
We are running an App Engine Flexible app behind Fastly (CDN). We have set up ghs.googlehosted.com as the origin server, so the CDN forwards the request to that server if it doesn't have a cached version. This has been running fine for months.

However, we now want to ensure Fastly connects to the origin (ghs.googlehosted.com) over TLS. It seems ghs.googlehosted.com does not support TLS. Any ideas how to overcome this situation?

Alex
  • Shouldn't you set the origin to *your* app's URL instead of `ghs.googlehosted.com` (which serves **all** GAE apps, not only yours)? Also how did you reach the conclusion that TLS is not supported? – Dan Cornilescu May 13 '18 at 17:45
  • It doesn't seem to work if I use myapp.appspot.com as the origin. Google provides `ghs.googlehosted.com` as the CNAME to add, so I used that one, and it works when TLS is disabled. TLS doesn't seem to work; I've checked with `openssl s_client -connect ghs.googlehosted.com:443` – Alex May 13 '18 at 22:11
  • Have you tried the same with your app's hostname? For mine it shows TLSV1.2 – Dan Cornilescu May 14 '18 at 01:23
  • Yes. Unfortunately, I get a 404 – Alex May 14 '18 at 07:56
  • It seems the issue is related to the use of the HTTP `Host` header. You get a 404 when you use this header with `myapp.appspot.com` – Alex May 15 '18 at 12:25

1 Answer


So far, this is what we have found out when choosing the origin host of our CDN (Fastly):

  • myapp.appspot.com: Supports TLS but requires the Host HTTP header to be exactly myapp.appspot.com. Therefore, the Host header needs to be overridden.
  • ghs.googlehosted.com: Does not support TLS, but accepts any Host HTTP header, so you can use any of your App Engine custom domains.

More info in this thread in the App Engine group.

Edit: I was missing sending the SNI in the request. Now it works well with ghs.googlehosted.com and TLS.

Alex
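The two checks the answer describes (does the origin complete a TLS handshake with and without SNI, and which `Host` header does it accept) can be scripted so they are repeatable. The following is an added example, not code from the original post or from Google or Fastly; `myapp.appspot.com` and `www.example.com` are placeholders for the app's own hostname and a custom domain mapped to it, and the `openssl` transcripts embedded at the bottom are constructed samples so the classifier can be exercised without network access.

```shell
#!/bin/sh
# Added example (not from the original post). Reproduces the checks from the
# thread: a TLS handshake against the origin with/without SNI, then an HTTPS
# request that presents a chosen Host header. Hostnames are placeholders.

ORIGIN_HOST="ghs.googlehosted.com"   # CNAME target Google documents
APP_HOST="myapp.appspot.com"         # placeholder: the app's own hostname
CUSTOM_DOMAIN="www.example.com"      # placeholder: custom domain mapped to the app

# Classify an `openssl s_client` transcript.
#   tls-failed      no server certificate was received (handshake aborted)
#   tls-unverified  certificate received but the chain did not verify
#   tls-ok          certificate received and "Verify return code: 0 (ok)"
# Note that s_client prints "Verify return code: 0 (ok)" even when no peer
# certificate arrived, so the "subject=" line is checked first.
classify_handshake() {
    t="$1"
    if printf '%s\n' "$t" | grep -q 'no peer certificate available'; then
        echo "tls-failed"; return 0
    fi
    if ! printf '%s\n' "$t" | grep -q '^subject='; then
        echo "tls-failed"; return 0
    fi
    if printf '%s\n' "$t" | grep -q 'Verify return code: 0 (ok)'; then
        echo "tls-ok"
    else
        echo "tls-unverified"
    fi
}

# Map the HTTP status seen for a given Host header to what it means for the
# origin choice (the answer above saw 404 when the Host header did not match).
classify_host_header() {
    case "$1" in
        2??|3??) echo "host-accepted" ;;
        404)     echo "host-rejected" ;;
        *)       echo "unexpected-$1" ;;
    esac
}

# Live probe: TLS handshake to $1, sending $2 as the SNI name ("" = no SNI).
# -noservername needs OpenSSL 1.1.1+; older builds send no SNI unless asked.
# Pass -CAfile if your system trust store is not picked up automatically.
probe_tls() {
    if [ -n "$2" ]; then
        out=$(printf 'Q\n' | openssl s_client -connect "$1:443" -servername "$2" 2>&1)
    else
        out=$(printf 'Q\n' | openssl s_client -connect "$1:443" -noservername 2>&1)
    fi
    classify_handshake "$out"
}

# Live probe: fetch / from $1 over TLS while presenting "Host: $2", which is
# what a CDN does when it overrides the Host header towards the origin.
probe_host_header() {
    code=$(curl -s -o /dev/null -w '%{http_code}' -H "Host: $2" "https://$1/")
    classify_host_header "$code"
}

# Constructed transcript fragments (not real captures) for offline checks.
SAMPLE_TLS_OK='CONNECTED(00000003)
Server certificate
subject=CN = origin.example
issuer=CN = Example CA
---
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)
---'
SAMPLE_TLS_UNVERIFIED='CONNECTED(00000003)
Server certificate
subject=CN = origin.example
---
    Verify return code: 20 (unable to get local issuer certificate)
---'
SAMPLE_TLS_FAIL='CONNECTED(00000003)
error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
---
no peer certificate available
---
    Verify return code: 0 (ok)
---'

# Run the live probes only when asked, so the script is safe to source.
if [ "${RUN_LIVE:-0}" = "1" ]; then
    echo "$ORIGIN_HOST without SNI:              $(probe_tls "$ORIGIN_HOST" "")"
    echo "$ORIGIN_HOST with SNI=$CUSTOM_DOMAIN: $(probe_tls "$ORIGIN_HOST" "$CUSTOM_DOMAIN")"
    echo "$APP_HOST, Host=$APP_HOST:             $(probe_host_header "$APP_HOST" "$APP_HOST")"
    echo "$APP_HOST, Host=$CUSTOM_DOMAIN:        $(probe_host_header "$APP_HOST" "$CUSTOM_DOMAIN")"
fi
```

Run it with `RUN_LIVE=1 sh probe-origin.sh` to exercise the real hosts. The `tls-unverified` outcome is worth distinguishing from `tls-failed`: a handshake that completes but whose chain does not verify points at a trust-store or certificate-name problem on the CDN side, whereas no certificate at all is the no-SNI symptom the answer's edit describes. In Fastly terms the two findings map onto the backend's SNI hostname setting (needed for `ghs.googlehosted.com`) and its Host override (needed for `myapp.appspot.com`); the exact field names are Fastly's and are not shown on this page.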