1

I have an Express app used by several companies. Each company has its own subdomain to call the app API, such as company1.mydomain.com, company2.mydomain.com. In Express we read the value of the subdomain to determine the custom operation that we have to do for that company.

We are moving this app to GCP using Cloud Run with a GCP Load Balancer, setting all subdomains on the latter. We are now trying to read the subdomain but it contains the subdomain value of the Cloud Run URL (xxxxx.a.run.app). We are trying to figure out how to get the subdomain the user is requesting (the one configured in the Load Balancer) but that value doesn't seem to be forwarded to Cloud Run.

Are there any settings that we are missing, or something that would help us read the subdomain value from Cloud Run?

PS: We tried using the Load Balancer's Custom Header but there is no option related to the subdomain value

PS2: We also tried checking the other headers (including the X-Somethingxx GCP headers) and found nothing

1 Answer

2

I found a solution. It's based on a recent article that I wrote.

The solution is:

  • Create an HTTPS load balancer
  • Define an internet NEG that calls run.app
  • In the backend, use this NEG and add a custom header `host`, with the value of the fully qualified URL of your Cloud Run service xxxxx.a.run.app (as described in my article)
  • Add another custom header (whichever one you want, for example `x-forwarded-host`) with the value `{tls_sni_hostname}`
guillaume blaquiere
  • I already did something similar using the `{tls_sni_hostname}` custom header. The problem with this value is that it is set in the handshake process and it keeps the same value until you need a new handshake for another certificate/URL. So like I said in the original post, several companies and their customers use our API (`company1.mydomain.com`, `company2.mydomain.com`). All subdomains use the same certificate, so if a customer requests `company1.mydomain.com` the SNI is set to that URL, and if then the same customer calls `company2.mydomain.com` the SNI will remain `company1.mydomain.com` – Sebastian Sanchez Feb 05 '21 at 22:26
  • That is because a new handshake is not required. This can be fixed using different certificates for each domain, but for us that is not feasible. That's what I understand about SNI, but I may be completely wrong – Sebastian Sanchez Feb 05 '21 at 22:27
  • I guess you use a wildcard certificate, correct? – guillaume blaquiere Feb 06 '21 at 12:35
  • Yes, we use a wildcard certificate – Sebastian Sanchez Feb 07 '21 at 18:06
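
On the Express side, the header added in the answer's last step decides which company's logic runs, so it is worth validating before use. The following is an added example, not code from the question or the answer. It assumes the header is named `x-forwarded-host` as the answer suggests, and the tenant allowlist, function names and 400 response are constructed for illustration. It only checks the value it receives and does not change the SNI reuse behaviour described in the comments.

```javascript
// Added example: resolve the tenant from the load balancer's custom header.
const BASE_DOMAIN = 'mydomain.com';                       // domain used in the question
const KNOWN_TENANTS = new Set(['company1', 'company2']);  // constructed allowlist
const TENANT_HEADER = 'x-forwarded-host';                 // header name suggested in the answer

// Returns { tenant } on success or { error } when the header is unusable.
function resolveTenant(headers) {
  const raw = headers[TENANT_HEADER];
  // Node joins repeated headers with ", "; several values are ambiguous, so refuse.
  if (typeof raw !== 'string' || raw.includes(',')) {
    return { error: 'missing-or-ambiguous' };
  }
  // Normalise: lower-case, drop an optional :port and a trailing dot.
  const host = raw.trim().toLowerCase().replace(/:\d+$/, '').replace(/\.$/, '');
  const suffix = '.' + BASE_DOMAIN;
  // Anything outside the base domain (e.g. xxxxx.a.run.app) is rejected.
  if (!host.endsWith(suffix)) return { error: 'foreign-domain' };
  const label = host.slice(0, -suffix.length);
  // Exactly one DNS label, so "a.company1" or an empty label never matches.
  if (!/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/.test(label)) {
    return { error: 'bad-label' };
  }
  // The header is only as trustworthy as the path the request took, so
  // accept nothing that is not an expected tenant.
  if (!KNOWN_TENANTS.has(label)) return { error: 'unknown-tenant' };
  return { tenant: label };
}

// Express-style middleware (req, res, next): fails closed with 400.
function tenantMiddleware(req, res, next) {
  const result = resolveTenant(req.headers);
  if (result.error) {
    res.statusCode = 400;
    return res.end('unknown tenant');
  }
  req.tenant = result.tenant;
  next();
}
```

Register it with `app.use(tenantMiddleware)` ahead of the routes that branch on `req.tenant`.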