Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Force SSL on App Engine Flexible Environment Custom Runtime

Tags:

ssl

google-app-engine

app-engine-flexible

metabase

We're running an instance of Metabase on a App Engine Flexible Custom Runtime with a Dockerfile based on openjdk:8. Currently it allows access on http://[metabase-project].appspot.com/ and https://[metabase-project].appspot.com/. I'd like to force SSL by having all http traffic redirected to https.

The Dockerfile looks something like this:

FROM openjdk:8
ADD https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 ./cloud_sql_proxy
ADD http://downloads.metabase.com/v0.21.1/metabase.jar ./metabase.jar
CMD ./cloud_sql_proxy -instances=$INSTANCE=tcp:$MB_DB_PORT -dir=/cloudsql & java -jar ./metabase.jar

Our app.yaml looks like:

service: metabase
runtime: custom
env: flex

In a normal App Engine app.yaml file, I'd want to add:

handlers:
- url: [something]
  secure: always

But in the custom runtime we don't have access to handlers like this. Is there a way to configure the Flexible runtime to perform the redirect for all traffic?

like image 229
Morgan Conbere Avatar asked Jan 30 '17 20:01

Morgan Conbere

2 Answers

Late to answer, but I had to struggle a lot in order to do this.

I followed various links which mentioned the following code,

app.use(function(req, res, next) {
  if(!req.secure) {
    return res.redirect(['https://', req.get('Host'), req.url].join(''));
  }
  next();
});

This might work in other cloud vendors.

But in GCP as rightly mentioned by @zengabor, our app will be running behind an nginx reverse proxy which terminates the SSL connection, we need to check the X-FORWARDED-PROTO which can be done by the following code,

app.use(function(req, res, next) {
  if(req.headers['x-forwarded-proto'] && req.headers['x-forwarded-proto'] === "http") {
    return res.redirect(['https://', req.get('Host'), req.url].join(''));
  }
  next();
});

Just adding my answer as after reading @zengabor's code I had to search again on how to achieve it. So above is the readymade code which will work.

like image 56
Gokul Kulkarni Avatar answered Sep 24 '22 18:09

Gokul Kulkarni

App Engine Flex doesn't support handlers, at all: https://cloud.google.com/appengine/docs/flexible/java/upgrading#appyaml_changes

If you need https:// redirects, you need to do it from within your application. Sorry!

like image 34
Justin Beckwith Avatar answered Sep 23 '22 18:09

Justin Beckwith
Sign in to Comment

Related questions

What would be the most ethical way to consume content from a site that is not providing an API? [closed]
Writing files to Dropbox account from GAE
Securing data in the google app engine datastore
Anonymous caller does not have storage.objects.get
Failed to retrieve API configs with status: 404 - Google App Engine
IP Address Block of Appengine Servers?
Is there a performance gain from defining routes in app.yaml versus one large mapping in a WSGIApplication in AppEngine?
Google Cloud Storage with get_serving_url
Using the Python NLTK (2.0b5) on the Google App Engine
Can Pandas run on Google App Engine for Python?
Eclipse - How to fix error "No persistence.xml file found in project" JPA issue
Simple explanation of Google App Engine NDB Datastore
Is there any available solution to provide xsrf/csrf support for Google app engine?
python requests on Google App Engine not working for HTTPS
Google App Engine Python Unit Tests
Invalid and/or missing SSL certificate for URL when calling apiclient.discovery.build
https for localhost:8080
Deploying Google app engine with python failed
Store an object in memcache of GAE in Go
Getting error 403 while installing package with pip

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!