Google Cloud Load Balancer redirect HTTP to HTTPS

[Navjot Singh]

Hello,

I am using a Google Cloud Storage Bucket, with the title of my site as the bucket name.

I have setup the Google Cloud Load Balancer + Google Cloud CDN.  That serves traffic over HTTPS.

I am wondering, how do i redirect all HTTP traffic to HTTPS.

Example: 

http://examle.com = > https://example.com

http://www.examle.com = > https://www.example.com

The https://example.com, https://www.example.com both work just fine, however, I just need the http redirect, which does not work.

Any help would be greatly appreciated! 

[Jordan (Cloud Platform Support)]

Redirects should occur on your backend configuration. Your Google Cloud Load Balancer will provide you with a 'X-Forwarded-Proto' header equal to a value of 'http' or 'https'. You would then configure you backend's '.htacces' file to redirect to HTTPS if the header is equal to 'http' like so:

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule . https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]

- Note that if you are just hosting your site on Google Cloud Storage than you will not have a '.htaccess' file, since Cloud Storage is only able to server static websites and not dynamic (aka it cannot execute any code). It is instead recommended to deploy an actual backend webserver to serve your website, such as a LAMP server on Compute Engine. 

[Jon Ronnenberg]

@Jordan. That completely defeats the purpose of running the JAM stack!  https://jamstack.org/

The main idea is to write your application in client-side technologies, use service APIs instead of writing your own server code and host it on a global CDN network. Google is in a very good position for this but not having the ability to forward HTTP to HTTPS (or other redirects) is a foot gun!

I guess it's only Microsoft Azure and AWS that are in the game for the moment. Too bad google.. oh wait.. I just saw firebase https://firebase.google.com/docs/hosting/...

Damn, an entire day of work lost to useless Google documentation. Great way to onboard a new developer to your cloud solution!

https://cloud.google.com/storage/docs/hosting-static-website

[John Balvin]

It would be great to have this funtionality

[edgaral...@google.com]

@Jon, yes the documentation can sometimes be hard to follow. The information you provided is although already in our documentation, albeit you would have to track it down in a few clicks.

1) https://cloud.google.com/storage/docs/hosting-static-website

2) Read the Caution notice about HTTP/HTTPS, which brings you here:

https://cloud.google.com/storage/docs/troubleshooting#https

3) Follow the link to the troubleshooting which would direct you to how to serve HTTPS, which provide the solution of using Firebase hosting:

https://firebase.google.com/docs/hosting/

Let us know how we can make improvements to our documentation regarding the above documentation, any feedback will be redirected to the appropriate team to review.

@John, Can you confirm exactly what would be required as a functionality? Are you referencing to the redirection of HTTP to HTTPS when hosting a static website hosted in Google Cloud Storage __without the need of using a Load Balancer and a CDN__?

[John Balvin]

Any request to HTTTP to be redirect to HTTPS, only for get methods of course, I know it can be done on the server code but it's anoying, at least doing for kubernetes engine 

[Jon Ronnenberg]

@edgaral... Thank you for the followup.

I'm evaluating GCloud while doing my friend a favour and building a website for his bar.

This is a very small project but serve the purpose of evaluating the state of GCloud when it comes to the JAM stack.

So far it's been uphill, with rudimentary functions missing and even if firebase is meant to fill this gap, it's comes with technology trade offs

that are not acceptable in a commercial of high profile project. I will continue to investigate work-arounds but as this is a side-project,

that I do in my spare time, I will not be able to respond on a day to day bases - more likely it will be weekly.

Currently my main obstacle has been redirects (301, 307, 308).

I'm not the only one with this issue, Server Fault, medium.com, blog.realkinetic.com, etc.

Rather than setting up entire VM just to do redirects, I will look into using Functions at a later stage when I have got everything else to play nicely.

Even though it's goes against the principles of serverless applications.

But really, a load-balancer is a HTTP server that route connections to the appropriate backend.

Currently GCloud load-balancer can do the following:

• Negotiate HTTPS for one domain on port 443, both for IPv4 and IPv6.
• Route connections for any domain to different backends depending on path
• Automatically deploy backend content to gcloud CDN (at least when using a Cloud Storage bucket).

It seems like an obvious omission that it can not do:

• Respond with 301 from HTTP to HTTPS.
• Respond with 307 or 308 from one to domain to another.

This is simple configuration options in NGINX, Apache and IIS. Why is gcloud load-balancer so handicapped? 

Creating certificates was a mystery without firebase but finally certbot-dns-google solved it.

Firebase issues involves redirects being sub optimal. E.g. http://skovbaren.dk -> https://skovbaren.dk/ -> https://www.skovbar.dk/

Firebase also doesn't support IPv6 - which isn't a big deal, just odd.

Firebase requires a client-side library in an app. This both adds to the page load, the complexity of the app, and probably needs to be updated from time to time, which means re-deployment and invalidating caches for something I do not use. I understand the reason to make all extra functionality easy to use/consume but in this case and in an enterprise app, I would not want it at all. Unfortunately it's also a security risk.

Firebase requires the firebase token to be in the client-side javascript code. I can't really assess if this is a security issue but I guess if I'm not careful with my firebase settings - it can be! All I can say for sure is, It's easily retrievable by anyone with a web browser.

CDN cache invalidation - the index.html page is updated before javascript assets - I currently deploy via gitlab CD.

Deploying:

  stage: deploy

  only:

    - master

  script:

  - yarn run generate

  - yarn add firebase-tools

  - echo "Show files to deploy:"

  - ls -al dist/

  - ls -al dist/_nuxt/

  - npx firebase deploy --token $FIREBASE_TOKEN

I currently run everything in firebase and then reverse engineer the settings made in GCloud. Fortunately this is possible and not a black box.

GCloud administration tools are powerful but has yet to catch up with Microsoft Azure - I'm not using AWS voluntarily ever, since their default HTTP buckets HTTP headers are broken - chromium bug 809891

Thats all for now - thank you for listening.

PS. I hope all of the links survives the trip to various google groups readers. If not, let me know and I'll post them in the clear.

[Jon Ronnenberg]

Errata:

Currently GCloud load-balancer can do the following:

• Negotiate HTTPS for one domain on port 443, both for IPv4 and IPv6.

Should have been:

Currently GCloud load-balancer can do the following:

• Negotiate HTTPS for any domain on port 443, both for IPv4 and IPv6.

Domains are handled via Cloud DNS. DNS by nature can not do redirects but can easily point several domains to the same IP address.

Which in this instance is the same load-balancer, with two IPs (IPv4 and IPv6). That the load-balancer can not redirect based on hosts is a

huge oversight.

[Jon Ronnenberg]

I would like to amend a curious observation that I made.

When configuring gcloud DNS, if you only set an A/AAAA record to point to a subdomain and doesn't set up the apex domain, then naked domain requests will magically redirect to the subdomain. E.g. only setup www and then request for skovbar.dk -> www.skovbar.dk.

I forget if I was pointing to a public gcloud storage bucket or the load-balancer at this time (it was early on in my experimentation).

[Fady (Google Cloud Platform)]

Hello Jon,

Thank you for all the input. It is indeed valuable for us and the community. On that front, and for suggestions to improve our products, please do not hesitate to create feature requests per this guide, and we will be happy to forward it to the appropriate team. As for the redirect issue, I believe there is already this report (feature request) that you can up-vote (click Me too).

[Jon Ronnenberg]

Thanks Fady. I think you meant that I should star the issue as there is no "Me too".

> click the star next to the issue id and right above the "x people have starred this issue." if you are also interested in this feature.