Google App Engine ManagedSSL Not Working - node.js

I'm using Google App Engine to host my web application Here's the app.yaml config I'm using, using a domain that I bought through GoDaddy to set the custom domain. I've successfully set the custom domain, and the console shows that the ManagedSSL is working, when I visit the site it's still not working The console showing the ssl for the custom domain is working. The appspot.projectid.com site does have the https working but the custom domain does not.
I've followed the tutorials provided by Google Cloud, and others on medium but this issue persists. Do I need to set something on the DNS to allow the ManagedSSL to work?

As you stated, acording to this post, secure: always still works in all standard environments, but the secure option has been deprecated in all flexible environments, see documentation here or here for Node.js.
If you need this feature in your current environment, the suggested solutions require changes to your application code. Either use the custom HTTP header X-Forwarded-Proto to redirect the HTTP traffic to HTTPS, or use the HTTP Strict Transport Security response header.

Related

Azure AD Application Gateway redirect to /signin-oidc which return 404

We have a web app in Azure sitting behind a V2WAF Application Gateway. This is all private so the WAF uses a private frontend IP address and a certificate generated with openssl. The backend uses the azurewebsites.net domain so the backend app doesn't have any custom domains and therefore certificates assigned.
The WAF is configured with rewrite rules as per microsoft docs.
If
http header
response header
common header location
= pattern (https?)://.azurewebsites.net(.)$
then
response header
set common header location
Header value {http_resp_Location_1}://portal.uat.xxxxxxx.internal{http_resp_Location_2}
The result from this is a 404 not found.
I found this on github which seems to match the issue
https://github.com/AzureAD/microsoft-identity-web/issues/1199
Has anybody come across this and found a fix I can apply to the WAF?
The domain being used for the WAF frontend is.internal and can't be added as a custom domain into the webapp, not my choice but the person telling me this config works has said it's worked before.
Thanks
I've tried various things, but nothing has worked so far. I'm not a developer so need to be able to get this working just using the App Gateway.
I think I need a custom domain that can be verified and a matching SSL cert on the app service but the "architect" is telling me this works. I can't figure out a way of doing it.

Static website hosted in Azure, HTTPS working HTTP not

I have hosted a static website in azure mainly by following the Microsoft tutorials. The process has been to create a storage account, create a CDN endpoint, map my custom domain to the endpoint and then enable HTTPS using an SSL certificate managed by azure.
The custom domain is working but the problem is firstly that although in Azure CDN it says that both HTTP and HTTPS are enabled, I can only access the website via HTTPS and when I try with HTTP the error I get says 'The account being accessed doesn't support HTTP'. The other thing is that in order to navigate to the secure site I have to put the entire URL in the search bar, starting with the https or the website can't be found. I'm not sure if this is normal but if I think of web browsing in general, this isn't usually necessary.
Any ideas on how to fix this would be greatly appreciated.
Default is that Azure only Allows HTTPS.
On App Service go to TLS/SSL settings and switch to HTTPS Only to Off.
On Storage Account go to Configuration and change Secure transfer
required to disabled.

Azure Application Gateway, Azure App Service and Form Based Authentication

I'm migrating a complete infrastructure over to Azure; it's been slow going as there's so much to learn and for every two steps forward, there seems to be one step back.
After what seems like an eternity, I think I've got it all sorted with one exception.
The architecture is as follows:
Azure Traffic Manager ==> 2 Azure Application Gateways (geo separated) ==> Azure App Service
A custom domain is used for the traffic manager and the gateways are listening for the same domain and, when the route matches, passing on the requests down to the app service.
The actual app itself is a ASP.NET MVC application and it uses forms authentication; and this is where the challenge happens.
When navigating to the public address: client.domain.com and hitting the website, it determines that the user is not authenticated and sends the browser to the login page... so far so good but, rather than using client.domain.com/login it uses the web-server dns name, so client.azurewebsites.com/login
How do I go about changing the behaviour so that it uses the external DNS name rather than the website name?
I can't setup custom domains on the app service as the only route into the site is via the gateway as this is also the firewall.
Is there some Web Config setting I can make? I'm looking at the outbound rewrite rules but these seem to only work on tags rather than 302 redirects.
Any thoughts would be most welcome.
You need to setup custom dns names on your webapp (you can use TXT record to verify dns name, so i dont see a reason why you can add it to the webapp). or you can alter the code.
In order to solve this problem, I had to make a code change to the web app itself. Not ideal but it worked.
What I had to do was to extend the code that redirects an unauthenticated request to the login page by sniffing for the X-Original-Host HTTP Header that the App Gateway forwards on. This contains the public facing DNS name. If the header is present and it is on a pre-approved white-list (so as to prevent any hijacking), then redirect the user to the login page for this domain, rather than the one the server is listening on directly (so use client.domain.com rather than client.azurewebsites.com)

Multi-domain Routing and SSL on Node.js

I have a Node.js app that serves http requests. Users can signup, create an account and when they do, I generate a subdomain for them to use. eg username.example.com. This is fairly straight forward to do and can be served over ssl using a single certificate.
I would like to give the option for the user to use their own domain. From Node.js this isn't too difficult either. I can check the hostname and look up the account details from there.
I'm struggling to work out how to generate ssl's for these custom domains though.
Right now, my app runs on Heroku, but I also have a staging build on Google's App Engine, so I don't deal with the web server directly. In fact, I don't even know what it is, it could be Nginx or Apache.
To keep the conversation focused, let's stay I want to stick to app engine. When a user adds their own domain, I store it in the database. How would I auto generate an SSL for this?
I thought of general steps for this, but there is one showstopper which I'm not sure it is possible to workaround. The steps will be:
Map the user's domain to your application and configure the DNS records. You can do that with the gcloud commands: steps and general description outlined in this Mapping Custom Domains docs page (notice that you can switch between Console and GCloud in the boxes). There is also a possibility of doing that within the Cloud Console, however as you've mentioned you're interested in the programmatic approach. If you prefer to configure the custom domain from the API, the same functionality exists in App Engine Admin API with its REST resource for domain mappings.
Possible showstopper (source: Mapping Custom Domains) :
Verify that you are the owner of your domain through Webmaster Central
After that, App Engine provisions a managed certificate and then handles renewing/revoking it. Securing Custom Domains with SSL is still in beta, but it offers the functionality that you need.

GCP app deploy in preview URL

I started using Google Cloud Platform and been testing some things on it. After deploying the web services (node.js), the GCP provides a URL which actually redirects to a preview URL. Ex- project.appspot.com to project.appspot-preview.com. Due to this, our client side throws 307 status code but not if I use the preview URL directly.
All I want to know is, is it safe to use the preview URL straight away or is there anyway to disable the forwarding?
Need help, thanks in advance.
This is the current behavior of the latest GAE flex environment. From Domain update:
Traffic is now served from the appspot-preview.com domain instead of
the appspot.com domain. All traffic from the App Engine flexible
environment will be automatically redirected to the new domain. All
App Engine Standard traffic will continue to be through appspot.com.
When the App Engine flexible environment is generally available (GA),
users will be able to use the appspot.com or appspot-preview.com
domains for routing traffic.
For users who want to use the latest App Engine Flexible release with
a custom domain, please fill out this form to contact us.

Resources