CNAME for Google Cloud Function API

jts · 2018-01-03 11:40:44 UTC

Hi all,

So I’m building a site for a startup idea. I’m trying to eke out the best performance on the lowest possible budget. Just found out about CloudFlare the other day and have been playing with it. So far so good! What they offer for free is pretty darn generous and awesome. Anyway, on to the issue:

I have an API endpoint which hits an external API and returns data to the frontend. Since this endpoint is used for validation of entries on a form, it needs to be public with no authentication. At the same time, I want it to only be used by legitimate entities (i.e. users filling out my form on the frontend). I put this endpoint up as a Google Cloud Function (GCF). This works pretty well, but as it’s an HTTP trigger, it leaves it wide open to anybody with the URL.

My idea was I can create a CNAME record for api.mysite.com -> https://url-of-actual-google-cloud-function.com/http and use firewall rules in Google to only allow requests from CloudFlare IP’s. I thought I could set it up so CloudFlare would transparently proxy the POST requests for api.mysite.com to my actual API endpoint and return results to the user. I have the CNAME record set up (api.mysite.com points to the GCF url without the trailing /http), but it’s not working quite right. Here’s what happens:

When I “orange cloud” it:

https://api.mysite.com -> 404 from Google
https://api.mysite.com/http -> 404 from Google
http://api.mysite.com -> redirects to https://api.mysite.com -> 404 from Google
http://api.mysite.com/http -> hits my endpoint, but browser url shows the redirect, hence leaking the url I wanted to hide. It would also break my idea of firewalling b/c requests would come directly from the client.

When I “gray cloud” it:

https://api.mysite.com -> I get a Firefox security warning saying cert is invalid. Digging into that, I see it’s hit Google and is saying the wildcard cert is not valid. If I add a security exception, it 404’s from Google
https://api.mysite.com/http -> security warning -> add exception -> 404 from Google
http://api.mysite.com -> redirects to https://api.mysite.com -> 404 from Google
http://api.mysite.com/http -> as before, hits my endpoint, but browser url shows the redirect

Is there something I’m doing wrong, or is the idea wrong even in theory? Is there a better way to do this? I have CORS enabled and configured to only allow mysite.com, but there’s nothing preventing someone using CURL or Postman and setting the origin header to mysite.com, so that seems like a bad strategy.

I’ve also thought of using an api key, but that’s only secure until people discover it in the frontend. I’ve also thought about a time-limited api key that would be stored in redis and checked for every request. This seems like it would work, but I wanted to know if there were commonly accepted ways of doing this first. Redis would also add processing time for each request, which is not ideal.

Thanks for reading. Would appreciate any feedback.

mjackson · 2018-01-04 19:25:52 UTC

AFAIK Google does not allow you to setup a CNAME that points to cloud functions. However, you can setup a proxy to your google cloud functions if you deploy your app with Firebase hosting. This will give you a URL like https://your-project.firebaseapp.com/http. Then, you can connect a custom domain to your Firebase app and you should be all set.

Hope that helps! LMK how it goes.

jts · 2018-01-04 20:22:15 UTC

AFAIK Google does not allow you to setup a CNAME that points to cloud functions.

Indeed, I was just coming to the same conclusion myself – I did a CNAME from api.mysite.com -> dynamic dns name -> application IP and that works, so “something on the Google side” was my guess. That’s a bummer. I wish I knew this earlier. Do you happen to have a link where they say that?

I appreciate the suggestion to deploy to Firebase hosting. I think for the time being though, I may just store my static assets on their Cloud Storage product per this, so I don’t get too dependent on their stack.

As for the APIs, now that my free compute will be totally unused, I’ll likely put them back on a Google Compute VM with a free static IP and create a CNAME record in CloudFlare to point to the VM. I can probably still use GCF to break up the APIs some more, e.g. API endpoint -> GCF to perform validation, API endpoint -> GCF to store form data to DB. i’m curious to see whether performance is any better doing that than simply using the VM itself for all API calls.

Thank you for the information about CNAME w/cloud functions, and for the Firebase links & info. You seem very knowledgeable, I’d really appreciate hearing any further opinions or suggestions you have!

eslamdemo · 2018-01-05 23:23:44 UTC

@mjackson hello,can you help me please in my request #1461997 ?

mjackson · 2018-01-06 00:17:41 UTC

@jts You’re welcome VM sounds like a great way to go for your needs.

Sorry @eslamdemo, but I don’t work for Cloudflare so I can’t help you with your support tickets.

eslamdemo · 2018-01-06 05:23:19 UTC

@mjackson never mind :), my question is how can i use Google Cdn while using Cloudflare
Do this is possilbe and how i can do that?
In the Dns settings i put my host Server IP as “iPv4 address”
Does this correct?
After added a record test shall i use the number “1” or any of this list
as CNAME ? Please help me through this process as i found that hard and there aren’t any good explain on the internet!

Don’t forget to see the attachment and thanks in advance.