I was looking at https://material-ui-next.com who seem to be running on firebase hosting and use CloudFlare on top of it.
This raised a question. Do firebase hosting websites need additional layers for things like DDoS protection? As as I am aware, firebase provides SSL, CDN, DDoS and caching out of the box? When would one want to add CloudFlare on top of that?
UPDATE: I've moved from Firebase hosting to Netlify
While deploying our website (https://mfy.im) we ran into a similar debate. However, we decided to go with Firebase hosting without CloudFlare
The main reason is the performance:
Firebase hosting without CloudFlare: 732ms
Firebase hosting with CloudFlare: 1.2s
Using Firebase config json I was able to configure most of the things that I did earlier in CloudFlare.
However, if you're not much concerned about performance, I recommend to use Firebase with CloudFlare due to the following reasons:
Firebase provides some basic DDOS prevention, but no rate limiting. See: Rate Limiting on Firebase Hosting
Brotli compression - Firebase only provides gzip
Pricing - only 10GB bandwidth is free. After that, it's $0.15 per GB. If you enable CloudFlare on top of Firebase it will cover most of your bandwidth
To anyone looking to put Cloudflare or another CDN in front of Firebase - bear in mind that Firebase sees only one IP making a massive number of requests and may decide to block that IP. I'm not sure if this is something happening recently, but here's the (arrogant) response from Google Support on the matter:
The specialist we involved in the issue recommended us to escalate
this with one of the Firebase Engineers which we did.
The engineers mentioned us that CloudFlare integration is limited as
Firebase hosting already provides content through the Firebase CDN[1]
and adding a second CDN on top is discouraged as it can actually bring
down the site performance.
This causing a limitation preventing us to allow the cloudflare IPs.
Edit: If you're interested in doing this, Google have opened a "Feature request" here to whitelist / stop blocking CDN IPs:
https://issuetracker.google.com/issues/185590945?pli=1
Please star it if you would like it resolved faster.
We put Fastly in front of firebase. We put it in front of functions AND hosting.
We did this using rewriters to point to the functions, then we requested Fastly to do a force override to pull the hosting domain properly (we were getting site not found).
Using Fastly to pull data from Firebase is working very well. We get additional logging, control of WAF, etc.
We did not have to setup a custom domain in Firebase to achieve this, but we did have to allow Fastly to call with CORS settings.
Related
I have mobile app which heavily depends on apis response, I was using charles proxy and fiddler to see the api calls made by my app and I have noticed for one of get api call I am able to see full url with all request parameters(which is fine) and request headers(which include secure keys).
So using those info anyone can execute that api outside of mobile app. my app has millions of user and if someone run script to increase traffic it also increase load on server. so is there any way I can secure or hide those keys ?
I am able to think only one way of doing it is
encryption on both app and api side
is there any better way of doing it ?
You can implement certificate or public-key pinning in your app (for the leaf or the root-CA-certificate). This makes it harder for an attacker to use a proxy and intercept HTTPS traffic. However with XPosed and SSL-Unpinning module this will still work.
Also keep in mind that APK files can be decompiled easily, therefore you don't have to attack the network traffic.
Therefore the next step is to harden your app to make it resistent against manipulation via XPosed or Frida. Note that good harding frameworks cost a lot of money. Usually the protection offered is raising with the cost.
See also this related question.
I reading an article about reverse-proxies. Among the benefits listed are
Enable HTTPS support
Gzip responses
I am wondering if I should concern myself with these if I am leveraging Firebase Hosting? I wasn't able to find any information on these topic within their documentation. In short, do I need a reverse-proxy with Firebase hosting?
Firebase Hosting already uses HTTPS, and Gzips most responses.
Even if it didn't, there is no requirement to have HTTPS and/or Gzip. If you don't know whether you need them, you probably shouldn't spend time on adding them.
I'm planning to host a website for a class in school on Heroku. I've bought a custom domain to be used with it but I would rather not pay the extra cost for having that domain use an SSL certificate through Heroku. I hope to use Firebase database with it for its real-time capabilities and ease of use.
