I want to to use an API gateway like Traefik to protect my apps deployed in CF. E.g. by only allowing requests from the internet to the gateway and restrict the apps behind to internal traffic only (probably via route configurations).
Unfortunately, I could not find any guidance how such a setup could be achieved in CF.
Related
How can we make sure all requests are routed through cloudflare seevers only?
I currently setup dns in cloudflare in proxy mode. I set a custom domain mapping on cloud run and pointed dns records for my custom domain to ghs.googlehost.com.
Wondering how to make sure the traffic is received only from cloudflare to avoid abuses.
Update
There is another question about origin pulls but the answer mentions its only possible through OAuth which is not in detail.
You cannot achieve your goal without inserting a proxy that you must build. Google Cloud authorization is OAuth. Cloudflare's servers do not implement OAuth authorization headers.
You should implement OAuth at your clients. However, that will provide for authorization but not selectively from Cloudflare.
Is there built-in support for enabling SSL on Azure Container Instances? If not, can we hook up to SSL providers like Lets Encrypt?
There is nothing built-in today. You need to load the certs into the container and terminate SSL there. Soon, we will enable support for ACI containers to join an Azure virtual network, at which point you could front your containers with Azure Application Gateway and terminate SSL there.
As said above, no support today for built-in SSL when using ACI. I'm using Azure Application Gateway to publish my container endpoint using the HTTP-to-HTTPS bridge. This way, App Gateway needs a regular HTTPS cert (and you can use whichever model works best for you as long as you can introduce a .PFX file during provisioning or later during configuratiorn) and it will then use HTTP to talk to your (internally facing) ACI-based container. This approach becomes more secure if you bind your ACI-based container to a VNET and restrict traffic from elsewhere.
To use SSL within the ACI-container you'd need to introduce your certification while provisioning the container, and then somehow automate certificate expiration and renewal. As this is not supported in a reasonable way, I chose to use the App Gateway to resolve this. You could also use API Management but that is obviously slightly more expensive and introduces a lot more moving parts.
I blogged about this configuration here and the repo with provisioning scripts is here.
You can add SSL support at the API Gateway and simply configure the underlying API over HTTP.
You will need the secrete key to execute above api method!
You can access the underlying API hosted at the Azure Container Instance. This method does not require jwt token as this is a demo api.
I have 2 web roles in a cloud service; my API and my Web Client. Im trying to setup SSL for both. My question is, do I need two SSL certificates? Do I need 2 domain names?
The endpoint for my api is my.ip.add.ress. The endpoint for my webclient is my.ip.add.ress:8080.
Im not sure how to add the dns entrees for this as there is nowhere for me to input the port number (which I have learned is because its out of the scope of the dns system).
What am I not understanding? This seems to be a pretty standard scenario with Azure Cloud Services (it is set up this way in the example project in this tutorial, for instance http://msdn.microsoft.com/en-us/library/dn735914.aspx) but I can't find anywhere that explains explicitly how to handle this scenario.
First, you are right about DNS not handling port number. For your case, you can simply use one SSL certificate for both endpoints and make the two endpoints have the same domain name. Based on which port is used by user request, the request will be routed to the correct endpoint (API vs. Web Client). Like you said this is a relative common scenario. There is no need to complicate things.
Let's assume you have one domain www.dm.com pointing to the ip address. To access your Web API, your users need to hit https://www.dm.com, without port number which defaults to 443. To access your web client, your users need to hit https://www.dm.com:8080. If you want users to use default port 443 for both web api and web client, you need to create two cloud services instead of one, then web api on one cloud service and web client on the other cloud service. Billing wise, you will be charged the same as one cloud service.
Are there any reasons you want to make 2 different domains and in turn 2 SSL certificates? If so, it is still possible. Based on your requirements, you may have to add extra logic to block requests from the other domain.
Is there any way to serve a static website (SPA actually) located on Google Cloud Storage via SSL, for that nice SSL address and icon for users to see?
Amazon allows this via CloudFront SNI.
Yes!
Using GCS directly via CNAME redirects only allows HTTP traffic.
To use HTTPS with your own domain, you'll need to set up Google Cloud Load Balancer, and optionally you'll want to set up Google Cloud CDN as well. While it adds a bit of complexity, Google Cloud Load Balancer allows you to fill a domain with all sorts of content. Some resources could be served by a GCS bucket, but you could also have servers in GCE serving dynamic content for other paths.
There are instructions for setting this up here: https://cloud.google.com/compute/docs/load-balancing/http/using-http-lb-with-cloud-storage.
An alternative would be to host your domain DNS server at CloudFlare. They give free HTTPS to HTTP service.
More Info:
https://www.cloudflare.com/ssl/
Adding HTTPS For Free With CloudFlare
As of April 2019: https://cloud.google.com/storage/docs/troubleshooting#https
HTTPS serving Issue: I want my content served through HTTPS.
Solution: While you can serve your content through HTTPS using direct
URIs such as https://storage.googleapis.com/my-bucket/my-object, when
hosting a static website using a CNAME redirect, Cloud Storage only
supports HTTP. To serve your content through a custom domain over SSL,
set up a load balancer, use a third-party Content Delivery Network
with Cloud Storage, or serve your static website content from Firebase
Hosting instead of Cloud Storage.
Pretty shocking in this day and age that with letsEncrypt everywhere they have not figured out how to do this.
An alternative would be to host your SPA on Firebase. All apps have SSL included by default even those with custom domains. They also have a CLI that makes it easy to deploy!
If you're not tied to Cloud Storage, another alternative to host your SPA directly on App Engine, using static files.
Follow this tutorial for something more compreensive.
If you still want your SPA to be stored in a Cloud Storage bucket, you can use this project to serve it through App Engine. You can host multiple websites with a single app, in fact.
Using App Engine either way, you'll get a free managed certificate, and a free monthly allowance.
For simplicity use FireBase, the command to update is ssh firebase deploy Iv done a few thousand html files in a matter of seconds.
I would also recommend the free service CloudFlare provides as well for an extra level of protection.
I have deployed my application on cloudbees, and was wondering how I can create a whitelist of allowed IPs which can access the application via browser requests or API requests.
Thanks
This is not possible on RUN#Cloud shared server pool.
Such IP restriction can be configured on "dedicated" servers as they provide more configuration option with isolated setup
You could write a filter (eg a servlet filter) which looks at the http://en.wikipedia.org/wiki/X-Forwarded-For header - this is the IP of the client - and filter it that way if you like.
(you have to use that header as the routing layer will provide it).