0

When using a custom domain with a Google generated security certificate, how do I get http requests to redirect to the https?

I tried setting the Django property SECURE_SSL_REDIRECT to True in settings, but that didn't work.

Edit: Yes, this question already exists, but the solution only works with Python2.

SOLUTION: For my purposes, the solution was simply to switch from the Appengine Flexible environment to the Appengine Standard environment. I solved my SSL issues with the following app.yaml.

runtime: python37
entrypoint: gunicorn -b :$PORT <django-project-name>.wsgi

handlers:
  - url: /.*
    secure: always
    redirect_http_response_code: 301
    script: auto

beta_settings:
  cloud_sql_instances: "<project-id>:<region>:<cloud-sql-instance>"
Nicholas Johnson
  • 31
  • 7

1 Answers1

3

After a bit of guess and check, I stumbled onto a solution.

Don't use the SECURE_SSL_REDIRECT Django setting. Instead, update your app.yaml to include secure:always, but also ensure that the entrypoint is set, url is set to /.*, and script is set to auto.

Despite Google documentation explicitly saying that the handlers section is deprecated, testing app deploys with and without the handlers section reveal that, as of today, GAE does reference the handlers section of the app.yaml.

Edit: Found this that clearly shows handlers in Python 3.7 app.yaml - https://cloud.google.com/appengine/docs/standard/python3/config/appref#handlers_element

app.yaml

runtime: python
env: flex
entrypoint: gunicorn -b :$PORT <projectid>.wsgi

handlers:
  - url: /.*
    secure: always
    script: auto

beta_settings:
    cloud_sql_instances: "<projectid>:<dbregion>:<dbinstance>"

runtime_config:
  python_version: 3

After having more issues, despite the documentation saying handlers would work, I have switched to the Appengine Standard environment, and it is working perfectly.

runtime: python37
entrypoint: gunicorn -b :$PORT <django-project-name>.wsgi

handlers:
  - url: /.*
    secure: always
    redirect_http_response_code: 301
    script: auto

beta_settings:
  cloud_sql_instances: "<project-id>:<region>:<cloud-sql-instance>"
Dan Cornilescu
  • 39,470
  • 12
  • 57
  • 97
Nicholas Johnson
  • 31
  • 7
  • `handlers` aren't (supposed to be) working in flex env, see https://stackoverflow.com/questions/50654961/correctly-assign-https-only-custom-domain-to-flex-env/50661513#50661513. – Dan Cornilescu Feb 22 '19 at 19:21
  • This is my currently working app.yaml, so I'd say it is working. – Nicholas Johnson Feb 22 '19 at 19:22
  • You may be doing it from your app, see https://stackoverflow.com/questions/41944776/force-ssl-on-app-engine-flexible-environment-custom-runtime (and that's from a Google guy) – Dan Cornilescu Feb 22 '19 at 19:24
  • Okay, I see what you're saying, but I completely removed the django setting to redirect to secure. The only change between my working commit and my non-working commit is the `handlers: -url: /.* secure: always script: auto` – Nicholas Johnson Feb 22 '19 at 19:31
  • one way to check - just take the handlers out and see if it still works... – Dan Cornilescu Feb 22 '19 at 20:00
  • 1
    I just commented the handlers section out completely and ran `gcloud app deploy`. Then on a different machine that I haven't accessed the site on, I checked the appspot URL and the custom domain - both say "Not Secure" in the address bar. I uncommented the handlers section deployed again, checked from a third computer, and both now automatically to to https. With this testing, I'm confident that GAE Python 3 Flex is referencing `secure:always` from the app.yaml. – Nicholas Johnson Feb 22 '19 at 20:16
  • Dan, have you seen this link? Thoughts? [app.yaml](https://cloud.google.com/appengine/docs/standard/python3/config/appref) – Nicholas Johnson Feb 25 '19 at 14:20
  • Yup, that's the +1;) It's possible that they're working on aligning the environments from this perspective - it would make sense IMHO. But without it documented and released YMMV. – Dan Cornilescu Feb 25 '19 at 15:58
  • Nice catch - now it's documented :) – Dan Cornilescu Mar 01 '19 at 20:09