I'm looking into developing a system via Google's App Engine for PHP. I'm now pretty well underway, but realized that I don't know a good way to deny incoming traffic from countries known for their nefarious inhabitants.
On other sites, I just block subnets via .htaccess. However, I'm now beginning to think it's impossible outside of using Google's own PHP request header designating the country code.
See their doc here: https://developers.google.com/appengine/docs/php/
It would be easy to just block it that way, but I'm not sure this would be the optimal way.
Any insight would be appreciated.
You can use the dos.yaml file to blacklist subnets. You create a dos.yaml file in the root directory of your application and then block IPs or entire subnets as specified here. Note that this file is limited to a maximum of 100 entries.
Once you have a list of country subnets which you wish to block (which you could obtain from a list like this or this), you can populate the dos.yaml file manually. Alternatively, you can use a script like this one to populate the file.
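As an added example (not the script the answer links to, and not part of the original post), the following PHP script builds a dos.yaml from a list of ranges, skips entries that are not valid IPv4/IPv6 addresses or CIDR blocks, and stops at the 100-entry limit; the blacklist/subnet/description keys follow App Engine's dos.yaml format, while the sample ranges are constructed placeholders.

```php
<?php
// Constructed sample ranges standing in for a per-country list (placeholders).
$ranges = [
    '203.0.113.0/24'  => 'TEST-NET-3, constructed sample range',
    '198.51.100.0/24' => 'TEST-NET-2, constructed sample range',
    '192.0.2.7'       => 'single address, constructed sample',
    '2001:db8::/32'   => 'IPv6 documentation prefix, constructed sample',
    '300.1.1.0/24'    => 'invalid address, should be rejected',
    '203.0.113.0/33'  => 'invalid prefix length, should be rejected',
];

const MAX_DOS_ENTRIES = 100; // App Engine's limit for dos.yaml entries

/** True if $subnet is a valid IPv4/IPv6 address, optionally with a CIDR prefix. */
function is_valid_subnet(string $subnet): bool
{
    [$ip, $prefix] = array_pad(explode('/', $subnet, 2), 2, null);
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        $maxPrefix = 32;
    } elseif (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
        $maxPrefix = 128;
    } else {
        return false;
    }
    if ($prefix === null) {
        return true; // bare address, no prefix
    }
    return ctype_digit($prefix) && (int)$prefix <= $maxPrefix;
}

/** Build the dos.yaml text; invalid entries are skipped and the list is capped. */
function build_dos_yaml(array $ranges): string
{
    $lines = ['blacklist:'];
    $count = 0;
    foreach ($ranges as $subnet => $description) {
        if (!is_valid_subnet($subnet)) {
            fwrite(STDERR, "skipping invalid entry: $subnet\n");
            continue;
        }
        if (++$count > MAX_DOS_ENTRIES) {
            fwrite(STDERR, "dos.yaml limit of " . MAX_DOS_ENTRIES . " reached; rest dropped\n");
            break;
        }
        $lines[] = "- subnet: $subnet";
        // json_encode yields a double-quoted string, which is valid quoted YAML.
        $lines[] = "  description: " . json_encode($description);
    }
    return implode("\n", $lines) . "\n";
}

file_put_contents('dos.yaml', build_dos_yaml($ranges));
```

Run it from the application's root directory so that dos.yaml lands where App Engine expects it; the two deliberately invalid entries are reported on stderr and left out.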
In addition to the DOS attack protection mentioned in @rudolph1024's answer, it is now possible to enable a fully-featured firewall (still beta, recently released) to protect your GAE application.
From App Engine firewall:
The App Engine firewall enables you to control access to your App Engine app through a set of rules that can either allow or deny requests from the specified ranges of IP addresses.
Create a firewall to:
Allow only traffic from within a specific network
Ensure that only a certain range of IP addresses from specific networks can access your app. For example, create rules to allow only the range of IP addresses from within your company's private network during your app's testing phase. You can then create and modify your firewall rules to control the scope of access throughout your release process, allowing only certain organizations, either within your company or externally, to access your app as it makes its way to public availability.
Allow only traffic from a specific service
Ensure that all the traffic to your App Engine app is first proxied through a specific service. For example, if you use a third-party Web Application Firewall (WAF) to proxy requests directed at your app, you can create firewall rules to deny all requests except those that are forwarded from your WAF.
Block abusive IP addresses
While Google Cloud Platform has many mechanisms in place to prevent the various attacks, you can use the App Engine firewall as another mechanism to block traffic to your app from IP addresses that present malicious intent.
You should use the App Engine firewall as your primary option for shielding your app from denial of service attacks or similar forms of abuse. You can blacklist IP addresses or subnets so that requests routed from those addresses and subnets are denied before they reach your App Engine app.
For details about creating rules and configuring your firewall, see Controlling App Access with Firewalls.
The firewall appears to be intended to replace the DOS protection. From Denial of service (DoS) protection service:
Tip: You should instead use the App Engine firewall for reliable protection as well as the improved features, access, and management through the Cloud Platform Console, gcloud command-line tool, and Admin API.
You still need to collect the IP ranges for the country in your particular case, to configure the firewall.