google-app-engine


How to block AppEngine's _ah/start and _ah/stop routes from being visible to the outside world


I have _ah/start and _ah/stop routes in my 'Flexible' app. I understand the GAE containers will invoke those endpoints when the app comes up and when it is going down.
After I've deployed my app, I can hit them myself from the comfort of my couch. That makes no sense of course, as random strangers cannot be the arbiter of when app instances come up and go down. How do I configure AppEngine to block the publication of those two routes to the outside world? Or is it my job, in the implementation of those two routes, to check IP addresses or look for a header only GAE can send?
Based on this page:
https://cloud.google.com/appengine/docs/flexible/go/how-requests-are-handled
Headers that match X-Google-* or X-Appengine-* are removed when the request enters GCP. Appengine may then add headers that match those patterns, so if your handlers detect any such headers I think it is safe to assume the request comes from GAE and not some random client.
You can dump all headers you get and see whether there are any interesting ones, then from a public client try and send a request and set such a header with some value and see whether it is sanitized first and then set again by GAE. Any such header must be sanitized first or anyone would be able to send them to your app otherwise.
I would not rely on IP addresses.
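The header check suggested in this answer, written out as Go middleware (the question links the Go flexible-environment docs). This is an added example, not code from the question, the answer, or Google: it assumes, as the answer does, that App Engine strips inbound X-Google-* and X-Appengine-* headers and may re-add its own, so any such header that survives to the handler is taken as evidence the request originated inside the platform. The handler names, the `probe` helper and the "X-Google-Example" value used in `main` are constructed for illustration; they are not documented App Engine headers.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Lifecycle paths named in the question: App Engine calls these on instance start/stop.
var lifecyclePaths = map[string]bool{
	"/_ah/start": true,
	"/_ah/stop":  true,
}

// Header prefixes the linked doc says are removed from requests entering GCP.
// Assumption (from the answer): only the platform can add them back after sanitization.
var platformPrefixes = []string{"X-Appengine-", "X-Google-"}

// hasPlatformHeader reports whether any request header carries a platform prefix.
// Go canonicalizes header keys (e.g. "x-appengine-foo" -> "X-Appengine-Foo"),
// so a plain prefix match on the canonical form is case-insensitive in practice.
func hasPlatformHeader(h http.Header) bool {
	for name := range h {
		canon := http.CanonicalHeaderKey(name)
		for _, p := range platformPrefixes {
			if strings.HasPrefix(canon, p) {
				return true
			}
		}
	}
	return false
}

// guardLifecycle answers 404 for /_ah/start and /_ah/stop unless a platform header
// is present, so an outside client cannot distinguish the routes from absent ones.
// Every other path passes through untouched.
func guardLifecycle(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if lifecyclePaths[r.URL.Path] && !hasPlatformHeader(r.Header) {
			http.NotFound(w, r)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newApp wires hypothetical lifecycle handlers behind the guard.
func newApp() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/_ah/start", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "instance start hook ran") // placeholder warm-up work
	})
	mux.HandleFunc("/_ah/stop", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "instance stop hook ran") // placeholder shutdown work
	})
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "hello")
	})
	return guardLifecycle(mux)
}

// probe drives the handler in-process with an optional set of headers and
// returns the HTTP status, so the policy can be checked without deploying.
func probe(h http.Handler, path string, headers map[string]string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	app := newApp()
	// Outside client with no platform header: the route looks like it does not exist.
	fmt.Println("bare /_ah/start ->", probe(app, "/_ah/start", nil))
	// Constructed header standing in for one the platform would add (not a real GAE header).
	fmt.Println("platform-marked /_ah/stop ->",
		probe(app, "/_ah/stop", map[string]string{"X-Google-Example": "1"}))
	// Ordinary traffic is unaffected.
	fmt.Println("/ ->", probe(app, "/", nil))
	http.ListenAndServe(":8080", app)
}
```

The guard only holds if the platform really strips those prefixes before the request reaches the container, which is exactly what the answer recommends verifying by sending such a header from a public client and dumping what arrives. Returning 404 rather than 403 avoids confirming to a scanner that the lifecycle routes exist.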

So flex does not use the /_ah/* paths and therefore does not hide them. Sadly we have an inconsistency in our docs. It is correctly documented here https://cloud.google.com/appengine/docs/flexible/python/migrating but (at the moment) https://cloud.google.com/appengine/docs/flexible/custom-runtimes/build is incorrect. The documentation update is under review and should go public shortly.
Apologies for the confusion.