Tags: google-app-engine, google-cloud-platform, firewall, app-engine-flexible

GCP App Engine Firewall Rules Failing For Custom Domain


My goal is to limit access to my App Engine Service to my home office IP. I have configured the App Engine Firewall with allow rules for both my IPv4 and IPv6 addresses, and set the default rule to deny.

This works when browsing my application using the unique appspot.com address assigned to my app. But attempting to access my application using the custom domain I have configured for App Engine is resulting in a 403.

I have further verified that the rules are working as intended on the appspot.com domain. Anything that isn't in my allow list is getting the 403 as intended.

This tells me that my rules are "working," but I am unable to find any reference as to why this would not influence access to my application through the configured custom domain.

Note: when the default rule is set to allow, my application does work using the custom domain, so I am certain that configuration is sound.

Are custom domains simply beyond the scope of App Engine's Firewall? I was hoping to avoid digging into the VPC configuration for now.

[Screenshot: Firewall Rules]

[Screenshot: Custom Domain Config]

Edit: Log shows my IPv6 IP address as the requesting IP when tailing the log:

{
  "entries": [
    {
      "insertId": "dlpqxpfa090t8",
      "jsonPayload": {
        "appLatencySeconds": "0.011",
        "trace": "b7f63eb3d2fb4c52480253c224821a23",
        "latencySeconds": "0.011"
      },
      "httpRequest": {
        "requestMethod": "GET",
        "requestUrl": "/users/kind/add",
        "status": 200,
        "responseSize": "4810",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36",
        "remoteIp": "2600:****:****:****:****:****:****:9936",
        "referer": "https://f******s.e******t.com/users",
        "latency": "0.011s",
        "protocol": "HTTP/1.1"
      },
      "resource": {
        "type": "gae_app",
        "labels": {
          "zone": "",
          "project_id": "f*******s",
          "version_id": "20220801t212517",
          "module_id": "default"
        }
      },
      "timestamp": "2022-08-09T22:11:33.869Z",
      "labels": {
        "appengine.googleapis.com/trace_id": "b*****************a23",
        "appengine.googleapis.com/instance_name": "aef-default-2*********7-770v",
        "compute.googleapis.com/resource_name": "0**********3",
        "compute.googleapis.com/resource_id": "21*********29",
        "compute.googleapis.com/zone": "********"
      },
      "logName": "projects/f********s/logs/appengine.googleapis.com%2Fnginx.request",
      "trace": "projects/f*********s/traces/b7f63eb3d2fb4c52480253c224821a23",
      "receiveTimestamp": "2022-08-09T22:11:38.104875464Z"
    }
  ]
}

Edit 2: As suggested in the comments, I tried hitting a URL with curl. Below is the result:

Microsoft Windows [Version 10.0.22000.856]
(c) Microsoft Corporation. All rights reserved.

C:\Users\shawn>curl
curl: try 'curl --help' for more information

C:\Users\shawn>curl https://f*****s.e*******t.com/index

    <html><head>
    <meta http-equiv="content-type" content="text/html;charset=utf-8">
    <title>403 Forbidden</title>
    </head>
    <body text=#000000 bgcolor=#ffffff>
    <h1>Error: Forbidden</h1>
    <h2>Access is forbidden.</h2>
    <h2></h2>
    <script defer src="https://static.cloudflareinsights.com/beacon.min.js/v652eace1692a40cfa3763df669d7439c1639079717194" integrity="sha512-Gi7xpJR8tSkrpF7aordPZQlW2DLtzUlZcumS8dMQjwDHEnw9I7ZLyiOj/6tZStRBGtGgN6ceN6cMH8z7etPGlw==" data-cf-beacon='{"rayId":"738c818088a17d62","version":"2022.6.0","r":1,"token":"c070c2d4c5ad48d18815371af21d9e80","si":100}' crossorigin="anonymous"></script>
    </body></html>
    
    C:\Users\shawn>

NOTE: I thought I was on to something with IPv6 being the culprit, but I've since disabled IPv6 completely and https://whatismyipaddress.com/ is showing that I'm not broadcasting an IPv6 address any longer. Still no dice.


Solution

  • Cloudflare Proxied CNAME strikes again. Turning off this feature in Cloudflare for the CNAME pointing at ghs.googlehosted.com resolved the issue after about 5 minutes.
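The mechanism behind that fix, as an added example that is not part of the original post: the App Engine firewall evaluates rules in ascending priority order against the source IP of the connection that reaches Google, and the default rule (priority 2147483647, source range "*") catches whatever nothing else matched. With the CNAME proxied through Cloudflare, the connection Google sees comes from a Cloudflare edge node, so the home-office allow rules never match and the default deny fires; the appspot.com hostname bypasses Cloudflare, so the same rules match there. The rule set, the home addresses (RFC 5737 / RFC 3849 documentation ranges) and the sample 403 body below are constructed stand-ins for the poster's values; the Cloudflare edge address is illustrative (taken from 104.16.0.0/13, one of Cloudflare's published ranges at the time of writing). `looks_cloudflare_proxied` is a hypothetical helper for spotting the proxy from a response, keyed on the `cloudflareinsights.com/beacon` script visible in the 403 page above and on the `server`/`cf-ray` headers Cloudflare sets.

```python
"""Why App Engine firewall rules match on appspot.com but not on a
Cloudflare-proxied custom domain.

Added example, not code from the original post. All addresses, rules and
the sample response body are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FirewallRule:
    priority: int        # lower number = evaluated first (App Engine semantics)
    action: str          # "ALLOW" or "DENY"
    source_range: str    # IPv4/IPv6 CIDR, or "*" for the default rule


# App Engine's default rule always sits at this priority with source range "*".
DEFAULT_RULE_PRIORITY = 2147483647

# Constructed stand-ins for the poster's home-office addresses (documentation ranges).
HOME_V4 = "203.0.113.7"
HOME_V6 = "2001:db8::9936"

# Constructed rule set mirroring the post: allow home v4 + v6, default deny.
RULES: List[FirewallRule] = [
    FirewallRule(100, "ALLOW", f"{HOME_V4}/32"),
    FirewallRule(200, "ALLOW", f"{HOME_V6}/128"),
    FirewallRule(DEFAULT_RULE_PRIORITY, "DENY", "*"),
]

# Illustrative Cloudflare edge address: what the origin sees behind a proxied CNAME.
CLOUDFLARE_EDGE = "104.16.132.229"


def evaluate(rules: List[FirewallRule], remote_ip: str) -> Tuple[str, int]:
    """Return (action, priority) of the first rule matching remote_ip.

    This is the connection source IP. Headers such as X-Forwarded-For or
    CF-Connecting-IP are never consulted, which is exactly why a proxy in
    front of the origin defeats an IP allow list.
    """
    ip = ipaddress.ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.source_range == "*":
            return rule.action, rule.priority
        net = ipaddress.ip_network(rule.source_range, strict=False)
        if ip.version == net.version and ip in net:
            return rule.action, rule.priority
    raise ValueError("no rule matched; a real App Engine rule set always has a default rule")


def looks_cloudflare_proxied(body: str, headers: Dict[str, str]) -> bool:
    """Hypothetical check: does this response bear Cloudflare's fingerprints?"""
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    if lowered.get("server") == "cloudflare" or "cf-ray" in lowered:
        return True
    # The 403 page in the post carries Cloudflare's insights beacon script.
    return "cloudflareinsights.com/beacon" in body


# Constructed sample modelled on the 403 body shown in the post (token values invented).
SAMPLE_403_BODY = (
    "<html><head><title>403 Forbidden</title></head><body>"
    "<h1>Error: Forbidden</h1><h2>Access is forbidden.</h2>"
    '<script defer src="https://static.cloudflareinsights.com/beacon.min.js/vEXAMPLE" '
    'data-cf-beacon=\'{"rayId":"0000000000000000","version":"2022.6.0"}\'></script>'
    "</body></html>"
)


def explain_paths() -> Dict[str, Tuple[str, int]]:
    """Evaluate the same home client over both paths: direct (appspot.com) and proxied."""
    return {
        "appspot.com, IPv6 direct": evaluate(RULES, HOME_V6),
        "appspot.com, IPv4 direct": evaluate(RULES, HOME_V4),
        "custom domain via Cloudflare": evaluate(RULES, CLOUDFLARE_EDGE),
    }


if __name__ == "__main__":
    for path, (action, prio) in explain_paths().items():
        print(f"{path:32s} -> {action} (rule priority {prio})")
    print("403 body looks Cloudflare-proxied:", looks_cloudflare_proxied(SAMPLE_403_BODY, {}))
```

The alternative fix, adding Cloudflare's egress ranges to the allow list, would not restore the intended control: it would admit any client that reaches the app through Cloudflare, because the firewall still only sees the edge node's address. Disabling the proxy (grey cloud) makes the CNAME resolve straight to ghs.googlehosted.com, so the client's own address reaches the firewall again.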