HTTPS Support for appspot.com


Marzia Niccolai

Oct 16, 2008, 6:03:12 PM
to google-a...@googlegroups.com
One of the most frequently requested features for App Engine has been HTTPS serving capabilities.  Today we're excited to announce that App Engine now supports incoming HTTPS connections using a certificate valid for all appspot.com URLs.  Here's how it works:

* app.yaml files now support a new handler attribute, called "secure":

- url: /accounts/.*
  script: admin.py
  login: admin
  secure: always

* This attribute can be either "always", "optional", or "never" (default), and determines the behavior of the handler for HTTP and HTTPS requests.  See our documentation for more details: http://code.google.com/appengine/docs/configuringanapp.html#Secure_URLs

* HTTPS requests have their own bandwidth quotas, but also count toward your total bandwidth quotas.  You can monitor these quotas on your dashboard.

You may be wondering why we're only supporting appspot.com right now, and not arbitrary Google Apps domains.  This has to do with fundamental limitations in the SSL protocol (see: http://en.wikipedia.org/wiki/Https#Limitations).  We're currently investigating workarounds for this using e.g. SNI (http://en.wikipedia.org/wiki/Server_Name_Indication), which provides a viable solution for newer browsers--we'll keep you posted!

This functionality is already available starting with the 1.1.5 SDK.
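
A check a reviewer might run over the handlers described in this announcement, as an added example that is not part of the original post or of the App Engine SDK: it lists handlers that carry a `login:` requirement but are not set to `secure: always`. The sample app.yaml, the function names and the policy itself are assumptions, and the parser handles only the flat key/value handler layout shown in this thread.

```python
# Constructed sample input, modelled on the handlers posted in this thread.
SAMPLE_APP_YAML = """\
runtime: python
handlers:
- url: /accounts/.*
  script: admin.py
  login: admin
  secure: always
- url: /account/.*
  script: main.py
  login: required
- url: /profile/.*
  script: main.py
  login: required
  secure: optional
- url: /.*
  script: main.py
"""


def parse_handlers(text):
    """Parse the 'handlers:' list (flat 'key: value' subset of YAML only)."""
    handlers, in_handlers = [], False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line and not line[0].isspace() and line[0] != "-":
            in_handlers = line == "handlers:"  # any other top-level key ends the list
        elif in_handlers and line.strip():
            item = line.strip()
            if item.startswith("-"):  # "- " opens a new handler entry
                handlers.append({})
                item = item[1:].strip()
            key, sep, value = item.partition(":")
            if handlers and sep:
                handlers[-1][key.strip()] = value.strip()
    return handlers


def audit(text):
    """Return (url, secure) for login-protected handlers not pinned to HTTPS."""
    findings = []
    for handler in parse_handlers(text):
        secure = handler.get("secure", "never")  # "never" is the stated default
        # Assumed policy: any handler with a login requirement must be "always".
        if "login" in handler and secure != "always":
            findings.append((handler.get("url"), secure))
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_APP_YAML))
```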

kang

Oct 16, 2008, 8:31:27 PM
to google-a...@googlegroups.com
well done
--
Stay hungry,Stay foolish.

Mattias Johansson

Oct 17, 2008, 1:53:29 AM
to Google App Engine
Hi Google

Hmm, this is EXCELLENT progress! Thank you for listening. Might I
suggest that you also offer a few custom whitelabel domains, like
securecheckout.com, secureconnection.net or something? Main domain is
not as necessary as it looking professional.

/mattias


conman

Oct 17, 2008, 7:15:59 AM
to Google App Engine
Oh Boy!!

That is great news!! Thanks for your _excellent_ work!

Regards,
Constantin



Satheesan Varier

Oct 17, 2008, 1:10:11 PM
to Google App Engine
Thank you !


Alexander Konovalenko

Oct 17, 2008, 1:41:39 PM
to Google App Engine, ale...@gmail.com
HTTPS support is really great.

Here is a summary of remaining security issues with App Engine.

* Support HTTPS for arbitrary domains (not just *.appspot.com)
This request is being tracked in issue 792:
http://code.google.com/p/googleappengine/issues/detail?id=792

* urlfetch doesn't verify HTTPS certificates
See issue 46 http://code.google.com/p/googleappengine/issues/detail?id=46,
which is now (for some reason beyond my understanding) a duplicate
of issue 61: http://code.google.com/p/googleappengine/issues/detail?id=61

* Mail API should support TLS
See issue 497: http://code.google.com/p/googleappengine/issues/detail?id=497

* Uploading the app to App Engine servers over HTTPS
See issue 794: http://code.google.com/p/googleappengine/issues/detail?id=794

* Secure access to the Admin Console (appengine.google.com)
See issue 795: http://code.google.com/p/googleappengine/issues/detail?id=795

Feel free to add to this list.

Jeff S

Oct 17, 2008, 8:59:44 PM
to Google App Engine
Hi Alexander,

Good point about 46 being marked a duplicate of 44. I've "de-duped"
it.

Cheers,

Jeff


Charles Yan

Oct 18, 2008, 3:48:44 AM
to Google App Engine
EXCELLENT! Greatly appreciated!

fssfans

Oct 17, 2008, 11:52:39 PM
to Google App Engine
???

what's going on?

------------------------------------ Console ----------------------------------------

Unexpected attribute 'secure' for object of type <class 'google.appengine.api.appinfo.URLMap'>.

------------------------------------ my app.yaml -----------------------------

application: fssmain
version: 1
runtime: python
api_version: 1

handlers:

- url: /account/.*
  script: main.py
  login: required
  secure: always

Roy Leban

Oct 19, 2008, 2:19:52 AM
to Google App Engine
I wonder if another workaround for the IP-based limitations of SSL is
to dynamically assign a port for SSL for each app. So, I've got www.myapp.com
and when my app is started up, you assign www.myapp.com:7520 for SSL.
Another app on the server might get 7521, etc. The assignment is only
while the app is running. If the app is killed off that server, the
port is freed up for another app. So, as long as you have a larger
block of potential IP addresses than the number of apps running
simultaneously on a server, you should be fine (and there should be
plenty of available ports).

One disadvantage of this is that the special port will require a
special redirect, but I think that's manageable.


On Oct 16, 3:03 pm, "Marzia Niccolai" <ma...@google.com> wrote:
> You may be wondering why we're only supporting appspot.com right now, and
> not arbitrary Google Apps domains.  This has to do with fundamental
> limitations in the SSL protocol (see: http://en.wikipedia.org/wiki/Https#Limitations).  We're currently
> investigating workarounds for this using e.g.
> SNI (http://en.wikipedia.org/wiki/Server_Name_Indication), which provides a

Roy Leban

Oct 19, 2008, 2:21:47 AM
to Google App Engine
> I wonder if another workaround for the IP-based limitations of SSL is
> to dynamically assign a port for SSL for each app....

Oh, and you could potentially support Server Name Indication for newer
clients and dynamic ports for older clients. A big advantage of all of
us running on GAE is that you can deal with the hassle once and all
the apps can take advantage of it.

Marzia Niccolai

Oct 20, 2008, 12:53:38 PM
to google-a...@googlegroups.com
You must have the 1.1.5 version of the SDK to use the 'secure' argument in your app.yaml.

-Marzia

Filip

Oct 20, 2008, 2:47:50 PM
to Google App Engine
Thanks for this!

Looking forward to SNI on arbitrary domain names, but this will solve
the problem for now, and it makes a really big difference.

Filip.

cb

Oct 21, 2008, 8:23:34 PM
to Google App Engine
Really great news.