4

I'm new to app engine and I'm trying to set it up so that any http requests get redirected to https.

My app.yaml file looks like this. I have script: None in there because if I don't have it there I get some parsing error, but that's not the problem.

env: flex
runtime: nodejs
handlers:
- url: /.*
  script: None
  secure: always

So right now, if I go to http :// mysite.org it stays on the http version and just shows 'mysite.net' in the url bar. If I go to https :// mysite.org it shows the secured version. If I go to the appspot url that google gave me, the http redirects to the https version just fine. Is there something I'm missing in the app.yaml? This isnt in a custom runtime

Sean
  • 41
  • 1
  • 4
  • I think `None` is the problem. Try fixing your code so you can add a script there. – GAEfan Dec 29 '17 at 19:40
  • Possible duplicate of [Force SSL on App Engine Flexible Environment Custom Runtime](https://stackoverflow.com/questions/41944776/force-ssl-on-app-engine-flexible-environment-custom-runtime) – Dan Cornilescu Dec 29 '17 at 20:24
  • Apparently the Flex environment doesn't support handlers. See [Justin's answer here](https://stackoverflow.com/questions/42777860/http-to-https-redirection-on-app-engine) for more information and a workaround. – kashiB Jun 27 '18 at 04:17

2 Answers2

1

Use helmet, secure setting under handlers in app.yaml is depricated in the Google App Engine Latest Release.

https://helmetjs.github.io/docs/hsts/

https://expressjs.com/en/advanced/best-practice-security.html

// Forcing HTTPS connections on Gooogle App Engine Flexible Environment sample app.js

'use strict';

const express = require('express');
const helmet = require('helmet');

const app = express();
const port = process.env.PORT || 8080;

app.disable('x-powered-by');

app.enable('trust proxy');

app.use(helmet.hsts({
    maxAge: 31536000,
    includeSubDomains: true,
    preload: true,
    setIf: function (req, res) {
        return req.secure;
    }
}));

app.get('/', (req, res) => {
    if (!req.secure) {
        res.redirect(301, "https://" + req.headers.host + req.originalUrl);
    }
    res.status(200).send("hello, world\n").end();
});

app.listen(port, () => {
    console.log(`App listening on port ${port}`);
    console.log('Press Ctrl+C to quit.');
});

Upgrading to the App Engine Latest Release

The secure setting under handlers is now deprecated for the App Engine flexible environment. If you need SSL redirection, you can update your application code and use the X-Forwarded-Proto header to redirect http traffic.

https://cloud.google.com/appengine/docs/flexible/php/upgrading#appyaml_changes

Forcing HTTPS connections

For security reasons, all applications should encourage clients to connect over https. You can use the Strict-Transport-Security header to instruct the browser to prefer https over http for a given page or an entire domain, for example:

Strict-Transport-Security: max-age=31536000; includeSubDomains

https://cloud.google.com/appengine/docs/flexible/php/how-requests-are-handled

HTTPS and forwarding proxies

With Express.js, use the trust proxy setting

app.set('trust proxy', true);

https://cloud.google.com/appengine/docs/flexible/nodejs/runtime#https_and_forwarding_proxies

auxww
  • 11
  • 2
0

Adding the code snippet below to web.xml works just fine on Flexible environment

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
i.shadrin
  • 5,038
  • 2
  • 21
  • 13