Whitelist push notification


Jean Baudin

Jan 22, 2018, 11:27:52 AM
to Google Cloud Pub/Sub Discussions
Hi,

I am currently trying to deploy an HTTP server for receiving Pubsub notifications.

Currently, I cannot whitelist the DNS for the incoming messages. Is there somewhere a source range I could use?

My application runs in GKE. It's being deployed behind ingress Nginx. I want to set the whitelist using the annotation "whitelist-source-range".

Otherwise, if it's not possible, what is the status for receiving push notification from Pubsub using gRPC?

Thanks in advance,

Jean.

Kir Titievsky

Jan 22, 2018, 12:32:27 PM
to Jean Baudin, Google Cloud Pub/Sub Discussions
Hi, Jean,

You can't rely on source IP addresses to filter Pub/Sub push traffic. gRPC streamingPull works very well for consuming messages. Please see the pull guide to get started.

Kir

--

Kir Titievsky | Product Manager | Google Cloud Pub/Sub

Jean Baudin

Jan 22, 2018, 1:51:16 PM
to Kir Titievsky, Google Cloud Pub/Sub Discussions
Hi Kir,

The design of my applications requires the push from Pubsub.

From what I noticed, the requests are coming from sub-domains of appspot.com

Wouldn’t it be possible to whitelist the main domain? Or are the DNS always different?
--
Jean Baudin

Front-end developer

Travix International B.V.
Piet Heinkade 55

1019 GM Amsterdam

The Netherlands

Kir Titievsky

Jan 22, 2018, 4:23:51 PM
to Jean Baudin, Google Cloud Pub/Sub Discussions
Jean, we make no guarantees about the source IP addresses so this would not be a solid solution.  You have a couple options for limiting ace
- Rotate the push URL regularly. Here you would set up a forwarding rule or a new version of your push-processing server, update your Pub/Sub subscription push URL. Delete or de-activate the old URL.  These operations are done securely using the Google Admin APIs and are free (nominally). 
- Have an access token you securely pass to the push server regularly and check for that token in your push-processing server.  

Would either of these options work for you?


--

Kir Titievsky | Product Manager | Google Cloud Pub/Sub
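
One way to implement the second option from the reply above, checking a token in the push-processing server, with an overlap window so the token can be rotated together with the push URL. This is an added example, not code from the thread or from Google; carrying the token as a `token` query parameter on the push URL, the token values and the function names are assumptions.

```python
import base64
import hmac
import json
from urllib.parse import parse_qs, urlsplit

# Constructed tokens: the current one plus the previous one, kept valid only
# while the subscription's push URL is being switched over during rotation.
ACCEPTED_TOKENS = ("constructed-token-2018-02", "constructed-token-2018-01")


def token_is_valid(request_target, accepted=ACCEPTED_TOKENS):
    """Check the ?token= parameter of the push URL in constant time."""
    values = parse_qs(urlsplit(request_target).query).get("token", [])
    if len(values) != 1:          # missing or repeated parameter
        return False
    presented = values[0].encode()
    # Compare against every accepted token without short-circuiting.
    results = [hmac.compare_digest(presented, t.encode()) for t in accepted]
    return any(results)


def handle_push(request_target, body, accepted=ACCEPTED_TOKENS):
    """Return (HTTP status, decoded payload or None) for one push request."""
    if not token_is_valid(request_target, accepted):
        return 403, None          # reject before parsing untrusted JSON
    try:
        envelope = json.loads(body)
        data = base64.b64decode(envelope["message"]["data"], validate=True)
    except (ValueError, KeyError, TypeError):
        return 400, None
    return 204, data              # a success status acknowledges the message


def sample_body(payload=b"hello"):
    """Constructed push envelope in the shape Pub/Sub posts to an endpoint."""
    return json.dumps({
        "message": {"data": base64.b64encode(payload).decode(), "messageId": "1"},
        "subscription": "projects/example-project/subscriptions/example-sub",
    }).encode()


if __name__ == "__main__":
    print(handle_push("/push?token=constructed-token-2018-02", sample_body()))
    print(handle_push("/push?token=guess", sample_body()))
```

Once the subscription's push URL carries the new token, drop the old one from the accepted list so the previous URL stops working.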
