How to enforce HTTPS traffic to Google App Engine with custom domain?

Submitted by 蓝咒 on 2019-11-28 04:16:10

Question


I have a site on Google Domains (www.example.com) and it's hosted with Gcloud. I followed the instructions listed here to set up SSL and https: https://cloud.google.com/appengine/docs/standard/python/securing-custom-domains-with-ssl

Basically, I just ran gcloud beta app domain-mappings update example.com --certificate-management='AUTOMATIC'

Now I can indeed access https://example.com and https://www.example.com. But I can access the unsecure http version of those domains as well.

How can I set up my Google Domain to always use https? If someone types http://example.com, I want it to go to the https site instead.

Records: My naked domain (example.com) has 4 A records and 4 AAAA records.

My www.example.com domain has 1 CNAME record with alias=www.


Answer 1:


Have you tried setting secure: always in your handlers in your app.yaml?

handlers:
- url: /youraccount/.*
  script: accounts.app
  login: required
  secure: always

always

Requests for a URL that match this handler that do not use HTTPS are automatically redirected to the HTTPS URL with the same path. Query parameters are preserved for the redirect.

https://cloud.google.com/appengine/docs/standard/python/config/appref#handlers_element




Answer 2:


Not sure what backend language you are using, but you can brute-force to ssl by checking the request header then redirecting. Example:

if request.environ.get('HTTPS') == 'off':
    return redirect('https://www.example.com' + request.environ.get('PATH_INFO'), 301)



Answer 3:


secure: always still works in all standard environments, but the secure option has been deprecated in all flexible environments, see documentation here or here for Node.js.

If you need this feature in your current environment, the suggested solutions require changes to your application code. Either use the custom HTTP header X-Forwarded-Proto to redirect the HTTP traffic to HTTPS, or use the HTTP Strict Transport Security response header.
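
The two application-level options named in this answer, sketched as a WSGI middleware in Python; this is an added example, not code from the original answers or from Google's documentation. The host name, the max-age value and the names ForceHTTPS, call and hello are assumptions made for the illustration.

```python
from urllib.parse import quote

CANONICAL_HOST = "www.example.com"  # assumption: the site's single public hostname
HSTS_VALUE = "max-age=31536000"     # assumption: one-year policy

class ForceHTTPS:
    """WSGI middleware: redirect plain-HTTP requests, add HSTS to HTTPS responses."""

    def __init__(self, app, host=CANONICAL_HOST, hsts=HSTS_VALUE):
        self.app, self.host, self.hsts = app, host, hsts

    def __call__(self, environ, start_response):
        # Assumption: the front end terminates TLS and sets X-Forwarded-Proto to
        # one value; without the header, use the scheme the server itself saw.
        proto = environ.get("HTTP_X_FORWARDED_PROTO") or environ.get("wsgi.url_scheme", "http")
        if proto.strip().lower() != "https":
            # Fixed host instead of the request's Host header, so a forged Host
            # cannot steer the redirect; path and query string are preserved.
            path = quote(environ.get("PATH_INFO") or "/", encoding="latin-1")
            query = environ.get("QUERY_STRING")
            location = "https://" + self.host + path + ("?" + query if query else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def with_hsts(status, headers, exc_info=None):
            # Browsers honour HSTS only over HTTPS, so it is set on this branch only.
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", self.hsts))
            return start_response(status, headers, exc_info)

        return self.app(environ, with_hsts)

def call(app, environ):
    """Drive a WSGI app once and return (status, headers as a dict)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]

def hello(environ, start_response):  # stand-in application for the demo
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]

if __name__ == "__main__":  # constructed requests, as seen behind a TLS proxy
    app = ForceHTTPS(hello)
    print(call(app, {"HTTP_X_FORWARDED_PROTO": "http", "PATH_INFO": "/a b", "QUERY_STRING": "x=1"}))
    print(call(app, {"HTTP_X_FORWARDED_PROTO": "https", "PATH_INFO": "/"}))
```

The redirect alone still lets the first plain-HTTP request leave the browser; the Strict-Transport-Security header is what makes a browser that has already visited the site skip HTTP on later requests.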




Answer 4:


Alex's answer (see comments) put me on the right path.

First meteor add gadicohen:headers to add headers info.

In my router logic (Iron Router on Meteor) in a before hook, I check if the x-forwarded-proto is http. If so, replace http with https and go to that URL instead. I make sure I'm not on localhost too, so that I can develop the site.

Router.onBeforeAction(function () {
    // ... some other logic ...
    // Redirect http to https
    if (headers.get('x-forwarded-host') !== "localhost:3000") {
        if (headers.get('x-forwarded-proto') === "http") {
            window.location = window.location.href.replace('http', 'https')
        }
    }
});


Source: https://stackoverflow.com/questions/48752601/how-to-enforce-https-traffic-to-google-app-engine-with-custom-domain
