GCP App Engine Firewall Rules Failing For Custom Domain

My goal is to limit access to my App Engine Service to my home office IP. I have configured the App Engine Firewall with allow rules for both my IPv4 and IPv6 addresses, and set the default rule to deny.

This works when browsing my application using the unique appspot.com address assigned to my app. But attempting to access my application using the custom domain I have configured for App Engine results in a 403.

I have further verified that the rules are working as intended on the appspot.com domain. Anything that isn't in my allow list is getting the 403 as intended.

This tells me that my rules are "working," but I am unable to find any reference as to why this would not influence access to my application through the configured custom domain.

Note: when the default rule is set to allow, my application does work using the custom domain, so I am certain that configuration is sound.

Are custom domains simply beyond the scope of App Engine's Firewall? I was hoping to avoid digging into the VPC configuration for now.

Firewall Rules (screenshot)

Custom Domain Config (screenshot)

Edit: Log shows my IPv6 IP address as the requesting IP when tailing the log:

{
  "entries": [
    {
      "insertId": "dlpqxpfa090t8",
      "jsonPayload": {
        "appLatencySeconds": "0.011",
        "trace": "b7f63eb3d2fb4c52480253c224821a23",
        "latencySeconds": "0.011"
      },
      "httpRequest": {
        "requestMethod": "GET",
        "requestUrl": "/users/kind/add",
        "status": 200,
        "responseSize": "4810",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36",
        "remoteIp": "2600:****:****:****:****:****:****:9936",
        "referer": "https://f******s.e******t.com/users",
        "latency": "0.011s",
        "protocol": "HTTP/1.1"
      },
      "resource": {
        "type": "gae_app",
        "labels": {
          "zone": "",
          "project_id": "f*******s",
          "version_id": "20220801t212517",
          "module_id": "default"
        }
      },
      "timestamp": "2022-08-09T22:11:33.869Z",
      "labels": {
        "appengine.googleapis.com/trace_id": "b*****************a23",
        "appengine.googleapis.com/instance_name": "aef-default-2*********7-770v",
        "compute.googleapis.com/resource_name": "0**********3",
        "compute.googleapis.com/resource_id": "21*********29",
        "compute.googleapis.com/zone": "********"
      },
      "logName": "projects/f********s/logs/appengine.googleapis.com%2Fnginx.request",
      "trace": "projects/f*********s/traces/b7f63eb3d2fb4c52480253c224821a23",
      "receiveTimestamp": "2022-08-09T22:11:38.104875464Z"
    }
  ]
}

Edit 2: As suggested in the comments, I tried hitting a URL w/ curl. Below is the result:

Microsoft Windows [Version 10.0.22000.856]
(c) Microsoft Corporation. All rights reserved.

C:\Users\shawn>curl
curl: try 'curl --help' for more information

C:\Users\shawn>curl https://f*****s.e*******t.com/index

<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>403 Forbidden</title>
</head>
<body text=#000000 bgcolor=#ffffff>
<h1>Error: Forbidden</h1>
<h2>Access is forbidden.</h2>
<h2></h2>
<script defer src="https://static.cloudflareinsights.com/beacon.min.js/v652eace1692a40cfa3763df669d7439c1639079717194" integrity="sha512-Gi7xpJR8tSkrpF7aordPZQlW2DLtzUlZcumS8dMQjwDHEnw9I7ZLyiOj/6tZStRBGtGgN6ceN6cMH8z7etPGlw==" data-cf-beacon='{"rayId":"738c818088a17d62","version":"2022.6.0","r":1,"token":"c070c2d4c5ad48d18815371af21d9e80","si":100}' crossorigin="anonymous"></script>
</body></html>

C:\Users\shawn>

NOTE: I thought I was on to something with IPv6 being the culprit, but I've since disabled IPv6 completely and https://whatismyipaddress.com/ is showing that I'm not broadcasting an IPv6 address any longer. Still no dice.

Cloudflare Proxied CNAME strikes again. Turning off this feature in Cloudflare for the CNAME pointing at ghs.googlehosted.com resolved the issue after about 5 minutes.
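As an added illustration (not code from the question or from Google) of why a proxied CNAME defeats source-IP allow rules: App Engine's firewall evaluates rules in priority order against the address the connection arrives from, which behind a proxying CDN is the edge node's address rather than the home office address. The rule ranges, the edge address and the two log entries below are constructed placeholders in the shape of the nginx.request entry shown above.

```python
import ipaddress
import json

# Constructed rules modelled on the question's setup: allow the home office
# IPv4 and IPv6 addresses (placeholder ranges), everything else hits the default.
FIREWALL_RULES = [
    {"priority": 1000, "action": "ALLOW", "source_range": "203.0.113.25/32"},
    {"priority": 1010, "action": "ALLOW", "source_range": "2001:db8:1234::/64"},
]
DEFAULT_ACTION = "DENY"


def evaluate(remote_ip, rules=FIREWALL_RULES, default=DEFAULT_ACTION):
    """Return the action the firewall takes for remote_ip.

    Rules are checked in ascending priority; the first matching range wins,
    otherwise the default rule applies (deny in the question's configuration).
    """
    ip = ipaddress.ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        net = ipaddress.ip_network(rule["source_range"], strict=False)
        if ip.version == net.version and ip in net:
            return rule["action"]
    return default


def check_log_entry(entry_json, rules=FIREWALL_RULES):
    """Read the remoteIp from an App Engine request log entry and report
    (remote_ip, action) so an operator can see what address the firewall saw."""
    entry = json.loads(entry_json)
    remote_ip = entry["httpRequest"]["remoteIp"]
    return remote_ip, evaluate(remote_ip, rules)


# Constructed entry 1: direct request via appspot.com, remoteIp is the home IPv6.
DIRECT_ENTRY = json.dumps({
    "httpRequest": {"requestUrl": "/users/kind/add", "status": 200,
                    "remoteIp": "2001:db8:1234::9936"},
    "resource": {"type": "gae_app"},
})

# Constructed entry 2: same request through a proxying CDN; the firewall only
# sees the edge node's (placeholder) address, so the default deny applies.
PROXIED_ENTRY = json.dumps({
    "httpRequest": {"requestUrl": "/index", "status": 403,
                    "remoteIp": "198.51.100.7"},
    "resource": {"type": "gae_app"},
})

if __name__ == "__main__":
    for name, entry in (("direct", DIRECT_ENTRY), ("proxied", PROXIED_ENTRY)):
        print(name, check_log_entry(entry))
```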
