15

I have been viewing my Google App Engine endpoint APIs in the API explorer (localhost) without issues; now I am getting this:

In full it says:

You are exploring an API that is described or served via HTTP instead of HTTPS. This is insecure and may be blocked by your browser. To fix this, set up a TLS proxy for your API. Alternatively, you can tell your browser to allow active content via HTTP at this site (on Chrome, click the shield in the URL bar), but this will not improve security or dismiss this message.

This is one of the API methods I have in my endpoint:

@ApiMethod(
        name = "insert",
        path = "movie",
        httpMethod = ApiMethod.HttpMethod.POST)
public Movie insert(Movie movie) throws UnauthorizedException {
    ...
}

Since I do not know what's causing this all of a sudden, I do not know what else to show. I've tried updating my browsers (Firefox, Opera, Chrome) with no luck.

Ojonugwa Jude Ochalifu
  • 1
    I'm seeing this too all of a sudden. Would be great if the devserver allowed for an SSL cert. I'm happy creating my own self-signed cert and adding it to my trusted certs. Might make sense to look into this! :( – BK- May 14 '15 at 16:12

2 Answers

13

The same problem appeared to me today.

For now, if you are using Chrome, you can click on the shield icon on the right of the URL bar and click on something saying load scripts anyway, and your API should appear.

Image: http://i.gyazo.com/f16a557c4b53c147f31067029d15c093.png

JonathanK
4

You will likely want to use a browser-based workaround, such as the shield icon on Chrome. This was recently added to address a security vulnerability. Unfortunately, we are unable to do better than this. A colleague suggests that stunnel may be viable for setting up a TLS proxy, if you want to go that route.

saiyr
  • Are you saying that we will keep seeing this fake security warning on localhost instances? That's really a pain in the *ss.. I expected it to be a temporary issue.. I'm working with cloud endpoints every single day, mostly localhost.. It's really not comfy programming like this.. :-( – Pega88 May 18 '15 at 14:48
  • Unfortunately, yes. I apologize for the inconvenience, but it is to fix a critical security vulnerability. If we were able to distribute a local version of explorer, then we wouldn't have to do that, but that is a very complicated solution. – saiyr May 18 '15 at 16:07
  • Sounds fair, but do we have a guarantee that localhost endpoints will keep working in the future? For example, might a next update of the Chrome browser not show the 'load unsafe script' anymore? – Pega88 May 18 '15 at 18:33
  • That's not something we're worried about, but I don't speak for the Chrome team. If that happens, we'll have to figure out another solution for local development. – saiyr May 18 '15 at 23:58
  • Hey Daniel, I found this SO thread which helps me a lot. When I start my dev session, I have a shortcut (the Mac solution) to start Chrome in a mode where it allows all unsafe scripts. Of course this should be used carefully, for me only to test Cloud Endpoints on localhost. Hope it helps some ppl around here! Details are here: http://stackoverflow.com/questions/14058789/how-to-force-loading-dynamic-insecure-content-in-chrome – Pega88 May 20 '15 at 13:49
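
The stunnel route mentioned in saiyr's answer, sketched as an added example (not code from the thread or from the App Engine project): a script that creates a short-lived self-signed certificate for localhost and writes an stunnel configuration that terminates TLS on loopback and forwards to the dev server. The ports 8443 and 8080, the `~/.endpoints-tls` directory and the function names are assumptions.

```shell
#!/bin/sh
# Added example: TLS proxy in front of a local Endpoints dev server via stunnel.
# Assumed values (not from the thread): dev server on 127.0.0.1:8080,
# TLS listener on 127.0.0.1:8443, working directory ~/.endpoints-tls.
BACKEND="${BACKEND:-127.0.0.1:8080}"
LISTEN="${LISTEN:-127.0.0.1:8443}"
WORKDIR="${WORKDIR:-$HOME/.endpoints-tls}"

# make_cert DIR: self-signed certificate for localhost, valid 30 days.
# Runs under umask 077 so the private key is readable by the owner only.
# -addext needs OpenSSL 1.1.1 or newer.
make_cert() {
  (
    umask 077
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=localhost" \
      -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
      -keyout "$1/localhost.key" -out "$1/localhost.crt"
  )
}

# write_conf DIR LISTEN BACKEND: stunnel service that accepts TLS on LISTEN
# and forwards plaintext to BACKEND. Binding to loopback keeps the proxy
# (and the dev server behind it) off the network.
write_conf() {
  mkdir -p "$1"
  cat > "$1/stunnel.conf" <<EOF
; global options
foreground = yes
pid =

[endpoints-devserver]
accept = $2
connect = $3
cert = $1/localhost.crt
key = $1/localhost.key
EOF
}

# Only act when asked to, so the functions can be sourced and inspected.
if [ "${1:-}" = "start" ]; then
  make_cert "$WORKDIR" &&
    write_conf "$WORKDIR" "$LISTEN" "$BACKEND" &&
    exec stunnel "$WORKDIR/stunnel.conf"
fi
```

Run it with `start` as the first argument while the dev server is up. The browser still has to be told to trust `localhost.crt`, since the certificate is self-signed.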