Is it possible to use Firebase with a website hosted on Heroku that is accessed using the non-SSL custom domain?
The Firebase Database can only be access through SSL. But a web app accessing the Firebase Database can run on non-secure HTTP.
You might want to consider using Firebase Hosting though, since that includes HTTPS hosting for free.
I am currently developing a web application to allow customers to place orders.
The way I have choosed to handle the application structure is to split the app in two sub-applications:
1 backend application (the API) that serves only json content
1 front end application (AngularJS in my case) that takes an API url as configuration and serves user content
Now on the server, what I have done for testing, is creating 2 virtual hosts:
app.com
api.app.com
and linked the API to the frontend app.
The problem is that everything will be served over https and, in the current setup, I will need to buy either 2 SSL certificates, or 1 wildcard certificate.
The second solution would be to create a subdirectory on the frontend app (let's say /api) and copy the backend app into it. The advantage would be to get only one single SSL certificate and have everything on the same directory; the /api would be an .htaccess redirect to the backend api.
I think that the "cleanest" solution would be to split the two apps completely and get a wildcard SSL certificate for both, but I'd like to hear if someone have some experience whether one solution is better than another.
The advantage of combining is that you will get to avoid CORS. CORS isn't that bad, but it's another complication. That being said, if you want to expose this to the outside world (allow other web pages to use it), you might want to go through that process anyway.
If you aren't looking to actually expose your API to third-parties, but just keep your layers separate, than I would either look at combining, or even proxying. I've used this architecture to put my services completely behind the firewall, and use mod_proxy or the like to serve my API through my web server. This is useful as it limits the exposure of your API, and solves CORS issues in one go.
If you really want to use SSL between your web server and your API server, you can do a self-generated client certificate between you web-server and your API server.
Is there any way to serve a static website (SPA actually) located on Google Cloud Storage via SSL, for that nice SSL address and icon for users to see?
Amazon allows this via CloudFront SNI.
Yes!
Using GCS directly via CNAME redirects only allows HTTP traffic.
To use HTTPS with your own domain, you'll need to set up Google Cloud Load Balancer, and optionally you'll want to set up Google Cloud CDN as well. While it adds a bit of complexity, Google Cloud Load Balancer allows you to fill a domain with all sorts of content. Some resources could be served by a GCS bucket, but you could also have servers in GCE serving dynamic content for other paths.
There are instructions for setting this up here: https://cloud.google.com/compute/docs/load-balancing/http/using-http-lb-with-cloud-storage.
An alternative would be to host your domain DNS server at CloudFlare. They give free HTTPS to HTTP service.
More Info:
https://www.cloudflare.com/ssl/
Adding HTTPS For Free With CloudFlare
As of April 2019: https://cloud.google.com/storage/docs/troubleshooting#https
HTTPS serving Issue: I want my content served through HTTPS.
Solution: While you can serve your content through HTTPS using direct
URIs such as https://storage.googleapis.com/my-bucket/my-object, when
hosting a static website using a CNAME redirect, Cloud Storage only
supports HTTP. To serve your content through a custom domain over SSL,
set up a load balancer, use a third-party Content Delivery Network
with Cloud Storage, or serve your static website content from Firebase
Hosting instead of Cloud Storage.
Pretty shocking in this day and age that with letsEncrypt everywhere they have not figured out how to do this.
An alternative would be to host your SPA on Firebase. All apps have SSL included by default even those with custom domains. They also have a CLI that makes it easy to deploy!
If you're not tied to Cloud Storage, another alternative to host your SPA directly on App Engine, using static files.
Follow this tutorial for something more compreensive.
If you still want your SPA to be stored in a Cloud Storage bucket, you can use this project to serve it through App Engine. You can host multiple websites with a single app, in fact.
Using App Engine either way, you'll get a free managed certificate, and a free monthly allowance.
For simplicity use FireBase, the command to update is ssh firebase deploy Iv done a few thousand html files in a matter of seconds.
I would also recommend the free service CloudFlare provides as well for an extra level of protection.