I have multiple one page apps (static sites) in buckets on google cloud storage.
Each app can access the information it needs from one API running on a google app engine.
I can serve the one page apps by pointing the CName of each domain to c.google.storage.com, but it doesn't serve it over HTTPS, just HTTP.
My question is:
1) why does google storage not serve contents of buckets via HTTPS if I use a custom domain?
2) How can I serve content on google cloud storage via HTTPS?
NOTE: From my basic understanding of google load balancers, I can serve the content of buckets via HTTPS if I point the domain to the load balancer, but then I would need a load balancer for each app. Those load balancers are too expensive. Is it possible to have one load balancer for all apps maybe?
You don't need a load balancer for each app. You can add multiple backends to a single load balancer and each backend can be connected to a separate storage bucket (that would be app specific). You can then add a hostname mapping on the load balancer per application, that will proxy requests to the correct backend bucket based on the Host-header in the request. You can also add path mapping to these rules if necessary.
You can achieve with only one HTTPS load balancer. create the LB and add each storage bucket as a backend bucket in the loadbalancer. Don't forget to create your bucket with the DNS name (e.g bucket1.mycompany.com, bucket2.mycompany.com etc). Add a wildcard A record in your DNS entry pointing to external IP of LB.
This maybe isn't the answer you are looking for, but I recommend Firebase Hosting (https://firebase.google.com/docs/hosting) to host single-page sites (React, Vue, etc) on GCP.
Related
We are going multi-region for our project and there is a need for us to use an Azure traffic manager to route traffic to each region. Our setup looks like below where our app gateway is exposed via a public IP which I used to configure on the Azure Traffic Manager.
My issue is when I hit the traffic manager URL it give me an SSL cert error, while if I hit the App gateway URL directly it works fine on HTTPS. Looking at the below error I know I need to configure the traffic manager certificate and my question is
Is this needs to be configured somewhere in the traffic manager? OR
DO we need to configure this in the application gateway and change the app gateway ingress in Kubernetes with and also use traffic manager certificate there?
• The traffic manager works at the DNS level, thus as the DNS records pointing to the traffic manager’s public URL aren’t setup correctly, you are getting this error when browsing the traffic manager’s URL. Also, when you are accessing the application gateway URLs independently, they are being accessed successfully as the URLs for the application gateways are hosted on the Azure DNS and independent public IPs are also allotted against their DNS records. Thus, appropriate DNS records to route the DNS access request for the traffic manager’s website need to be updated.
• Since you are using multi region setup in Azure with load balancing features, I am considering that your custom domain and its DNS records are setup in Azure itself. And the URLs for the application gateway are setup as separate endpoints in the form of subdomains in the custom DNS record setup itself. Thus, when you browse the application gateway URLs according to the custom domain URL setup, you can access the application page correctly. With respect to the traffic manager, you will need to create a CNAME record pointing from your custom domain to the ‘*.trafficmanager.net’ domain, while also creating a CNAME record pointing from your custom domain to your generic application gateway URLS.
• Once done, create A host records for each application gateway endpoint pointing to the public IP address assigned by Azure to them. After doing the above, your traffic manager URL should be able to route and redirect the application access requests correctly. For more information, please refer to the community discussion below which specifies the exact details relating to your problem: -
Azure Traffic Manager SSL Setup (not classic)
I've got small static JSON files sitting in an AWS S3 bucket that my (hybrid PhoneGap/Cordova) mobile app needs to read in (not write). I want to use Cloudflare between them. I know there are plenty of articles about static website hosting with this combination but I'm wondering if that's overkill for this? i.e. can I just connect Cloudflare to my S3 bucket without configuring all the static hosting stuff on S3, and if so how?
The JSON files are public and that's fine, I don't need to restrict access to just the app.
Thanks
You will need to configure static web hosting in S3 to achieve this since it will require an endpoint to forward traffic from Cloudfare.
For more details about the configurations, refer the article on Static Site Hosting with S3 and CloudFlare.
Let’s assume that I have a S3 hosted website. Aside from that I have an EC2 that would be to receive http requests from that website. Is there a way that I can set up a security group so that that EC2 can only receive http requests from that website? I know that if the website was hosted on another EC2 I could this vos the IP address or a load balancer, I’m just not sure how to go about it in the S3 website case.
