I see some requests in the logs coming from unknown sources.

So how could I prevent all requests except the ones coming from my appspot domain?

Note: This is on App Engine, where there is no server on my end to manage; you just upload your app code and they take care of the rest.

Marwan

1 Answer

Having control over access to your App Engine app, I recommend that you set up firewall(s) and apply rules and priority to structure it as an ordered list. You could allow only traffic from a specific service by creating firewall rules to deny all requests except those that are forwarded from your specific service.

You could make use of the request header X-Appengine-Inbound-Appid to identify the App Engine app that is making a request to your App Engine app. URLFetch service adds the unmodifiable header to the request, so that you can obtain the application’s ID safely.

Katayoon
  • Thanks for your response. I guess checking that header will do what I want, but I was hoping to do it from appengine itself rather than from the application level. – Marwan Feb 03 '18 at 09:27
  • You say you want to allow http requests from just one domain. Is that domain the application itself, or the domain of another App Engine application you control? Could you clarify the exact scenario you mean? – Katayoon Feb 05 '18 at 20:44
  • The application itself. I don't have multiple apps. I want to allow that and prevent any requests coming from other apps, curl, postman, etc... – Marwan Feb 06 '18 at 17:30
  • Applying firewall rules (filters), you could prevent any request coming from anywhere as well. – Katayoon Feb 06 '18 at 20:52
  • Filters work on IPs, not domains. Every client visiting my domain will have a different IP. – Marwan Feb 07 '18 at 14:19
  • I recommend taking a look at this thread, which seems to be related to your question. – Katayoon Oct 19 '18 at 21:51
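
The header check described in the answer above, as an added example that is not part of the original thread: a WSGI middleware that rejects any request whose X-Appengine-Inbound-Appid value is not allow-listed. The class name, the placeholder app ID and the demo backend are assumptions for illustration, and the check relies on the header being unmodifiable by clients, as the answer states.

```python
"""Admit only requests whose X-Appengine-Inbound-Appid is allow-listed.

Added example; all names here are hypothetical, not App Engine APIs.
"""

# Constructed placeholder; replace with your own application ID.
ALLOWED_APP_IDS = frozenset({"my-app-id"})

# WSGI exposes the X-Appengine-Inbound-Appid header under this environ key.
INBOUND_APPID_KEY = "HTTP_X_APPENGINE_INBOUND_APPID"


def is_allowed(environ, allowed=ALLOWED_APP_IDS):
    """True only if the header is present, non-empty and allow-listed."""
    app_id = environ.get(INBOUND_APPID_KEY, "")
    return bool(app_id) and app_id in allowed


class InboundAppIdFilter:
    """Wrap a WSGI app and answer 403 unless the caller is allow-listed."""

    def __init__(self, app, allowed=ALLOWED_APP_IDS):
        self.app = app
        self.allowed = frozenset(allowed)

    def __call__(self, environ, start_response):
        if is_allowed(environ, self.allowed):
            return self.app(environ, start_response)
        # Deny by default: a missing header and an unknown ID look the same.
        body = b"Forbidden\n"
        start_response("403 Forbidden", [
            ("Content-Type", "text/plain"),
            ("Content-Length", str(len(body))),
        ])
        return [body]


def demo_backend(environ, start_response):
    """Stand-in for the real application (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


# The object a WSGI server would be pointed at.
application = InboundAppIdFilter(demo_backend)
```

Because only URLFetch requests from an App Engine app carry this header, the filter rejects browser, curl and Postman traffic alike, so it fits endpoints meant only for app-to-app calls.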