13

I have a static website hosted in Firebase. I can attach a custom domain to it fine. I would like to restrict access to my site to a certain range of IPs.

I am aware that in GCP, Google Cloud Armor can do this. But Cloud Armor only works with a Load Balancer, and the load balancer routes traffic only to GCP VMs (not to a Firebase-hosted site).

In AWS, there is a Web Application Firewall that lets you do IP Filtering.

I see GCP has provided links to 3rd Party partners here: https://cloud.google.com/security/partners/

But my question is what is the best and easiest way to whitelist IPs for a static website hosted in Firebase?

Frank van Puffelen
Blitz Blitz

2 Answers

3

Web sites on Firebase Hosting are accessible to everyone. There is no way to block certain users, or IP ranges, from accessing them.

Frank van Puffelen
  • 4
    Frank, thanks for answering. Don't you think this is a serious shortcoming? Enterprises would like to restrict access to internal apps to only employees and consultants from a corporate network. While FB hosting is a very convenient way to get up and running, I can see this shortcoming being a serious stumbling block for internally accessible apps. – Blitz Blitz Apr 01 '19 at 14:35
  • If IP whitelisting is a requirement for your project, Firebase Hosting may not be a good fit. We're always looking how we can improve our products, so I'd recommend you [file a feature request](https://firebase.google.com/support/contact/bugs-features/). – Frank van Puffelen Apr 01 '19 at 14:55
  • Thanks. I opened a feature request and received a response from Firebase team acknowledging that this would be a good feature to have and that they will look into implementing it in the near future. – Blitz Blitz Apr 02 '19 at 02:30
  • Good to hear. For the moment though, my answer is the correct answer: there is no way to restrict access to assets on Firebase Hosting. – Frank van Puffelen Apr 02 '19 at 03:00
  • 3
    @FrankvanPuffelen the problem is that staging/production might be a good choice with Firebase, but if you cannot make a somewhat restricted hosting for "test", then I think many will completely rethink the hosting - they don't wanna be hosting different environments on different providers. I guess we can write a function to check ip – Spock Jan 17 '20 at 13:54
  • 3
    I agree with @Spock. It's quite bothering to NOT be able to whitelist a range of IPs for all testing environments. It's a quite known technique for AWS to be able to do just that. It's a pity that in 2020, Firebase doesn't provide a system to replicate this. Same thing for tracking the locale, with hosting config alone. Again, the workaround is to trigger a function, but it hurts performance + can be money consuming. It doesn't change the fact that I love Firebase and the whole stack. But it still misses some 'basic' features. Hope they can give us ETA for those very soon :)! – Johan Chouquet Mar 02 '20 at 15:36
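
The workaround raised in the comments above, a function that checks the caller's IP before serving anything, can be written as follows. This is an added example, not code from any poster or from Firebase; `ALLOWED_CIDRS`, `TRUSTED_HOPS`, `gate` and `serveSite` are assumed names, the addresses are constructed, and the number of proxy hops to trust in `X-Forwarded-For` is an assumption to confirm for your own deployment.

```javascript
// Constructed values (assumptions, not from the thread): RFC 5737 documentation ranges.
const ALLOWED_CIDRS = ['203.0.113.0/24', '198.51.100.17/32'];
// Assumption: number of proxies you trust that append to X-Forwarded-For.
const TRUSTED_HOPS = 1;

// Dotted-quad IPv4 -> unsigned integer; null if malformed (IPv6 is treated as malformed).
function ipv4ToInt(ip) {
  const parts = String(ip).trim().split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inCidr(ip, cidr) {
  const [base, bitsStr = '32'] = cidr.split('/');
  if (!/^\d{1,2}$/.test(bitsStr)) return false; // "1.2.3.4/" must not become /0
  const bits = Number(bitsStr), ipN = ipv4ToInt(ip), baseN = ipv4ToInt(base);
  if (ipN === null || baseN === null || bits > 32) return false;
  const size = 2 ** (32 - bits); // division instead of bit ops avoids 32-bit sign issues
  return Math.floor(ipN / size) === Math.floor(baseN / size);
}

// Entries left of the trusted hops are client-supplied and spoofable, so count from the right.
function clientIp(headers, remoteAddr) {
  if (TRUSTED_HOPS === 0) return remoteAddr || null;
  const xff = String(headers['x-forwarded-for'] || '').split(',').map((s) => s.trim()).filter(Boolean);
  return xff.length >= TRUSTED_HOPS ? xff[xff.length - TRUSTED_HOPS] : null; // short header: fail closed
}

function isAllowed(headers, remoteAddr) {
  const ip = clientIp(headers, remoteAddr);
  return ip !== null && ALLOWED_CIDRS.some((c) => inCidr(ip, c));
}

// Express-style (req, res) wrapper; serveSite is a hypothetical handler that returns the pages.
function gate(serveSite) {
  return (req, res) => {
    if (!isAllowed(req.headers, req.socket && req.socket.remoteAddress)) {
      res.status(403).send('Forbidden');
      return;
    }
    serveSite(req, res);
  };
}
```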
2

Because Firebase is a PaaS service, there is no such thing as a firewall. According to the Firebase launch checklist, there are only two kinds of protection you can do:

Protect by Authentication

Add whitelisting for your domains to prevent unauthorized usage.

  • Whitelist your production domain for browser API keys and client IDs in the Google Developer Console.
  • Whitelist your production domain in the Auth tab of the Firebase console panel.

Protect your data

Because any client can connect to any Firebase, you must write security rules to secure your data. So, according to this document, Firebase security, it will show you how to secure your web by securing who can access the database.

This blog Firebase Security & Rules is also a good reference to learn how to secure your Firebase.

Hope this will help you

howie
  • Howie thanks for the response. I'm curious to learn about the first option. Can you point me to some resources? I think it might be a roundabout way to achieve what I'm looking for. Thanks – Blitz Blitz Apr 01 '19 at 14:41
  • 1
    Visit https://console.firebase.google.com/. Select your application and go to the left menu "Auth". Select the tab "SIGN IN METHOD". Add your domain in "OAuth redirect domains". – howie Apr 01 '19 at 22:37
  • Ahh! - No, that's not what I am looking for. Thank you for responding though. I opened a Feature Request with FB and they responded that this feature is indeed not currently available but will be implemented soon. – Blitz Blitz Apr 02 '19 at 02:37
  • 2020 and I think it's still not implemented, or am I missing something? – Spock Apr 22 '20 at 08:53
  • Even more frustrating as App Engine has had this capability for ages https://cloud.google.com/appengine/docs/flexible/nodejs/creating-firewalls – Mike Jul 21 '21 at 10:12