CloudFlare https traffic blocked?


Owen Wiggins

Sep 24, 2011, 10:51:56 PM
to google-a...@googlegroups.com
Hi,

We're trying CloudFlare to tide us over until Google enables SSL for custom domains. I'm open to suggestions, but so far this seems to be the simplest solution to get ready for Facebook's October 1st https requirement for canvas applications.

For some reason, it seems traffic is being blocked when coming through CloudFlare over port 443. Going directly to our appspot domain works fine. The folks at CloudFlare don't seem to be aware of any issues - is anyone here able to confirm whether this still works, or perhaps even give a better alternative (for various reasons, Facebook must be pointing to our custom domain)?

Thanks,

Owen Wiggins
Co-Founder, Inspirado Games

Brandon Wirtz

Sep 24, 2011, 11:20:09 PM
to google-a...@googlegroups.com

Google blocks CloudFlare when Flare starts to look like a DDoS because they didn’t implement their proxy headers correctly…

I think I mentioned Sadness in my last response about using them.

--
You received this message because you are subscribed to the Google Groups "Google App Engine" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-appengine/-/3GJGNZEq3PsJ.
To post to this group, send email to google-a...@googlegroups.com.
To unsubscribe from this group, send email to google-appengi...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.

Owen Wiggins

Sep 24, 2011, 11:43:47 PM
to google-a...@googlegroups.com
Thank you for your quick reply, Brandon!

I believe CloudFlare uses the "industry standard X-Forwarded-For header": http://code.google.com/appengine/forum/?place=msg%2Fgoogle-appengine%2F4D1IGqCh4LA%2FrguR4Zqtj08J

We're not seeing excessive traffic this week either - not sure what would be considered a possible DDoS by Google, though. Regardless, I'm really in a tough spot here and would love an alternative if anyone can suggest something. I'm sure many other developers are in a similar position...

Brandon Wirtz

Sep 25, 2011, 12:00:46 AM
to google-a...@googlegroups.com

No, they say that, but many of their headers have private IP ranges, reciprocal IPs, and other issues. They have a hacked-together product running on borrowed infrastructure; I make a LOT of money cleaning up after them.

And I feel bad because most of the people who end up getting burned by them can’t afford it.

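Added example, not part of any post in this thread: one way an origin behind a reverse proxy can audit the X-Forwarded-For header discussed above, honouring it only from known proxy addresses and flagging private-range entries. The proxy network and all sample addresses are constructed placeholders (documentation ranges), and `audit_xff` is a hypothetical helper name.

```python
import ipaddress

# Constructed placeholder: networks of the reverse proxies allowed to set the header.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]
# Ranges that should never appear as a forwarded public client address.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def in_any(addr, networks):
    return any(addr in net for net in networks)

def audit_xff(peer_ip, xff_header):
    """Return (client_ip, warnings) for one request.

    peer_ip is the TCP peer address; xff_header is the raw header value or None.
    """
    warnings = []
    peer = ipaddress.ip_address(peer_ip)
    if not in_any(peer, TRUSTED_PROXIES):
        # Anyone can send this header; only a known proxy's copy is believed.
        if xff_header:
            warnings.append("header from untrusted peer ignored")
        return str(peer), warnings
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    client = peer
    # Walk right to left: the rightmost entries were appended nearest to us.
    for raw in reversed(hops):
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            warnings.append("unparseable entry: %r" % raw)
            break
        if in_any(addr, NON_ROUTABLE):
            warnings.append("non-routable entry: %s" % addr)
            break
        client = addr
        if not in_any(addr, TRUSTED_PROXIES):
            break  # first hop that is not one of our proxies is the client
    return str(client), warnings
```
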

Owen Wiggins

Sep 25, 2011, 12:19:17 AM
to google-a...@googlegroups.com
Thanks, Brandon. What I'm really after is a definitive answer on whether there's an issue on the AppEngine side. I'm currently working with CloudFlare support to resolve the issue.

However, the $22 I've spent doesn't have me committed either way - I'm open to any solutions or alternatives. The only reason I'm trying CloudFlare is to get SSL working until Google has a permanent solution ready.

Brandon Wirtz

Sep 25, 2011, 12:36:34 AM
to google-a...@googlegroups.com

CF always blames GAE, but none of my sites that are proxied have this issue because my headers are “right”.

BTW, using CF as your SSL solution opens a whole host of issues, because of who you share resources with and CF’s less than optimal policies on security.


Owen Wiggins

Sep 25, 2011, 12:42:39 AM
to google-a...@googlegroups.com
Currently, CloudFlare is not placing blame anywhere - I'm investigating issues on AppEngine's end of my own accord. What is your top pick for an alternative to CloudFlare? It seems like you have a lot of experience with these issues. Thanks!

John Roberts

Sep 25, 2011, 1:13:06 AM
to google-a...@googlegroups.com
I work at CloudFlare. Brandon, you spout a lot of incorrect information about CloudFlare. Care to state your affiliations, so readers can understand a bit more context?

CloudFlare operates at large scale, with our own hardware, operating our own network, delivering more than 15 billion pageviews/month for more than 100,000 websites, and continuing to grow quickly.

John Roberts
first name at cloudflare dot com

Brandon Wirtz

Sep 25, 2011, 1:49:58 AM
to google-a...@googlegroups.com

It’s more a question of what you can do with your budget. There isn’t an alternative to CF in any comparable price range, which is why they do so much damage. It’s them or something like Akamai at $22k a month, or roll your own using Squid and either a cloud service or dedicated hardware at multiple POPs.


Kaan Soral

Sep 25, 2011, 3:37:22 PM
to Google App Engine
Why don't you just put https://*.appspot address to the Facebook
settings?

Why do you need to use CloudFlare?

Brandon Wirtz

Sep 25, 2011, 3:54:42 PM
to google-a...@googlegroups.com
It's hard to change the address in your Facebook app later, you'd be pretty
tied to GAE. It's not impossible, but personally I'd build around something
I could change rather than getting locked in.


Owen Wiggins

Sep 26, 2011, 1:06:00 AM
to google-a...@googlegroups.com
Hi Kaan,

In addition to what Brandon said, we have other reasons that would make switching to the appspot domain impossible in the short term.

We've been running CloudFlare on non-SSL traffic without incident for two weeks, so I have some confidence that once we can figure out the SSL issues it will be a decent short-term solution until Google gets SSL on custom domains working. I've noted Brandon's concerns here and in the other threads and will continue to closely monitor for problems.

Brandon - Unfortunately, the net cost and risk involved with those suggestions far outweigh the risks as I currently perceive them with CloudFlare. Obviously, if we can't get CloudFlare to work for SSL traffic or we see serious issues down the road, we'll have to take a look at all alternatives and your suggestions were useful in that respect.

I'm still not certain where the exact problem lies, but I'll be sure to update this thread with anything I discover. A definitive answer from an AppEngine representative would be ideal. Thank you for the suggestions!

Owen Wiggins

Oct 14, 2011, 1:28:43 AM
to google-a...@googlegroups.com
It took a few weeks, but the answer from CloudFlare is: "GAE has apparently closed the port(s) in question & we will search for an alternative solution."

Fortunately, Dmitry Ulupov at http://wwwizer.com has launched his SSL solution and got us up and running in about a day. I can't attest to the reliability since we haven't been using it for long, but it's worth a shot for those still looking for a solution.

Brandon Wirtz

Oct 14, 2011, 1:52:33 AM
to google-a...@googlegroups.com

I suspect they will be OK as long as you don’t get too big too fast.

I would have gone with Squid running on Amazon, a new scares me when you are looking at using it for secure stuff.

