I have an App Engine (Java) project. When I try to access URLs using https with a purchased domain, the pages just time out. For example, I've purchased the domain "example.com" and hooked it up to my App Engine account for "example.appspot.com". So:
http://example.com (works)
https://example.com (times out)
https://example.appspot.com (works)
I remember there being some catch about https with domains not using the appspot pattern. Is it possible to get this to work, or do we have to use the appspot pattern if we want to use https?
Thanks
Yes, custom domains are supported
see https://developers.google.com/appengine/docs/ssl
You need to have billing enabled and one to have cleared for it to work
Also, there is a cost to do this.
You can see an overview here:
https://www.globalsign.com/blog/ssl-with-google-app-engine.html
http://googleappengine.blogspot.jp/2012/06/google-app-engine-170-released-at.html
Server Name Indication (SNI)
This allows multiple domains to share the same IP address while still allowing a separate certificate for each domain. SNI is supported by the majority of modern web browsers. SNI is priced at $9/month which includes the serving of 5 certificates.
Virtual IP (VIP):
A dedicated IP address is assigned to you for use with your applications. VIP is supported by all SSL/TLS compatible web clients and each VIP can serve a single hostname, wildcard or multi domain certificate. A VIP will cost $99/month.
I have many microservices in app engine only for internal use. But, by default, app engine opens service-project.appspot.com domain to public, and anyone can access them via http or https.
Is there a way to restrict access only for certain IP address?
The trivial way I can think of is checking the source IP address in application code.
Or, I can create custom docker image with nginx configuration which checks source ip address. But, these are not quite clean solutions because access control is actually independent from application, and I don't want to hard code static IP address inside the container.
I assumed there is a way to set up a firewall rule for App Engine, but I could not find it. Identity-Aware Proxy seems like another option, but it is not available for App Engine flex.
I know this is cold comfort, but we're working on re-enabling App Engine flex support for IAP. It's going to be more than just a few days, though.
https://cloud.google.com/appengine/docs/flexible/java/migrating#users has some options that might be more palatable than hardcoding IPs. You won't be able to use GCE firewall rules because the appspot.com traffic is coming through Cloud HTTP Load Balancer, so the GCE instance firewall only sees the IP of the load balancer. If you do want to verify IPs within your app, use X-Forwarded-For as described at https://cloud.google.com/compute/docs/load-balancing/http/#components .
Hope this helps! --Matthew, Cloud IAP engineer
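An added example (not part of the answer above) of checking the source IP from X-Forwarded-For behind the load balancer. It assumes the header layout described in the linked load-balancing documentation, where the front end appends the client IP it observed and then its own IP, so anything earlier in the list is client-supplied; the allowlist ranges and function names are constructed for illustration.

```python
import ipaddress

# Assumption: X-Forwarded-For: <client-supplied values>, <client IP>, <LB IP>
# Only the entries appended by the front end can be trusted.
TRUSTED_HOPS = 1  # trailing entries added after the client IP (the load balancer)

# Constructed allowlist (documentation ranges); load from configuration in practice
# so that no address is hard-coded in the container image.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:42::/48")]


def client_ip_from_xff(header_value, trusted_hops=TRUSTED_HOPS):
    """Return the client IP recorded by the load balancer, or None if malformed."""
    if not header_value:
        return None
    parts = [p.strip() for p in header_value.split(",")]
    if len(parts) < trusted_hops + 1:
        return None  # header did not pass through the expected proxy chain
    try:
        # Count from the right: the left side is whatever the caller sent.
        return ipaddress.ip_address(parts[-(trusted_hops + 1)])
    except ValueError:
        return None


def is_allowed(header_value):
    """Fail closed: a missing or unparsable header is denied."""
    ip = client_ip_from_xff(header_value)
    return ip is not None and any(ip in net for net in ALLOWED_NETS)


def naive_is_allowed(header_value):
    """Common mistake, kept for contrast: trusts the first (spoofable) entry."""
    try:
        ip = ipaddress.ip_address(header_value.split(",")[0].strip())
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_NETS)


# Constructed sample headers.
GENUINE = "203.0.113.7, 198.51.100.1"
SPOOFED = "203.0.113.7, 192.0.2.55, 198.51.100.1"  # first entry sent by the caller
```

With the spoofed header, the naive check accepts the request while the right-anchored check sees 192.0.2.55 and denies it.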
I have this problem when forwarding a www CNAME to a Google App Engine application. It's not working; maybe I am missing something.
Is it possible to forward CNAME to Google App Engine without adding custom domain?
The documentation you linked actually contains the answer to your question: You have to add a custom domain to your app with a wildcard.
And here is the reason why you have to add every domain to your custom domain.
When you create a cname it will always point to ghs.googlehosted.com. My guess is that the servers behind that domain are one huge load balancer, but that's not really important here. What is important is, that before your HTTP request is made the DNS name is resolved to an IP address. The range of IP addresses is the same for all appengine apps, so the server doesn't know that this particular request is intended for your app. However with that IP address a TCP connection is opened to the server. Now you send a request like:
GET / HTTP/1.1
HOST: www.yourcustomdomain.com
The server looks at the HOST part and must decide which app this request should be forwarded to. But it cannot know that if you didn't add your domain to the custom domains of your project. There simply is no information about where to route that request. So the simple answer is:
Yes you must add all your custom domains to your project, but you could use wildcards
No it will not work without that step, because the Google infrastructure houses tons of apps and your app does not have a dedicated IP address by which it could be identified
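The routing decision described in the answer above, as an added example that is not part of the original post and is not Google's implementation. It is a simplified model: the mapping table, app ids and function names are constructed, and treating the left-hand label of an appspot.com host as the app id is an assumption.

```python
# Constructed mapping table: custom domain pattern -> app id (hypothetical values).
DOMAIN_MAP = {
    "www.yourcustomdomain.com": "app-one",
    "*.example.org": "app-two",
}


def parse_host(raw_request):
    """Extract the Host header value (header name is case-insensitive)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            # Drop an optional port and trailing dot (IPv6 literals not handled).
            return value.strip().lower().split(":")[0].rstrip(".") or None
    return None


def route(raw_request, domain_map=DOMAIN_MAP):
    """Return (status, app_id) the way a shared front end would have to decide."""
    host = parse_host(raw_request)
    if host is None:
        return (400, None)
    # Default domains carry the app id in the name, so no mapping is needed.
    if host.endswith(".appspot.com"):
        return (200, host[: -len(".appspot.com")])
    if host in domain_map:
        return (200, domain_map[host])
    # Wildcard entries cover exactly one extra label, not the naked domain.
    _, _, parent = host.partition(".")
    if parent and "*." + parent in domain_map:
        return (200, domain_map["*." + parent])
    # Same shared IP, but nothing says which app owns this name.
    return (404, None)


def request_for(host):
    """Build a constructed minimal HTTP/1.1 request for the given host."""
    return ("GET / HTTP/1.1\r\nHOST: %s\r\n\r\n" % host).encode("latin-1")
```

A CNAME to ghs.googlehosted.com only gets the connection to the shared front end; in this model the unmapped name falls through to the 404 branch, and a wildcard entry does not match the naked domain.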
My domain is hosted by Dreamhost. My app engine app is served by a custom domain, but is a sub-domain: app.example.com. My app is not accessed by a browser, but requests are made from an iOS app.
Now, I've purchased a basic SSL certificate from Dreamhost specifically for the subdomain app.example.com.
Next, I've uploaded the necessary crt and pem files to Google Domain Settings, and everything went ok with that. The domain settings do show that the upload was successful, and I have assigned the CNAME to ghs.googlehosted.com.
At this point, I'm not exactly sure what to do. Am I to expect SSL to just magically be enabled by this point? Because it still doesn't look like it has been.
What's confusing me is this talk about SNI and unique IPs. Dreamhost says, aside from GAE, that I'd need a unique IP to host my certificate. I'm not sure though if that's just a Dreamhost thing, or I really do need that. If so, do I need a unique IP for the subdomain separate from the main domain?
Or is this what SNI takes care of? What exactly should I be doing at this point?
You should understand what SNI is: http://en.wikipedia.org/wiki/Server_Name_Indication
Then you should follow the config docs for SSL on custom domains.
Btw, iOS since v4 supports SNI so you should be OK.
Update: if you want unique IP, then you should use VIP. But this costs extra and is not necessary in your case as iOS supports SNI. VIP is only needed for some older browsers.
I set up a custom domain on GAE using the tutorial at aral balkan to access http://app.appspot.com at http://app.com. (I can access the app at www.app.com)
The tutorial is pretty old (Sep 2008) and it mentions:
Add four Hostnames for the naked
domain (i.e., yourdomain.com without
the www) and have them point to IP
addresses 216.239.32.21,
216.239.34.21, 216.239.36.21, and 216.239.38.21.
I added the required A names to my domain DNS, but accessing app.com leads me to a Google 404 page.
I have used naked to www redirection on Blogger using a similar method (A names provided by Google Blogger Help) and it has worked for me (it still works). However, apart from the article at aralbalkan.com, I have not come across an official source which says that naked to www domain redirection using these IPs works for domains on Google Apps (which GAE uses to manage custom domains).
My Question:
Does anybody use a similar method (A names pointing to Google IPs) to resolve www domains from naked domains for custom domains on GAE? If yes, are the IPs different or am I doing it wrong?
The alternate method that I can think of using is getting a third party host and pointing the A name of app.com to the IP address of that third party host, followed by placing a 301 redirect script to www.app.com on that host. But that will require me to manage another hosting just for naked to www redirection.
If anyone knows of any easier methods to achieve naked to www redirection on custom domains for GAE, please help.
Update:
Thank you for the answers. If it can be of any help, I am using geoscaling.com for DNS. I have an everydns account too. The domain is on namecheap and namecheap offers a freedns option too.
Update 2
Switched my DNS back to namecheap. I guess geoscaling.com does not offer a 301 URL redirect (correct me if I am wrong), although it's still a great service. Namecheap offers a 301 URL redirect. Should start working in some time.
While it's true Google doesn't officially support naked domains, it is possible to make this work using your registrar's DNS and Domain Forwarding tools.
For example, http://conversionsupport.com is hosted on Google App Engine, and GoDaddy is where the DNS is managed. The naked domain redirects to the http://www.conversionsupport.com subdomain using a domain forwarding rule.
Requests for the naked domain result in a 301 redirect to the www subdomain. Some SEO resources claim that using one subdomain is better for ensuring search engines don't see your site's content as being duplicative. This 301 redirect should help ensure that both naked domain and www subdomain are treated the same.
Here is a resource for Setting up URL Forwarding in GoDaddy. Note that while this is intended for Google Sites, I have confirmed that it does work on Google App Engine apps.
UPDATE:
To clarify, the naked domain itself will redirect to the www subdomain. This means that if your users type http://example.com then they'll be redirected to http://www.example.com as is the case with my original example above.
From what I understand, most Google Apps accounts are partnered with GoDaddy. Here are the Instructions from GoDaddy Support on Domain Forwarding Using a 301 Redirect.
Naked domains are not supported on App Engine. You need to use www-redirects, as you suggest.
Naked domain (e.g. yourdomain.com) support for App Engine can be set up in three steps:
1. Set up a naked domain redirect to a subdomain of your choice (e.g. redirect mydomain.com -> www.mydomain.com). See the App Engine FAQ, which instructs you to configure the redirect via the Google Apps control panel for your domain.
2. Configure App Engine to serve traffic for your custom subdomain (e.g. www.yourdomain.com) via the Google Apps control panel.
3. (Optionally) set up SSL for your custom domain. This step is required if you wish to serve https:// traffic, but not required if you only plan on hosting http:// content.
As nick says, naked domains are not supported by app engine.
On your point of easier methods to achieve naked to www redirection on custom domains... Some DNS hosts, (for example, dyndns.com) integrate that ability into their DNS control panel. You may check with your DNS provider to see if that is the case.
With all the changes over time, I wanted to post that GAE (at least at the time of this writing) DOES support naked domains. I have this working for wdydfun.com. Follow the directions as mentioned above by Fred Sauer and it will eventually work. I'd love to provide more detail on those steps, but things seem to change frequently. You'll have to click around a bit to find where to set stuff. With the DNS propagation time that can be a bit frustrating. I recommend running
dig ns <your url>
from the command line to help see what is going on. My "www" domain was resolving to ghs.google.com and my naked domain was resolving to dreamhost where the domain was registered. After filling out the extra "A" records from the google directions, the naked domain eventually started returning different information and it worked. If you are testing this out in a browser, it's worth mentioning that at the time of this writing webkit browsers seem to be pickier than mozilla. My DNS settings:
A 216.239.32.21
A 216.239.34.21
A 216.239.36.21
A 216.239.38.21
TXT google-site-verification=W0rC...fnQ
* CNAME ghs.google.com.
Yours will probably look similar. Unless the directions have changed again. The CNAME value changed since when I first set things up, so if what I'm writing here differs from the directions on Google, trust the directions on Google. HTH.
Naked domain mapping works from the Google Developers Console.
https://code.google.com/p/googleappengine/issues/detail?id=777
We have added support for custom domains for App Engine from the
Google Developers Console, meaning you can now associate a custom
domain without first associating that domain with Google Apps.
To access the feature, visit https://console.developers.google.com/
and you will find the option to add a custom domain under App Engine >
Settings.
NOTE: Currently we do not support SSL on custom domains created
through this method (although we expect to rectify this in a future
release). In the meantime, we continue to support SSL (via VIP or SNI)
for custom domains that are created through Google Apps, and we
continue to provide free HTTPS for all *.appspot.com domains.
Alternatively, you could follow the steps below, which solve this problem for sure:
Ping the website you are wanting to forward to, in order to get the
IP address if you don't know it.
"Run"; CMD; "ping yourwebsite.com"
Will display ping data and reply from IP address. Note this address.
Login to Godaddy.com to manage your account or other domain registry
site
Go to DNS Control Modify/Add "A Host"
Under "Host" enter: #
Under "Points To" Enter the IP Address you obtained earlier.
You are done! Site is forwarded without the www prefix when entered into
address bar.
More details and reference :
http://www.techproceed.com/2014/05/custom-domain-setup-on-blogger-with.html
I am in the process of porting some sites from my own server to Google (GHS). I've always used ZoneEdit to manage my DNS needs and in the past - wrongly or rightly - configured it so that:
domain.com and www.domain.com pointed to: <my known ip address>
With the www sub-domain all is fine and it (www.domain.com) resolves to ghs.google.com (via a CNAME entry) and the site is displayed.
However, if I try and reach the bare domain (domain.com) FF states it is unable to establish a connection. I assume this is because my DNS configuration has no A ip-address entry for it anymore.
I was considering forwarding any URL from domain.com to www.domain.com. Although possible, ZoneEdit is not recommending it, I think because I am telling it to only forward requests for http://domain.com and leave http://www.domain.com as it is (i.e. CNAME configured).
Am I handling this the best way?
Please advise.
You could also add your vote to Issue 777: Officially Support Naked Domains for GAE Apps to ask Google to support naked domains. That way you would also be able to use http://domain.com as a valid address for your App Engine application.
According to the article on URL forwarding in the Google Apps Help, forwarding your naked domain to the www domain is the best way to handle it.
And then you leave the CNAME record for the www domain to point to ghs.google.com, as you already have done.
You can also look at the post 'Naked' domains on App Engine by Nick Johnson
Now there is a direct way within Google Apps to do this.
It is located in Google Apps > Domain Settings > Domain Names
https://www.google.com/a/cpanel/yourwebsite.com/DomainSettingsDomains
Requisite: Your 'A' Records should point to the Google server.
How it works?
User types yourwebsite.com
DNS sends it to the server whose IP is mentioned in the A Record
That server (Google's host server) takes the domain name and
redirects to www.yourwebsite.com (or the sub-domain / link you
specify)
User reaches www.yourwebsite.com
From there you know ...
The naked to www redirection in Google Apps is broken, or at least it is for some of my apps. If Google Apps uses eNom, the redirection works properly, but if it uses GoDaddy, it will not carry forward the path (e.g. domain.com/this/is/path will redirect to www.domain.com). The fix is to use 3rd party DNS.
I think that now Google Apps has a built-in feature for forwarding of naked domains. You just go to "Domain Settings" tab in Google Apps management panel. There you click "Domain Names" sub-tab. Enter the destination where to forward your naked domain. Then you make changes to DNS, adding A record for your domain to Google provided IP. That's it.