
Force SSL on App Engine Flexible Environment Custom Runtime

We're running an instance of Metabase on an App Engine Flexible Custom Runtime with a Dockerfile based on openjdk:8. Currently it allows access on http://[metabase-project].appspot.com/ and https://[metabase-project].appspot.com/. I'd like to force SSL by having all HTTP traffic redirected to HTTPS.

The Dockerfile looks something like this:

FROM openjdk:8
ADD https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 ./cloud_sql_proxy
ADD http://downloads.metabase.com/v0.21.1/metabase.jar ./metabase.jar
CMD ./cloud_sql_proxy -instances=$INSTANCE=tcp:$MB_DB_PORT -dir=/cloudsql & java -jar ./metabase.jar

Our app.yaml looks like:

service: metabase
runtime: custom
env: flex

In a normal App Engine app.yaml file, I'd want to add:

handlers:
- url: [something]
  secure: always

But in the custom runtime we don't have access to handlers like this. Is there a way to configure the Flexible runtime to perform the redirect for all traffic?

Morgan Conbere asked Jan 30 '17 20:01


2 Answers

Late to answer, but I had to struggle a lot in order to do this.

I followed various links which mentioned the following code:

app.use(function(req, res, next) {
  if(!req.secure) {
    return res.redirect(['https://', req.get('Host'), req.url].join(''));
  }
  next();
});

This might work in other cloud vendors.

But in GCP, as rightly mentioned by @zengabor, our app will be running behind an nginx reverse proxy which terminates the SSL connection, so we need to check the X-FORWARDED-PROTO header, which can be done with the following code:

app.use(function(req, res, next) {
  if(req.headers['x-forwarded-proto'] && req.headers['x-forwarded-proto'] === "http") {
    return res.redirect(['https://', req.get('Host'), req.url].join(''));
  }
  next();
});

I'm just adding my answer because, after reading @zengabor's code, I had to search again for how to achieve it. So above is the ready-made code which will work.

Gokul Kulkarni answered Sep 24 '22 18:09
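
A hardened variant of the X-Forwarded-Proto redirect from the answer above, as an added example that is not part of the original answer: it builds the target from a fixed hostname instead of the Host header and sets HSTS on requests that arrived over HTTPS. The names forceHttps, forwardedProto, redirectTarget and CANONICAL_HOST are chosen for this example, and the code assumes the fronting proxy sets X-Forwarded-Proto.

```javascript
// Added example (not from the original answer). CANONICAL_HOST is a
// constructed placeholder; replace it with the hostname you actually serve.
const CANONICAL_HOST = 'metabase-project.example.com';

// Scheme the client used, as reported by the proxy, or null when absent.
function forwardedProto(headers) {
  const raw = headers['x-forwarded-proto'];
  if (typeof raw !== 'string' || raw === '') return null;
  // Assumption: if a proxy chain sends a comma-separated list, the first
  // entry describes the client-facing hop.
  return raw.split(',')[0].trim().toLowerCase();
}

// Build the target from a fixed host, never from the Host header, so a
// forged Host cannot steer the redirect. A request target that does not
// start with "/" (for example "@other.example") is replaced by "/".
function redirectTarget(host, url) {
  const path = typeof url === 'string' && url.startsWith('/') ? url : '/';
  return 'https://' + host + path;
}

// Express/Connect-style middleware using only core Node response methods.
function forceHttps(options) {
  const host = options.host;
  const maxAge = options.hstsMaxAge || 31536000; // one year, in seconds
  return function (req, res, next) {
    const proto = forwardedProto(req.headers);
    if (proto === 'http') {
      res.statusCode = 301;
      res.setHeader('Location', redirectTarget(host, req.url));
      return res.end();
    }
    if (proto === 'https') {
      // Tell browsers to skip plain HTTP on later visits.
      res.setHeader('Strict-Transport-Security', 'max-age=' + maxAge);
    }
    next(); // HTTPS, or header absent (e.g. local development)
  };
}

// Usage with Express: app.use(forceHttps({ host: CANONICAL_HOST }));
```

The 301 status is a choice made for this example; the answer's res.redirect call uses Express's default status instead.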


App Engine Flex doesn't support handlers, at all: https://cloud.google.com/appengine/docs/flexible/java/upgrading#appyaml_changes

If you need https:// redirects, you need to do it from within your application. Sorry!

Justin Beckwith answered Sep 23 '22 18:09