App Engine + HTTPS + PageSpeed = 403 Forbidden Error - google-app-engine

The application is on Google App Engine (Python 2.7, webapp2, HighReplication) working properly with HTTPS.
The HTTPS is configured in the app.yaml with the secure: always attribute, instead of schemes=['https'] in routes.
So far everything is OK. If I do a "curl -I HTTP://[MY_URL]", the answer is:
HTTP/1.1 302 Found
Location: HTTPS://[MY_URL]
This 302 is OK, because it means the resource has another location (with HTTPS).
But.... when I enable PageSpeed on "App Engine -> Application Settings", I have this error:
HTTP/1.1 403 Forbidden
I know what a 403 error is, but why does it happen only when I enable PageSpeed, and how can I fix it?
Thanks in advance

I assume you have not referred to Google's FAQ; please refer to this link.
This says you need to provide:
You sign up and provide us with your serving and origin servers.
You send traffic to PageSpeed Service by pointing your DNS CNAME entry to pagespeed.googlehosted.com.
Also, Python needs to be configured for PageSpeed; refer to the link PAGESPEED,
and it's still experimental.
Also refer to this link.
Find this point "Enabling PageSpeed Optimization Service"
This link says it's a paid service: you need to pay per GB of bandwidth, and it optimizes your pages automatically!
I hope you will work around the problem after reading these links.
If you are not a novice user, you do not require this if you are not adding anything useless to your app's pages.

Related

Need help in properly setting up load balancer and Google Cloud CDN

I tried to set up Google Cloud CDN for my server on Google Compute Engine. I have done everything correctly but images on my server are not getting cached.
Cache hit ratio is n/a.
In logs, I am getting 200 status code for http://(ip address)/poweredby.png. So I am assuming the frontend IP is not hitting my server but somewhere else. Other than this I can't find any error; all setup is correct. Maybe I have to change something in my nginx conf file? But I don't know. Let me know if the question is not clear.
Update:
I was using http but someone suggested https is a must. So, I have updated it to https but now the health check is failing.
Thanks,
According to this documentation not all responses are cacheable. You need to meet all requirements for Cloud CDN to cache a response.
Regarding the HTTPS health checks: confirm that you have added 35.191.0.0/16 and 130.211.0.0/22 to your firewall rules. More information is in the documentation on GCP health checks.

How to force https on Google Cloud AppEngine

I am trying to force https for all traffic to an app hosted on Google Cloud AppEngine. https works, but despite following the instructions for rewriting http traffic to https, it's still possible to access the site with http, which causes problems.
I have added this to the app.yaml:
handlers:
- url: /.*
  script: _go_app
  secure: always
  redirect_http_response_code: 301
but it doesn't seem to make any difference.
I am using the julienschmidt router and then this to handle all routes:
log.Fatal(fmt.Println(http.ListenAndServe(":8080", router)))
I have looked at using http.ListenAndServeTLS but this takes extra parameters and I can't work out what the values of those should be in the Google AppEngine context.
log.Fatal(fmt.Println(http.ListenAndServeTLS(":8443", "cert.pem", "key.pem", router)))
Where are "cert.pem" and "key.pem"?
I've read that I don't need to explicitly serve TLS in my app, because AppEngine will handle it for me, so even if I knew what the parameters were, I'm not sure it would help in forcing https.
http://sapling.appspot.com
https://sapling.appspot.com
http://sapling.money
https://sapling.money
All of the above work, but I don't seem able to force either of the http versions to https.
If you are using the secure:always handler and the requests are not being automatically redirected, then you are probably using App Engine Flex?
App Engine Flex does not support handlers, you can see this in the Flexible app.yaml documentation.
Instead, you can check in your code if a request was sent via HTTP or HTTPS and redirect. This is done with the App Engine specific header X-Forwarded-Proto.
The implementation is configured on your end and there is a brief paragraph on the subject.
You can also view similar Stack posts with the same answers 1
I hope this helps!
You are correct for including the secure: always element in your app.yaml as this will force HTTPS for your app's handlers.
However, I believe the following App Engine Documentation for "Securing Your App" found here may be of some use to you. As indicated in that link, you can convert HTTP URLs to HTTPS by simply replacing the periods between each resource with a -dot- instead. You may see the example provided below.
http://[SERVICE_ID].[MY_PROJECT_ID].appspot.com
https://[SERVICE_ID]-dot-[MY_PROJECT_ID].appspot.com
For additional information about HTTPS URLs and resource targeting you may see how requests are routed here.
Hope this helps!
You can use the Strict-Transport-Security header to instruct the browser to prefer https over http for a given page or an entire domain as outlined in this document. In order to add HTTP Strict-Transport-Security headers (HSTS) to your app, you must implement the headers within your app's code, not within your app's config file (app.yaml or appengine-web.xml).
It is also a good idea to enable HSTS preloading if you register your application with Google's HSTS preload list. Firefox and Chrome will never load your site over a non-secure connection.
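The in-code approach described in the answers above (check X-Forwarded-Proto, redirect, and set Strict-Transport-Security from the app), as an added Go example that is not code from the original posts. The names forceHTTPS and allowedHosts, the max-age value, and the use of http.ServeMux in place of the question's router are assumptions; the host allowlist and the 308 for non-GET methods go beyond what the answers describe.

```go
package main

import (
	"log"
	"net/http"
	"strings"
)

// forceHTTPS redirects plain-HTTP requests to HTTPS and sets HSTS on secure
// responses. Assumption: a trusted front end (App Engine here) terminates TLS
// and sets X-Forwarded-Proto; a client can forge it if it reaches the app directly.
func forceHTTPS(allowedHosts map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Never reflect an unknown Host header into a Location header.
		if !allowedHosts[r.Host] {
			http.Error(w, "unknown host", http.StatusBadRequest)
			return
		}
		if !strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https") {
			code := http.StatusMovedPermanently // 301, as in the question's app.yaml
			if r.Method != http.MethodGet && r.Method != http.MethodHead {
				code = http.StatusPermanentRedirect // 308 keeps method and body
			}
			http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), code)
			return
		}
		// Browsers ignore HSTS received over HTTP, so send it only here.
		// The max-age below is a constructed sample value (one year).
		w.Header().Set("Strict-Transport-Security", "max-age=31536000")
		next.ServeHTTP(w, r)
	})
}

func main() {
	// http.ServeMux stands in for the julienschmidt router from the question.
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok\n"))
	})
	hosts := map[string]bool{"sapling.appspot.com": true, "sapling.money": true}
	log.Fatal(http.ListenAndServe(":8080", forceHTTPS(hosts, mux)))
}
```

A caller that does not follow redirects, like the vendor callback in the 302 question further down this page, will still fail against the redirect branch and has to be pointed at the https URL directly.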

Google App Engine 302 Found response

We have a microservice running on GCloud, and to our surprise today a very important callback we expect from a vendor service receives a 302 Found response. That in itself is not an issue; the problem is that the vendor is not prepared to adjust their code to follow redirects.
Is there any solution for such cases, some configuration in GCloud we can activate? Funnily, we don't get a 302 when we make calls from our local machine and testing environments.
Figured out the issue: in our case the vendor was using the HTTP protocol instead of HTTPS. Since we have a secure: always configuration in app.yaml, they were getting a 302, which makes sense, since App Engine was redirecting to HTTPS.

Google App Engine redirecting all naked domain requests, causing letsencrypt to not work

I have a GAE app and a custom domain registered on enom.com. The app is a static website that's configured by app.yaml.
I'm trying to use LetsEncrypt certs for ssl, so I want to have valid certs for both www.example.com and example.com. I can get the cert for www.example.com working fine.
However the problem is in my naked domain. Whenever a http request goes to http://example.com/, it gets redirected to http://www.example.com/, ok. But, if a http request goes to e.g. http://example.com/a.html, the request is still redirected to http://www.example.com/. So when LE servers come looking for their well-known acme-challenge, it fails because they see index.html.
I guess this isn't a common behavior because no one is mentioning this, not at https://code.google.com/p/googleappengine/issues/detail?id=10802, nor at https://github.com/certbot/certbot/issues/1480.
I've tried to dig into why this is happening, one error I can see is here:
If I select to overwrite, GAE says it "failed to insert mapping"
This whole project was started by another person and he claims he's not aware of example.com being assigned anywhere else. I've looked at his Google Cloud Console and it would seem that he's correct.
Maybe something of interest is that in the Domain page of admin.google.com, naked domain redirect is set up. It redirects example.com to www.example.com. I've not found a way to disable it.
On my dns registrar, I have input the four A records, four AAAA records, and a www for CNAME.
TL;DR: My LetsEncrypt acme-challenge is failing for my naked domain, help!
I started getting the same error in app_engine after I went to my Google Apps account and added example.com to redirect to www.example.com. After I did this, in app_engine I got the "is already mapped" error. And there was no way to undo the redirect in Google Apps, so my guess was that Google Apps had mapped it and so App Engine could not modify it or add it. I had to explain this to the Support team, and btw Google Apps support is free to call, so contact them and then get transferred to the App Engine support team.
There is no way to fix it yourself, you have to get Google Support on call and explain clearly and they can reset. I was bounced between Google Cloud and Google Suites (Apps) support teams 7 times and after 2 weeks finally resolved, each one blaming the other, until I found a guy who understood this issue and fixed it for me.

urlfetch.fetch() from Google App Engine not showing up in Fiddler2

I'm testing a Google App Engine app on my Windows machine, running locally on localhost:8084. Fiddler2 shows all my activity when I navigate around my app, but when requesting an external url with urlfetch.fetch() it doesn't show up in Fiddler at all, even when using an http, not an https address, and with a successful status code 200 in the response.
What do I need to do to get the urlfetch.fetch() request from Google App Engine to show up in Fiddler2?
My understanding is that Fiddler2 runs as an HTTP proxy; browser requests go through this proxy instead of directly to the internet resource. This allows Fiddler2 to capture information about the request and the response.
According to the Fiddler2 docs, "You can configure any application which accepts a HTTP Proxy to run through Fiddler so you can debug its traffic". So I think you would need to change the URLFetch API call to use a proxy, supplying the Fiddler URL and port. However, the URLFetch documentation doesn't specify exactly how to do this. You might be able to use urllib2 as specified in this question.
Irussell is generally right, but I'd like to make the answer more specific.
As proxies aren’t supported within Google AppEngine production environment, it’s not directly supported by development engine either. It seems that the only way to overcome this limitation is to modify the code of AppEngine development server.
You'll have to modify the urlfetch_stub.py file, by adding the following lines:
connection = connection_class('127.0.0.1', 8888)
and
full_path = protocol + "://" + host + full_path
You may find the detailed explanation in my blog post Use Fiddler to debug urlfetch requests in Google AppEngine
