Can I prevent Google App Engine instances from being undesirably created?
Question
I am currently running a Flask web application (Dash, to be more precise) on Google App Engine (Standard Environment) as a service. For the moment I have a custom login/logout page and I am handling user sessions with Flask-Login. I am using Flask-Login to serve content based on the currently authenticated user as well as to keep the current user's session active.
My App Engine service is configured to automatically scale up and down based on traffic, and I would like to avoid instances being undesirably created (for instance by DDoS attacks). I already know that:
> App Engine sits behind the Google Front End which mitigates and
> absorbs many Layer 4 and below attacks, [...]
as per official documentation from Google: link. Moreover, I am aware, again citing the same documentation, that:
> Currently, [Google Compute Engine API] projects are limited to an API rate limit of 20 requests/second.
which can mitigate a DDoS attack to some extent (App Engine actually uses Google Compute Engine, unless I am mistaken).
I am looking for a solution that would involve a third-party (or Google) application acting as a middleman between the user and the application. It would basically handle the sign-in part and redirect the user to my web application on successful login, while protecting my website from being accessed by mistake (e.g. by crawlers) and thus preventing my instances from being created.
Does such an application exist? I am looking into SSO providers that support a login/logout protocol such as SAML or OpenID Connect (Firebase is a good candidate, for instance), but I am unsure whether this solution would prevent my instances from being created undesirably. Finally, I also do not want to have to whitelist users based on their IP address.
Answer 1
Score: 2
- You're basically looking for a solution that will block 'certain traffic' like bots, crawlers and bad actors from reaching your website.
- See if this SO response helps. Note that both Cloud Load Balancing and Google Cloud Armor mentioned in that solution are paid services.
- Google App Engine's solution for this is the Firewall (it's free). You specify IPs or ranges of IPs and an action (ALLOW or DENY). Google Cloud will match all incoming traffic against the rules. If it finds a match and the action is DENY, the traffic will be dropped and it won't reach your instance (this means new instances won't be created to serve such traffic). This is essentially a blacklist rather than the whitelist you mentioned.

  Note: Every new Google App Engine app has a default firewall rule which allows all traffic.
- I assume Google already blocks a known list of bad actors (this is just an assumption on my part) and leaves you to handle the rest via Firewall rules. The current design of the firewall requires you to manually go through your logs, identify traffic that comes from bots/spam/crawlers and then manually create a firewall rule against those IPs. The other challenge is that these bots/spam/crawlers frequently change their IPs too. But you might be lucky and only have a small set of bad actors visiting your site, so you can quickly create firewall rules blocking these IPs.
- You should search for solutions that allow you to automate the previous step. We also face this challenge for our site and built a solution that allows us to semi-automate this. We're currently working on a desktop app that will allow for full automation (you set a schedule, it will parse your logs, identify spam/bots/etc. and create the firewall rules). If you'd like to be notified when this is ready, you can sign up here.

PS: A trick I sometimes use is to put key parts of my service behind a non-intuitive path. This way, the spam/bots will only hit the default/base URL and common paths, and then I have a separate service which returns 404 for all calls to those URLs. This is at best just a band-aid.
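The loop the answer above describes (read the request logs, pick out the scanners and crawlers, create App Engine firewall DENY rules, repeat as the IPs change) is easy to script. The following is an added example, not code from the answer's author or from Google: it parses a constructed sample of combined-log-style request lines, flags sources that mostly request paths that do not exist, renders the `gcloud app firewall-rules create` commands that would block them, and models how App Engine evaluates its rules (ascending priority, first match wins, the default rule at priority 2147483647 applies when nothing matches). The log format, the 404-ratio thresholds, the starting priority of 1000 and the rule description are assumptions for the example.

```python
"""Added example, not code from the original post or from Google.

Automates the manual loop described in the answer (read request logs, pick
out bots/scanners, create App Engine firewall DENY rules) and models how
App Engine evaluates firewall rules by priority.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample request log (documentation IP ranges, made-up paths and
# times) in combined-log style: client ip, timestamp, request line, status, bytes.
SAMPLE_LOG = """\
198.51.100.20 - - [10/May/2023:12:00:00 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [10/May/2023:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 0
203.0.113.7 - - [10/May/2023:12:00:01 +0000] "GET /.env HTTP/1.1" 404 0
203.0.113.7 - - [10/May/2023:12:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0
203.0.113.7 - - [10/May/2023:12:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 0
198.51.100.20 - - [10/May/2023:12:00:03 +0000] "GET /login HTTP/1.1" 200 2048
192.0.2.55 - - [10/May/2023:12:00:04 +0000] "GET /robots.txt HTTP/1.1" 404 0
192.0.2.55 - - [10/May/2023:12:00:05 +0000] "GET /dashboard HTTP/1.1" 302 0
198.51.100.20 - - [10/May/2023:12:00:06 +0000] "POST /login HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# App Engine's built-in default rule: fixed priority, source '*', evaluated last.
DEFAULT_PRIORITY = 2147483647


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"])})
    return records


def suspicious_ips(records, min_requests=3, min_404_ratio=0.75):
    """Flag sources whose requests are mostly for paths that do not exist.

    Probing for wp-login.php, .env, phpmyadmin and the like is a crawler or
    vulnerability scanner, not a user of the Dash app. The thresholds are
    illustrative (assumed for this example); tune them against your own logs.
    """
    per_ip = defaultdict(lambda: [0, 0])  # ip -> [total requests, 404 responses]
    for r in records:
        per_ip[r["ip"]][0] += 1
        if r["status"] == 404:
            per_ip[r["ip"]][1] += 1
    return {ip for ip, (total, not_found) in per_ip.items()
            if total >= min_requests and not_found / total >= min_404_ratio}


def build_rules(ips, start_priority=1000):
    """One DENY rule per flagged address, as (priority, action, source_range).

    App Engine priorities are unique integers from 1 to 2147483646 and lower
    numbers are evaluated first. ip_network() yields /32 or /128 as appropriate.
    """
    ordered = sorted(ips, key=lambda ip: (ipaddress.ip_address(ip).version,
                                          ipaddress.ip_address(ip)))
    return [(start_priority + i, "deny", str(ipaddress.ip_network(ip)))
            for i, ip in enumerate(ordered)]


def gcloud_commands(rules):
    """Render the rules as `gcloud app firewall-rules create` invocations."""
    return [
        f"gcloud app firewall-rules create {prio} --action={action} "
        f"--source-range={source} --description='auto-blocked: path probing'"
        for prio, action, source in rules
    ]


def evaluate(rules, ip, default_action="allow"):
    """Mimic App Engine firewall evaluation for one client address.

    Rules are checked in ascending priority order and the first whose source
    range contains the address decides; if none matches, the default rule's
    action applies (ALLOW on a new app, which is what makes this a blocklist).
    """
    addr = ipaddress.ip_address(ip)
    for _prio, action, source in sorted(rules):
        if addr in ipaddress.ip_network(source, strict=False):
            return action
    return default_action


if __name__ == "__main__":
    flagged = suspicious_ips(parse_log(SAMPLE_LOG))
    rules = build_rules(flagged)
    print("\n".join(gcloud_commands(rules)))
    for client in ("203.0.113.7", "198.51.100.20"):
        print(client, "->", evaluate(rules, client))
```

Before running the generated commands, check the priorities already in use with `gcloud app firewall-rules list` so the new rules do not collide with existing ones, and remember that a lower-numbered ALLOW rule covering the same range wins over a later DENY (the `evaluate` model shows this). Because scanners rotate addresses, rules created this way need periodic review; `gcloud app firewall-rules update default --action=deny` turns the scheme into an allowlist instead, at the cost of having to enumerate every legitimate source range.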
Answer 2
Score: 1
Google Cloud has a scanner called Web Security Scanner; it identifies common security risks in your App Engine, GKE, and Compute Engine web applications. You can check out this Overview of Web Security Scanner.
> Important Note: Web Security Scanner managed scans are available only for the Security Command Center Premium tier.
You may also check this additional information on SSO for Cloud Applications.
If the aforementioned documentation doesn't help, you may reach out to Google Cloud Identity Help.
Hope it helps.