Google AppEngine - Firewall Notification:Your access has been blocked by firewall policy 732


Deepak Kumar

Jul 28, 2015, 3:16:50 PM
to Google App Engine

I am trying to fetch an HTTP URL in my app. It works fine on my local server (dev env), but when I deploy this on Google AppEngine it shows the Firewall Notification below:


"Firewall Notification - Your access has been blocked by firewall policy 732. If you have any further concerns, please contact your network administrator for more information."


I am not getting even a single clue... Can anyone help me out?

Patrice (Cloud Platform Support)

Jul 28, 2015, 5:59:12 PM
to Google App Engine, deepak...@gmail.com, deepak...@gmail.com
Hi Deepak,

Two quick things here:

1- Normally such questions for 1-1 help are better suited for Stack Overflow, where we monitor and indeed do try to answer your question (I noticed you posted your question on stack as well as here. As you see, Nick is currently helping you on Stack. This is the same Nick who's helping people on this forum, so no need to cross post :) )

2- Your question in itself is not very clear. Is the problem happening:

      - As you try to deploy?
      - When one deployed app accesses another app?
      - When one deployed app accesses a specific URL?
      - When one deployed app accesses ANY URL?

Also, including a bit of code as to how exactly you do your URLfetch would be helpful.

If you could edit this into your Stack Overflow question (using the edit link next to it), I'm sure Nick will be happy to look further into your issue.

Cheers!

Deepak Kumar

Jul 29, 2015, 10:50:39 AM
to Google App Engine, deepak...@gmail.com
Hi Patrice,

Thanks for your quick response.

I posted this on Stack Overflow as well ( http://stackoverflow.com/questions/31685166/google-appengine-firewall-notificationyour-access-has-been-blocked-by-firewal ) but they have marked this 'On Hold', and that's why I posted this here.

Further, just for clarification:
In my web app, I am trying to fetch a URL (outside the Google Cloud network, let's say hosted on AWS or GoDaddy), and if I print that URL response, I get this warning message. And this is coming for every URL access.

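import java.io.InputStream;
import java.io.OutputStreamWriter;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;

// urlString, dataToBePost and REQUEST_TIME_OUT are defined elsewhere in the app
URL url = new URL(urlString);
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
conn.setConnectTimeout(REQUEST_TIME_OUT);
conn.setReadTimeout(REQUEST_TIME_OUT);
conn.setDoOutput(true); // sends the request as a POST with a body
// Content-Length counts bytes, not characters
int length = dataToBePost.getBytes(StandardCharsets.UTF_8).length;
conn.setRequestProperty("Content-Length", String.valueOf(length));
OutputStreamWriter wr = new OutputStreamWriter(conn.getOutputStream(), StandardCharsets.UTF_8);
wr.write(dataToBePost);
wr.flush();
wr.close();
InputStream inStream = conn.getInputStream();
//using inStream now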

Patrice (Cloud Platform Support)

Jul 29, 2015, 11:50:06 AM
to Google App Engine, deepak...@gmail.com, deepak...@gmail.com
Hi again Deepak,

Indeed, this got put on hold because, while we do refer people to Stack Overflow, Stack has its own set of rules for questions, and your question is "on hold" because it's not clear reading it that your issue is code related. Reading your question, it's unclear where your issue arises and what causes it. Honestly looking into it I'd just say "ask your network admin to check your firewall", because with the info you gave, the issue seems to be there. This makes it off-topic for stack indeed. Including more information will get it reopened, provided that the added information follows Stack's "how to ask a good question" article.

But again, even if you add code, this is still a bit unclear, as it's still not indicated what fails to access what. Is it your dev_server that cannot access one URL, all URLs, or is it that once you deploy, your app cannot access some URLs, or other appspots, or even your devserver?

I would suggest you edit your question extensively on Stack, including the code you've just given, and a clearer problem statement. At that point the question will be sent to the "reopen" queue, where members can vote to have it reopened for answers.

Cheers!

Deepak Kumar

Jul 29, 2015, 12:19:32 PM
to Google App Engine, deepak...@gmail.com
Hi Patrice,

Just for more clarification: let's say I have an appspot app deployed at http://google.appspot.com. This app internally fetches http://google.com and performs some operation, like building and returning a JSON response out of the http://google.com URL fetch response.

Now, when I access http://google.appspot.com, it should return a JSON response (because it gets the result from http://google.com and prepares the JSON), but while fetching http://google.appspot.com from the browser I get this warning.

And if I change http://google.com to some other URL, then it's also not working.

1. I access http://google.appspot.com from my browser
2. http://google.appspot.com accesses http://google.com (here is the problem)


These URLs are for example purposes only. I hope this makes the question clear now :)

Patrice (Cloud Platform Support)

Jul 30, 2015, 11:15:46 AM
to Google App Engine, deepak...@gmail.com, deepak...@gmail.com
Hi Deepak

Then the problem is that you cannot hit the "[project].appspot.com", not anything else. If you're deploying on App Engine, there is no reason the system throws out a URL fetch from the domain.

I'd really ask your network administrator about the firewall you have up, because I believe you may have a restriction on Appspot.

In the meantime, without the precise urls, it all looks fine. I'd really say that the problem is on your firewall on your machine (or, possibly, on the external URL you're trying to hit). Without more info this is about as far as I can go without making assumptions. You would need to find where that error comes from. Can you hit the appspot, or is the firewall exception thrown to the URLFetch? You'll need to dive into your logs and look around to figure out which part throws the exception and then that'll help know where the firewall is set, and from there you can look into changing your configs.

Cheers!

Deepak Kumar

Jul 31, 2015, 12:54:01 AM
to Google App Engine, deepak...@gmail.com
Hi Patrice,

It looks like the question is still not clear. I can hit [project].appspot.com.

As per my last example,
1. I access http://google.appspot.com from my browser
2. http://google.appspot.com internally accesses http://google.com
The Google AppEngine app cannot hit http://google.com.


Or in other words, I access the appspot app and this appspot app accesses some other HTTP URL.
I am able to access the appspot.com app, but the appspot.com app is not able to access the other URL which I am trying to access inside my app.


It looks like AppEngine has some firewall which is blocking the connection to http://google.com.

Josh Moore

Jul 31, 2015, 11:15:36 AM
to google-a...@googlegroups.com, deepak...@gmail.com
Are you connecting using Sockets?  Sockets have restrictions on what they can access. See https://cloud.google.com/appengine/docs/java/sockets/

Paraphrased:

Private, broadcast, multicast, and Google IP ranges are blocked, except those whitelisted below:

  • Google Public DNS: 8.8.8.8, 8.8.4.4, 2001:4860:4860::8888, 2001:4860:4860::8844 port 53
  • Gmail SMTPS: smtp.gmail.com port 465 and 587
  • Gmail POP3S: pop.gmail.com port 995
  • Gmail IMAPS: imap.gmail.com port 993

tl;dr: Sockets-based connections cannot hit google.com from App Engine, with some exceptions.

--

Josh Moore | Cloud Solutions Engineer | josh...@google.com | 

Patrice (Cloud Platform Support)

Jul 31, 2015, 12:54:36 PM
to Google App Engine, deepak...@gmail.com, josh...@google.com
Hi Deepak,

As Josh just pointed out, Sockets are the only service we provide with such a restriction. So are you using them, by any chance?

Cheers


Deepak Kumar

Jul 31, 2015, 12:58:53 PM
to Google App Engine, deepak...@gmail.com
Hi,

Thanks for your reply.

But I am not using sockets. I am just doing an HTTP URI fetch (that too, only HTTP, not HTTPS) in my appspot app.

Patrice (Cloud Platform Support)

Jul 31, 2015, 1:03:35 PM
to Google App Engine, deepak...@gmail.com
Hi Deepak,

So let's just recapitulate to make sure we have everything:

Not using sockets, you're getting a firewall exception when your Appspot tries to hit ANY other URL? Or specific ones? I could understand specific ones being blocked, but if appspot currently blocked every outwards request, other customers would be reporting the same thing.

If it's a specific URL, could you let us know which so we can try to realize what is happening? And can you be 100% sure that the appspot is hit? Do you have a basic handler you can provide so we can look into it and make sure THAT handler returns?

Cheers

Deepak Kumar

Jul 31, 2015, 1:08:34 PM
to Google App Engine, deepak...@gmail.com
Yes, I tried some other URLs as well; not all the URLs are blocked. For example, one of the blocked URLs is http://www.indianrail.gov.in

Patrice (Cloud Platform Support)

Jul 31, 2015, 3:31:12 PM
to Google App Engine, deepak...@gmail.com
Hi again Deepak,

Then the problem might be the URLs themselves. If you can hit some but not others, it might be because of a block of certain IPs or domains from App Engine.

Having a list of the URLs that are being blocked would be helpful so we can look into what's happening.  If traffic is blocked from the platform, there is usually a reason. Having the precise URLs you're trying to hit would help.

Cheers!
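
An added example, not part of the original thread and not App Engine's own code: one way to find out which hop produces the firewall message, as suggested in the replies above, is to record the HTTP status, the Server header and the start of the body of the outbound fetch, including for error responses. The class name, the `probe` and `readUpTo` helpers, the 403 status and the local stand-in server are assumptions made for illustration; it runs locally on Java 8 or later.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.nio.charset.StandardCharsets;

public class OutboundFetchProbe {
    // Reports status, Server header and start of body, including for 4xx/5xx answers.
    static String probe(String urlString, int timeoutMs) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(urlString).openConnection();
            conn.setConnectTimeout(timeoutMs);
            conn.setReadTimeout(timeoutMs);
            int status = conn.getResponseCode();
            // getInputStream() throws on 4xx/5xx; a block page is then on the error stream.
            InputStream in = status >= 400 ? conn.getErrorStream() : conn.getInputStream();
            String body = in == null ? "" : readUpTo(in, 200);
            return "status=" + status + " server=" + conn.getHeaderField("Server")
                    + " body=" + body.replaceAll("\\s+", " ");
        } catch (IOException e) {
            // No HTTP response at all: DNS failure, refused connection or timeout.
            return "no-response " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }
    static String readUpTo(InputStream in, int max) throws IOException {
        byte[] buf = new byte[max];
        int total = 0, n;
        while (total < max && (n = in.read(buf, total, max - total)) > 0) total += n;
        return new String(buf, 0, total, StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws IOException {
        // Constructed stand-in for a destination whose own firewall answers with a block page.
        byte[] page = "Firewall Notification - Your access has been blocked by firewall policy 732."
                .getBytes(StandardCharsets.UTF_8);
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", exchange -> {
            exchange.sendResponseHeaders(403, page.length);
            exchange.getResponseBody().write(page);
            exchange.close();
        });
        server.start();
        String url = "http://127.0.0.1:" + server.getAddress().getPort() + "/";
        System.out.println(probe(url, 5000)); // HTTP answer carrying the block page
        server.stop(0);
        System.out.println(probe(url, 5000)); // nothing listening: no HTTP answer at all
    }
}
```

A `status=` line containing the notification text means some device on the path returned a real HTTP response, while a `no-response` line means the connection never completed.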