Disable iframe embedding of Cloud Foundry deployed app

I created a React app and deployed it to SAP Cloud Foundry using the static buildpack. I see that I can embed my web application route in any iframe on any domain. Is there any setting I need to make in the Cloud Foundry Application Space or in the manifest.yml? Basically, I need to limit iframe embedding and whitelist just a few domains which can embed my app in an iframe.
I followed this link to create and deploy the basic app
https://blogs.sap.com/2020/07/23/deploy-your-reactjs-application-in-cloud-foundry/
I tried setting a few of the properties from the link below in User-Defined Variables, but that didn't help either.
https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/ba527058dc4d423a9e0a69ecc67f4593.html

The user-defined variables you mentioned work only if you access your application via an application router (look here for information on how to set up the application router: Setting Up Your Own Application Router).
It appears to be the default behavior of the application router to prevent embedding of pages in iframes: Disable X-FRAME-OPTIONS in SCP Portal Cloud Foundry
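To check which origins can actually frame the deployed route, the response headers can be evaluated the way a browser does. The following is an added example, not part of the original question or answer; the origins, the header values and the function names are constructed, and the model is simplified (one embedding origin, no ports or paths in CSP sources, scheme-less hosts matched on host only).

```javascript
// Added example: decide from response headers whether an origin may frame the app.
// CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
function parseFrameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null; // directive absent
}

function sourceMatches(source, embedder, appOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return embedder === appOrigin;
  if (s === '*') return true;
  const e = new URL(embedder);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return e.protocol === s; // scheme source, e.g. https:
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/);
  if (!m) return false; // ports and paths are outside this simplified model
  const [, scheme, wildcard, host] = m;
  if (scheme && e.protocol !== scheme + ':') return false;
  return wildcard ? e.hostname.endsWith('.' + host) : e.hostname === host;
}

// headers: plain object keyed by lower-case header name.
function canEmbed(headers, embedder, appOrigin) {
  const csp = headers['content-security-policy'];
  const ancestors = csp ? parseFrameAncestors(csp) : null;
  if (ancestors !== null) {
    return ancestors.some((s) => sourceMatches(s, embedder, appOrigin));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedder === appOrigin;
  return true; // no header, or obsolete ALLOW-FROM, which current browsers ignore
}

// Constructed sample data, not taken from a real deployment.
const APP = 'https://myapp.cfapps.example';
const ALLOWLIST = { 'content-security-policy':
  "default-src 'self'; frame-ancestors 'self' https://portal.example.com https://*.partner.example" };
const LEGACY = { 'x-frame-options': 'ALLOW-FROM https://portal.example.com' };

for (const origin of ['https://portal.example.com', 'https://other.example']) {
  console.log(origin, 'no headers:', canEmbed({}, origin, APP),
    '| allowlist:', canEmbed(ALLOWLIST, origin, APP),
    '| ALLOW-FROM:', canEmbed(LEGACY, origin, APP));
}
```

The `LEGACY` case shows why an allowlist of embedding domains has to be expressed with `frame-ancestors`: `X-Frame-Options` can only express "deny" or "same origin" in current browsers.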

Related

How can I find the static IP of Airflow Web UI? / Cloud Composer

I'm new to Cloud Composer and Airflow. I want to restrict access to airflow web UI with web server access control. Also I need to know the static public IP address of the Airflow Web UI.
Example Airflow UI link:
https://example-dot-region.composer.googleusercontent.com
I can't find it by pinging the airflow web UI link. How can I learn this?
There is no static IP for the Airflow UI. Following its architecture the Web UI is hosted in App Engine Flex, so it means the app will be served by any IP that is part of the Google Front End.
In general you could make App Engine Flex have a static IP (using LB + NEG for example) but since it is inside a Service Project you cannot access or control that environment.

Configure URL redirection in GCP

Cloud Composer is Google Cloud's offering of Apache Airflow, the workflow management platform.
Composer deploys the Airflow web server in an AppEngine instance, and thus the URL of the deployed webapp is non-customizable. As a service deployed in AppEngine, the host name of the URL ends in ".appspot.com", but has an automatically generated prefix, and is not easily predictable.
How can I assign a custom, easier to remember host name to point to this service?
In particular, there are firewall rules in place, so a firewall exception for *.appspot.com would be too wide.
You can try to get inspiration from my article and perform a similar thing, not with Cloud Run but with App Engine URL.
I mean:
Create an internet NEG to appspot.com
Add the host header equal to your Cloud Composer appspot URL.
Create your Load Balancer with the domain name that you want.
I didn't test; let me know if it's suitable and if it works for you.

How to make a service only accessible from another service under the same app engine in google cloud

I have an application deployed to google cloud app engine (flex environment).
The application consists of two parts: FrontEnd (Angular) and BackEnd (Spring Boot).
Each one of these applications is deployed to a different service under the same app engine.
Is there any way to apply a firewall rule to the BackEnd service to deny all requests except the ones coming from the FrontEnd service?
Note: I have many services under the same app engine, so I need to apply the rule only to one service so that other services will not be affected.
There is no way to do that currently, as the App Engine firewall will affect all your services; dispatch.yaml will not prevent clients from accessing your project using [project_name].appspot.com, and adding network in app.yaml settings will only have effect in the context of that network.
One workaround could be to set up a different project and allow access there only from another Google Cloud Project. Otherwise you can set up authentication checking on the background instances using service accounts.

Static outbound IP for Azure Web Apps

Is there a 'quick and dirty' way of funnelling calls to a web service via a certain IP address? Possibly in code (C#)?
I'm working on this Azure website (PaaS, no VM) that's got its own domain secured by SSL.
e.g. myapp.azurewebsites.net -> https://myapp.com
The system is using a 3rd party web service that uses whitelisted IPs for access control. Unfortunately they are not happy whitelisting the standard Azure egress IPs.
So what I need to do is find a way to call that web service via our own IP address (the one that came with the domain name package).
If possible, only that traffic, not all outgoing.
I've come across several solutions, but I'd rather not compromise the stability of the production website by experimenting with App Service Environment.
I think the scenario being asked about is outbound calls from an app running on Azure App Service (aka Azure Websites), to an external endpoint.
In that scenario, the outbound calls from the web app are NAT'd using a pool of IP addresses allocated for the App Service scale unit that is running your app.
Using the "preview" portal (portal.azure.com), drill into the website blade for your app and click through "All settings" --> "Properties". In the properties blade that appears, there is a textbox called "OUTBOUND IP ADDRESSES". Those are the values you need to give to the third party provider to whitelist.

cloudfoundry and geronimo app

I'm planning to deploy a Geronimo-based Java app on CloudFoundry. I read in the documentation that CloudFoundry assigns a port per application. The Geronimo app has port numbers for app, admin and JMX monitoring.
Is there any way we can request CloudFoundry to assign more than one port to each application, so that we can use these ports in different configs in the codebase?
First just fyi, if you are deploying the app as a Java web app, CloudFoundry in the backend uses only Tomcat as the application server. Therefore for your case you need to deploy it as a standalone app with your own Geronimo runtime. http://blog.cloudfoundry.com/2012/05/11/running-standalone-web-applications-on-cloud-foundry/
CF apps get one IP and one port each, accessible via environment variables VCAP_APP_HOST and VCAP_APP_PORT. There isn't a way to assign explicitly. Ports an app listens to other than the port assigned will not be accessible through CF router.
If you are interested, my suggestion would be deploying multiple apps for each port (Geronimo function) you want to listen to. This would give you URL-based app, admin or jmx monitoring.