42

I have a Google App Engine project. On this project I have setup a custom domain and an SSL certificate. Therefore, I can use https://www.mysite.xxx, http://www.mysite.xxx and just the naked domain mysite.xxx.

Is it possible to permanently redirect the last two to always use the secure https:// domain using the developers console or do I just have to redirect in the code?

Sebastian Simon
  • 16,564
  • 7
  • 51
  • 69
Chez
  • 881
  • 1
  • 9
  • 20

7 Answers7

35

So you can add "secure: always" to your yaml file

https://cloud.google.com/appengine/docs/python/config/appconfig?hl=en#Python_app_yaml_Secure_URLs

Tom
  • 1,503
  • 11
  • 12
  • 2
    I've read the documentation, but have had no luck. See below for my app.yaml. Do you see anything wrong with it? runtime: nodejs env: flex handlers: - url: /.* script: /public/index.js secure: always – kashiB Jun 17 '18 at 21:18
  • 2
    For java - you can refer following URL - https://cloud.google.com/appengine/docs/standard/java/config/webxml#Security_and_Authentication – Aadhaar Mehrotra Sep 14 '18 at 11:54
  • 1
    I've tried and it doesn't work. According to this post https://groups.google.com/forum/#!topic/google-appengine/mVRvsySeef8 the redirect process should be done in your application, not in yaml. – Daniel Carpio Contreras Feb 28 '19 at 16:18
  • 2
    The answer above is correct for AppEngine standard. On Flex you must take a different approach. – Tom Mar 01 '19 at 00:05
23

(For Node at least,) in your app.yaml, add the following:

handlers:
- url: /.*
  secure: always
  redirect_http_response_code: 301
  script: auto

Reference: https://cloud.google.com/appengine/docs/standard/nodejs/config/appref

Dave Welling
  • 1,520
  • 1
  • 15
  • 13
12

For the sake of completeness. The Java way is to set the transport guarantee to confidential like this.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>profile</web-resource-name>
    <url-pattern>/profile/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

You can also find this here in the documentation.

konqi
  • 4,992
  • 3
  • 32
  • 51
6

Just in case, it is not possible to include secure handlers in app.yaml on App Engine Flexible, there isn't support for them:

The secure setting under handlers is now deprecated for the App Engine flexible environment. If you need SSL redirection, you can update your application code and use the X-Forwarded-Proto header to redirect http traffic. (Reference: https://cloud.google.com/appengine/docs/flexible/java/upgrading#appyaml_changes)

The reference is from Java, but it seems to be the same for Node. I've tried to include handlers and it didn't work.

As you can see, a possible solution would be to "use X-Forwarded-Proto header to redirect http traffic". I haven't tried this because I will move to App Engine Standard, but someone has done it and explained here.

Ruben Lopez
  • 684
  • 7
  • 18
1

It should be done in your application. Please check this post https://stackoverflow.com/a/54289378/5293578

I've tried the following code and it worked for me (You must put this before the default request and error handler):

/**==== File: server.js =======**/

/** Express configuration **/

// HTTPS Redirection
if (process.env.NODE_ENV === 'production') {
  app.use (function (req, res, next) {
    var schema = (req.headers['x-forwarded-proto'] || '').toLowerCase();
    if (schema === 'https') {
      next();
    } else {
      res.redirect('https://' + req.headers.host + req.url);
    }
  });
}

/** ... more configuration **/

// Default request handler
app.use(function(req, res, next) {
  // ... your code
});

// Default error handler
app.use(function(err, req, res, next) {
  // ... your code
});
Daniel Carpio Contreras
  • 844
  • 9
  • 14
  • 1
    Only if you're un flexible environment, accepted answer is better for the standard env. Even on flexible things *might* change, see comments on https://stackoverflow.com/a/54833147/4495081 – Dan Cornilescu Feb 28 '19 at 16:53
1

In case your domain is purchased or transferred to Google Domain then you could do it in G-Suite under the Synthetic records section:

screencapture-domains-google-redirect-registrar-chetabahana-com-dns-2019-05-27-21_19_24

eQ19
  • 9,002
  • 3
  • 58
  • 73
0

It worked for me after I added secure always on every handler in app.yml. My node server deployed on GCP serves angular for client-side and express API so in order for the angular route to work I had to add 'api' on API endpoints, so here is how it worked

runtime: nodejs14
handlers:
- url: /(.*\.(gif|png|jpg|JPG|css|js|ttf|map)(|\.map))$
  static_files: public/dist/\1
  upload: public/dist/(.*)(|\.map)
  secure: always
  redirect_http_response_code: 301
- url: /api/.*  
  secure: always
  script: auto
  redirect_http_response_code: 301

- url: /(.*)
  static_files: public/dist/index.html
  upload: public/dist/index.html
  secure: always
  redirect_http_response_code: 301

- url: /.*
  secure: always
  script: auto
  redirect_http_response_code: 301
Eyayu Tefera
  • 623
  • 7
  • 7