How to deploy Google Glass Java starter on AWS ec2 instance with raw IP address only? - google-mirror-api

Google Glass Java starter project -
How to enable callback to an Amazon ec2 instance when OAuth does not allow raw IP addresses?
I have deployed the starter code to jetty running on an AWS ec2 instance.
Given only the ip address, I created a new client id in API console to use with this instance, and updated the OAuth properties file.
When I hit the index.jsp, I got the following error message,
Error: invalid_request
Invalid parameter value for redirect_uri: Raw IP addresses not allowed: http://xx.xxx.xx.xxx:8080/oauth2callback
I have even tried URL shortening with goo.gl and bitly, which led to the same error message.
So what's the best work-around?

Like the error message says: Raw IPs are not allowed for OAuth 2.0 redirects.
To resolve this issue, specify a hostname. Amazon provides a really long hostname for every instance that is spun up. That will work fine. If you would like something prettier, you can point any domain or subdomain to that IP using a DNS A record.
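The rule behind that error, shown as an added example (not Google's code): a redirect_uri validator that rejects IP-literal hosts the way the authorization server does, and otherwise only accepts an exact match against the URIs registered for the client. The registered URIs below are constructed placeholders standing in for the ones entered in the API console.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for the redirect URIs registered for one client id
# (assumption: these are the values you would have entered in the console).
REGISTERED = {
    "https://ec2-203-0-113-10.compute-1.amazonaws.com:8080/oauth2callback",
    "https://glass.example.com/oauth2callback",
}


def is_raw_ip(host: str) -> bool:
    """True when the URL host is an IPv4/IPv6 literal rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_redirect_uri(uri: str, registered=REGISTERED) -> str:
    """Return 'ok', or the reason the redirect_uri would be rejected."""
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        return "invalid_request: unsupported scheme"
    host = parts.hostname  # lower-cased, port and IPv6 brackets stripped
    if not host:
        return "invalid_request: missing host"
    if is_raw_ip(host):
        # Mirrors the error quoted in the question: a hostname is required.
        return f"invalid_request: Raw IP addresses not allowed: {uri}"
    if parts.fragment:
        # RFC 6749 section 3.1.2: redirect URIs must not carry a fragment.
        return "invalid_request: fragment not allowed"
    # Exact string comparison, not prefix or substring matching, so an
    # attacker cannot smuggle a lookalike URI past the check.
    if uri not in registered:
        return "redirect_uri_mismatch"
    return "ok"
```

A DNS hostname pointing at the same instance (the long Amazon one or your own A record) passes the raw-IP check; the exact-match step still requires that hostname to be registered.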

Related

What is the equivalent of a hosts file mapping for AppEngine?

Our AppEngine app is connecting to a remote service which requires a VPN and also required me to add entries to the hosts file on my local machine in order to connect to their endpoints.
e.g.
10.200.30.150 foo.bar.com
This is working fine when running the app locally, but I can't figure out how to set this up on Google Cloud to work once deployed.
I can't use the IP addresses directly because it errors that the IP is not on the cert's list.
How do I map the host names to the IPs in Google Cloud so that AppEngine can use them?
From the error mentioned in the comment I suspect connecting directly through the IP fails because the certificate doesn't recognize the IP-to-DNS mapping as valid and therefore the secure connection setup breaks. Based on the requirements of connecting to the API by VPN and tweaking the hosts mapping, there are a few things you may try.
The simplest approach that may work would be using a Google Compute Engine VM instance, since there you would be able to manipulate the /etc/hosts file and replicate the local machine setup. This VM could be used either as the main app service or as a proxy from App Engine to the 3rd party API endpoint. To go that route I would suggest taking a look at these two posts which explain how to change the /etc/hosts file on GCE (changing the file once wouldn't work as the VM periodically overrides it; see the posts for a cronjob-like workaround).
Separately, as your app runs in the App Engine flexible environment there is the chance to provide a docker container with the app packaged. It may be possible to set the workaround above in the Dockerfile and have it working in App Engine too.

Provisioning SSL certs for Google App Engine app w/custom domain DNS

I purchased a custom domain mydomain.com w/Google Domains last year. Until earlier this week, I was hosting a small single-page React app on that domain (in a Cloud Storage bucket) that connected to a GAE Flask app backend. Wasn't using SSL anywhere. All was well.
I now wish to use SSL. Since I'm new to all of this stuff, I followed the documentation to map my custom domain and secure it with SSL using Google-managed SSL certs. During this process, I created my first load balancer in GCP, then updated my domain's DNS entries for @ A and www A to the LB's IP. The guides didn't say anything about changing the @ AAAA entries, so I left them in place. Cloud CDN is disabled. Google Domains DNS Settings:
When creating the Google-managed SSL cert, I entered both mydomain.com and www.mydomain.com since I want both addresses to be secured w/SSL. After a few hours, the domain status for www.mydomain.com became active, but the status is FAILED_NOT_VISIBLE for mydomain.com. Guessing this is the source of my problems? Google SSL Cert Statuses:
Troubleshooting tips for this error:
The SSL Certificate isn't attached to the load balancer's target proxy. To resolve this issue, update the load balancer configuration. Done, and confirmed via both the GCP UI and the gcloud cli.
The domain's DNS record doesn't resolve to the IP address of the Google Cloud load balancer. To resolve this issue, update the DNS records to point to the load balancer's IP address. Thought I did this too, see my GAE custom domain settings below:
Attempting to load to mydomain.com or www.mydomain.com in the browser yields:
This site can’t provide a secure connection
www.mydomain.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite.
It's been ~40hrs since I created the LB and updated the DNS settings for my domain, so I suspect the issue is my config and not DNS propagation. Where am I going wrong?
EDIT
Editing to clarify a few critical things:
1. I'm hosting my UI as a static website in a Google Cloud Storage bucket. Cloud Storage doesn't support HTTPS on its own, and therefore requires an HTTPS load balancer to work with custom domains.
2. If I wanted to go down this path, I'd need to ensure the load balancer pointed to my Cloud Storage bucket, which wasn't mentioned in my original post.
3. To roll back all changes from this SSL attempt, I'd need to update the @ A DNS entry to the GAE IP, then update the www CNAME entry to c.storage.googleapis.com.. Note this CNAME entry is for Cloud Storage, not for GAE.
I ended up aborting the SSL idea and going with #3 (for now). The app in question is for a personal project that doesn't deal with any sensitive info, so SSL really isn't necessary.
You’ve gone through the process and receive the message:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
I’ve found some information for you. The main points are listed below.
Verify SSL Status of Website,
Check for Certificate Name Not Matching
Verify TLS Version
Verify RC4 Cipher Suite
Manually Inspect Security Certificate
There is more detail in this document here

Google App Engine firewall and internal access and error 403

We have 2 app engine app (flex and standard) running on separate projects and we want project A to request project B with https to xxx.appspot.com URL.
Our firewall on both projects denies all IPs (*) and whitelists the App Engine internal addresses (10.1.0.41, 0.1.0.40, 10.0.0.1 and 0.1.0.30) as explained in the doc.
Yet we receive a "403 error forbidden access" (which disappears when disabling the firewall).
This post is similar to mine but the responses didn't help me.
Is there anything else I can do?
Did anyone get this to work?
Thank you in advance.
As you may already know, GCP Projects represent a trust boundary within an organization. Hence, inter-project communication between App Engine services would require Public IP communication or using Shared VPC, which allows connecting between networks from different projects. There should be no internal communication between App Engine Services over different projects. Hence, whitelisting App Engine internal IP addresses might not be useful in this situation.
As for using public App Engine IP addresses, as illustrated in this document: App Engine hosts services on a dynamic public IP address of a Google load balancer. Due to that, the IP address can change at any time and no static IP can be provided. For outbound services, a large pool of IP addresses is used, which you can obtain as outlined in this document.

Is it possible to forward CNAME to Google App Engine without adding custom domain

I have this problem when forwarding www CNAME to a Google App Engine application. It's not working maybe I am missing something.
Is it possible to forward CNAME to Google App Engine without adding custom domain?
The documentation you linked actually contains the answer to your question: You have to add a custom domain to your app with a wildcard.
And here is the reason why you have to add every domain to your custom domain.
When you create a cname it will always point to ghs.googlehosted.com. My guess is that the servers behind that domain are one huge load balancer, but that's not really important here. What is important is, that before your HTTP request is made the DNS name is resolved to an IP address. The range of IP addresses is the same for all appengine apps, so the server doesn't know that this particular request is intended for your app. However with that IP address a TCP connection is opened to the server. Now you send a request like:
GET / HTTP/1.1
HOST: www.yourcustomdomain.com
The server looks at the HOST part and must decide which app this request should be forwarded to. But it cannot know that if you didn't add your domain to the custom domains of your project. There simply is no information about where to route that request. So the simple answer is:
Yes you must add all your custom domains to your project, but you could use wildcards
No it will not work without that step, because the Google infrastructure houses tons of apps and your app does not have a dedicated IP address by which it could be identified
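The Host-based dispatch the answer describes, as an added example (not App Engine's code): a tiny router that parses the Host header out of a raw HTTP/1.1 request and forwards only to an app whose registered custom domains (exact or "*." wildcard) match it; any other host has no route, exactly the situation of a CNAME without a custom-domain mapping. The domain registrations are constructed, and the wildcard matching any number of labels is an assumption of this illustration.

```python
from typing import Optional

# Constructed custom-domain registrations, one list per app (hypothetical).
# A "*." prefix stands for a wildcard mapping added in the console.
CUSTOM_DOMAINS = {
    "shop-app": ["shop.example.com", "www.shop.example.com"],
    "blog-app": ["*.blog.example.org"],
}


def parse_host(raw_request: bytes) -> Optional[str]:
    """Return the lower-cased Host header without its port, or None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            if host.startswith("["):      # IPv6 literal: keep brackets intact
                return host
            return host.split(":", 1)[0]  # drop ":8080"-style port suffix
    return None


def matches(pattern: str, host: str) -> bool:
    """Exact match, or '*.example.com' matching at least one extra label."""
    if pattern.startswith("*."):
        suffix = pattern[1:]              # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def route(raw_request: bytes) -> Optional[str]:
    """Name of the app that owns the request's Host, or None (no route)."""
    host = parse_host(raw_request)
    if host is None:
        return None
    for app, patterns in CUSTOM_DOMAINS.items():
        if any(matches(p, host) for p in patterns):
            return app
    return None
```

The shared IP address plays no part in the decision: only the Host value and the registered domains do, which is why the DNS CNAME alone cannot make the request reach your app.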

GAE custom domain but with SMTP control

I understand that in order to link my domain to my GAE application I need to setup Google Apps according to this.
But Google Apps seems to take control of SMTP and email addresses. I need to have my own SMTP server in GCS, which is working perfectly right now using the static IP like someuser@xx.xx.xx.xx
What I need is to be able to enter my GAE web application through mydomain.com but at the same time be able to receive anyuser@mydomain.com at my SMTP instance at GCS. Is it possible?
Your email settings are determined by your registrar, not by Google Apps. If you don't want to use Gmail as your mail server, you simply keep your DNS records unchanged, as Xavier correctly suggested.