When you launch a website on S3 you will have all Static front-end Contents being served (Just like having a pure HTML/CSS/Javascript website with no Webserver on your local Machine). Means all the calls, XHRs or embedded resource pointing to your EC2 instance are requests which are generated by visitors Browsers with Network Source of their IP with the Origin of "S3 or If you place a CloudFront on S3 it will be CloudFront as Origin in HTTP Headers) communicating with the Destination Target of EC2 (Where you have your WebServer serving on port 80or443). There is no SG that could be applied on the Bucket. However, S3 Buckets can be configured with a Policy to white-list certain IPs address to access Bucket Content and subsequently the Static Web content hosted on it. You can Also enforce CORS policy and have conditions to check Referees and Origins.
Putting aside the Bucket Level Policy, IP White listing, CORS and Condition Restrictions If you serve your Web S3 Bucket from a CloudFront Distribution you can apply GEOIP restriction Rules at the CloudFront level as well.
Just in case if say like you have an API server on EC2 which is going to be called by your CloudFront Domain you can Apply some access control at both CloudFront and EC2 Web level to enforce tightened CORS policies. I.e. Other Websites on the Internet can not Hijack your API service or do CSRF attacks(again as a Browser Level Protection Only).
I not sure if this is possible (it wasn't last year according to the internet), but i'm hoping its available now.
Is there any way of using google load balancer to force https connection only, ie. get the load balancer to redirect http requests?
I can do it at the backend server, but i would rather have this handled by the load balancer.
Thanks in advance,
Max
I think not. As far as I know, forcing HTTPS is not a managed feature of Google Cloud Load Balancer. It will not redirect HTTP to HTTPS for you. You can either drop the support of HTTP, or do the redirection in the backend. But it's would be a nice feature if they have.
See https://cloud.google.com/compute/docs/load-balancing/http/
Is there any way to serve a static website (SPA actually) located on Google Cloud Storage via SSL, for that nice SSL address and icon for users to see?
Amazon allows this via CloudFront SNI.
Yes!
Using GCS directly via CNAME redirects only allows HTTP traffic.
To use HTTPS with your own domain, you'll need to set up Google Cloud Load Balancer, and optionally you'll want to set up Google Cloud CDN as well. While it adds a bit of complexity, Google Cloud Load Balancer allows you to fill a domain with all sorts of content. Some resources could be served by a GCS bucket, but you could also have servers in GCE serving dynamic content for other paths.
There are instructions for setting this up here: https://cloud.google.com/compute/docs/load-balancing/http/using-http-lb-with-cloud-storage.
An alternative would be to host your domain DNS server at CloudFlare. They give free HTTPS to HTTP service.
More Info:
https://www.cloudflare.com/ssl/
Adding HTTPS For Free With CloudFlare
As of April 2019: https://cloud.google.com/storage/docs/troubleshooting#https
HTTPS serving Issue: I want my content served through HTTPS.
Solution: While you can serve your content through HTTPS using direct
URIs such as https://storage.googleapis.com/my-bucket/my-object, when
hosting a static website using a CNAME redirect, Cloud Storage only
supports HTTP. To serve your content through a custom domain over SSL,
set up a load balancer, use a third-party Content Delivery Network
with Cloud Storage, or serve your static website content from Firebase
Hosting instead of Cloud Storage.
Pretty shocking in this day and age that with letsEncrypt everywhere they have not figured out how to do this.
An alternative would be to host your SPA on Firebase. All apps have SSL included by default even those with custom domains. They also have a CLI that makes it easy to deploy!
If you're not tied to Cloud Storage, another alternative to host your SPA directly on App Engine, using static files.
Follow this tutorial for something more compreensive.
If you still want your SPA to be stored in a Cloud Storage bucket, you can use this project to serve it through App Engine. You can host multiple websites with a single app, in fact.
Using App Engine either way, you'll get a free managed certificate, and a free monthly allowance.
For simplicity use FireBase, the command to update is ssh firebase deploy Iv done a few thousand html files in a matter of seconds.
I would also recommend the free service CloudFlare provides as well for an extra level of protection.