Reputation: 1674
I am trying to find how to block HTTP access from GCP App Engine, and I am not finding many details out there. I feel that it may not be possible.
Can someone shed some light on this, via code or network setting?
Upvotes: -1
Views: 322
Reputation: 1
For those encountering this issue and seeking a quick solution, you can leverage the X-Forwarded-Proto header provided by the default Google App Engine (GAE) proxy to determine the original protocol (HTTP or HTTPS) used by the client.
X-Forwarded-Proto [http | https] Shows http or https based on the protocol the client used to connect to your application. The Google Cloud Load Balancer terminates all https connections, and then forwards traffic to App Engine instances over http. For example, if a user requests access to your site via https://PROJECT_ID.REGION_ID.r.appspot.com, the X-Forwarded-Proto header value is https.
In fact, you can implement a filter in your application to block all requests where the X-Forwarded-Proto header has a value of http. This ensures that only HTTPS requests are processed, effectively blocking any insecure HTTP traffic at the application level, while allowing secure traffic routed through the Google App Engine (GAE) proxy.
Ensure that the secure variable in the app.yaml handlers is set to optional; otherwise App Engine will automatically redirect incoming requests to either HTTP or HTTPS based on its value. Its default value is optional.
Upvotes: 0
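The filter described in the answer above, sketched as WSGI middleware. This is an added example, not code from the answer or from Google; it assumes a Python WSGI runtime, and `RequireHttps`, `allow_missing`, `hello_app` and `status_for` are hypothetical names. It is stricter than the answer's wording: it rejects every request whose X-Forwarded-Proto is not exactly https, including requests with no header at all.

```python
# Added example: WSGI middleware that refuses any request that
# App Engine's front end did not receive over HTTPS.
from wsgiref.util import setup_testing_defaults


class RequireHttps:
    """Wrap a WSGI app and answer 403 unless X-Forwarded-Proto is https."""

    def __init__(self, app, allow_missing=False):
        self.app = app
        # Hypothetical switch for local development, where no front-end
        # proxy sets the header. Leave it False when deployed.
        self.allow_missing = allow_missing

    def __call__(self, environ, start_response):
        proto = environ.get("HTTP_X_FORWARDED_PROTO")
        if proto is None:
            allowed = self.allow_missing
        else:
            # Fail closed: "http", lists such as "http, https" and junk all fail.
            allowed = proto.strip().lower() == "https"
        if allowed:
            return self.app(environ, start_response)
        body = b"HTTPS required\n"
        start_response("403 Forbidden", [
            ("Content-Type", "text/plain; charset=utf-8"),
            ("Content-Length", str(len(body))),
        ])
        return [body]


def hello_app(environ, start_response):
    """Stand-in application used only for this demonstration."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def status_for(app, forwarded_proto=None):
    """Send one constructed request through app and return the status line."""
    environ = {}
    setup_testing_defaults(environ)
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    seen = []
    list(app(environ, lambda status, headers, exc_info=None: seen.append(status)))
    return seen[0]


app = RequireHttps(hello_app)
```

The check relies on the header being set by the App Engine front end, as the quoted documentation describes; behind any other proxy chain the header is only as trustworthy as the hop that wrote it.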
Reputation: 820
As I understand, it is not possible to block HTTP access in App Engine. You can redirect HTTP to HTTPS traffic using the secure handler implemented in App Engine Standard.
For App Engine Flex, regarding the alternative of blocking port 80, you can implement a Compute VM, set a firewall rule, and then redirect to App Engine.
Lastly, keep in mind that in the App Engine Firewall you need to specify the IP ranges that you want to allow or deny; it's not possible to deny actual ports.
Upvotes: 1