
From the docs:
For APIs that will be hosted on App Engine flexible environment, you must use the appspot.com domain, and the service name must be in the following format:
YOUR_PROJECT_ID.appspot.com
When you deploy your API to App Engine, a DNS entry with a name in the format YOUR_PROJECT_ID.appspot.com is created automatically.
For APIs that will be hosted on Compute Engine, Kubernetes Engine, or Kubernetes, you must use the cloud.goog domain, and the service name must be in the following format:
YOUR_API_NAME.endpoints.YOUR_PROJECT_ID.cloud.goog
Or you could just put a CDN in front like Cloudflare which will do all the SSL termination for you and if required redirect all HTTP to HTTPS
I have a domain (let's say) example.com and I want to serve its content (mainly static files - client side app) from the naked domain. I also want to accept subdomains, so they will not end in error because of DNS or 404. It is common for users to put www in front of the domain (for whatever reason).
I did set up the custom domains in appengine console, the naked and also the * (wildcard). It shows what DNS records I need to have, so I set them up too... exactly the same, A/AAAA records pointing to appengine IPs and * CNAME to appengine alias (googlehosted).
I have read how it behaves by default on https://cloud.google.com/appengine/docs/domain?csw=1 and I would like to change it a bit. Now the page is accessible from all the domains example.com, www.example.com, blog.example.com etc.
What I would like is to redirect all request going to anything else than the naked domain to the naked domain without adding any script handler.
With Apache and modrewrite the solution is easy, as it has a RewriteCond %{HTTP_HOST} and RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]... but is it possible to do this with app.yaml? I couldn't find it at https://cloud.google.com/appengine/docs/python/config/appconfig.
I don't want to redirect in javascript (doesn't work for images, css, etc) and I don't like the idea of script handler for all the files, as it IMHO needs to have some performance penalty.
So, you seem to want to have any subdomains redirect to your naked domain, without needing to write a handler. While you could use a CNAME wildcard on subdomains in your zone file to direct to "#", the naked domain, this is inadvisable since not every provider supports it. You can read more about this strange edge case in an otherwise very standardized system like DNS here.
While you could use a dispatch file (python doc, but other languages have similar) to catch subdomain requests and send them to a special, simplified "3xx redirect to naked domain" module, short of hosting a GCE instance frontend running Apache, you won't be able to change the user's address bar with the CNAME method, although they will be directed to the IP addresses (A/AAAA records) specified at the apex level of your zonefile ("naked domain"), unless you implement such a module. Apache rewrite rules send exactly such HTTP 3xx responses which redirect the browser to change its URL and request the specified URL (in this case, your naked domain).
I would like to develop an "twitter-like" application where users can showcase their artwork on a simple interface like twitter. Obviously I also want to provide a simple URL for each user (e.g domain.com/myuser) but I found that GAE doesn't allow naked domains anymore so I did a DNS redirect as per google docs http://www.google.com/support/a/bin/answer.py?hlrm=en-in&answer=61057 so when users type domain.com they are redirected to www.domain.com.
The problem is that when they type domain.com/myuser they are redirected to www.domain.com too and the username is lost which is quite annoying so I would like to know if you can recommend me a feasible solution.
Should I catch the referrer URL to find what user was typed on the naked domain ? Is there any other solution ?
How URL forwarding works depends on the provider. If your provider doesn't include the path when sending a redirect, you should find one who does - zoneedit, for instance.
These guys also offer a free service that merely redirects (domain) to www.(domain) when it's IP is listed as an A DNS entry. http://wwwizer.com/