Reputation: 87
I'm migrating our system to the Google App Engine.
When our PDF generator needs an external resource (for example a picture), it does an internal HTTP request (where the request IP is different from the user IP). It then also starts a different session, so I cannot see if the user is logged in. In order to give the right permissions, I need to check if the request comes from a server IP.
In the previous code I checked this through the following code:
    if ($_SERVER['REMOTE_ADDR'] == $_SERVER['SERVER_ADDR']) {
        return true;
    }
But since $_SERVER['SERVER_ADDR'] is not available, this cannot be used.
In the new code I check this through the following code:
    $allowed_ips = array(
        '127.0.0.1',
        '8.35.201.100'
    );
    if (in_array($_SERVER['REMOTE_ADDR'], $allowed_ips)) {
        return true;
    }
The problem is: I do not know which IP addresses Google App Engine uses to do an internal request. I have found the IP address 8.35.201.100 as a server address, but are there more IP addresses or maybe ranges?
For Task Queues, Google App Engine issues requests from the IP address 0.1.0.2 (https://developers.google.com/appengine/docs/php/taskqueue/overview-push#Task_Execution). Is this the same for the internal request?
Greets, Hendrik
Upvotes: 1
Views: 1099
Reputation: 605
I don't think AppEngine discloses IP addresses. AppEngine is a dynamic environment with instances spinning up and spinning down; there would be requests from different IPs as things change.
When you make HTTP requests from AppEngine, it does set a few header fields to mark that the request was from AppEngine. I think the AppId is included. Anyway, here is the documentation on that.
https://developers.google.com/appengine/docs/php/urlfetch/#Request_Headers
From a security standpoint, anyone can just write fake HTTP headers. So I wouldn't rely on that as a means of authentication.
Upvotes: 2
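An added example, not part of the question, the answer or App Engine's own API: since neither the source IP nor request headers can be relied on to authenticate the PDF generator's internal fetch, one alternative technique is for the generator to append a short-lived HMAC-signed token to the resource URL, which the resource handler then verifies. The function names, the token format, the TTL and the hard-coded secret are assumptions made for illustration.

```php
<?php
// Added example: authenticate the PDF generator's internal fetch with a
// short-lived HMAC token instead of an IP allowlist. All names are hypothetical.

// Assumption: a random secret known only to the application (load it from
// configuration in practice; hard-coded here so the example is self-contained).
const INTERNAL_SECRET = 'replace-with-random-32-byte-secret';
const TOKEN_TTL = 60; // seconds a signed URL stays valid

// Called by the PDF generator, which still knows the logged-in user.
function sign_internal_url(string $path, int $userId, ?int $now = null): string
{
    $expires = ($now ?? time()) + TOKEN_TTL;
    $payload = $path . '|' . $userId . '|' . $expires;
    $sig = hash_hmac('sha256', $payload, INTERNAL_SECRET);
    return $path . '?' . http_build_query(['uid' => $userId, 'exp' => $expires, 'sig' => $sig]);
}

// Called by the resource handler; returns the user id to authorize as, or null.
function verify_internal_request(string $path, array $query, ?int $now = null): ?int
{
    foreach (['uid', 'exp', 'sig'] as $key) {
        if (!isset($query[$key]) || !is_string($query[$key])) {
            return null; // missing or array-valued parameter
        }
    }
    if (!ctype_digit($query['uid']) || !ctype_digit($query['exp'])) {
        return null; // only plain decimal numbers are accepted
    }
    if ((int) $query['exp'] < ($now ?? time())) {
        return null; // token has expired
    }
    $payload = $path . '|' . $query['uid'] . '|' . $query['exp'];
    $expected = hash_hmac('sha256', $payload, INTERNAL_SECRET);
    // hash_equals() compares in constant time to avoid leaking the signature
    return hash_equals($expected, $query['sig']) ? (int) $query['uid'] : null;
}

// Constructed demonstration with a fixed clock (timestamps are sample values).
$url = sign_internal_url('/img/logo.png', 42, 1000);
parse_str(parse_url($url, PHP_URL_QUERY), $q);
var_dump(verify_internal_request('/img/logo.png', $q, 1030));  // same path, within TTL
var_dump(verify_internal_request('/img/other.png', $q, 1030)); // token reused on another path
var_dump(verify_internal_request('/img/logo.png', $q, 2000));  // same path, after TTL
```

Because the signature covers the path, the user id and the expiry, a leaked URL cannot be replayed for a different resource, a different user or after the TTL has passed.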