Does the Google App-Engine block incoming traffic by country?

I am studying system development through the Google App Engine for PHP. I am developing very well now, but I realized that I don't know how to deny incoming traffic from countries known for their vile inhabitants.

On other sites, I just block subnets through .htaccess. However, I'm starting to think that this is not possible outside of using your own PHP request header, which indicates the country code.

See their doc here: https://developers.google.com/appengine/docs/php/

It would be easy to just lock it this way, but I'm not sure if that would be the best way.

Any insight would be appreciated.

+6
2 answers

You can use a dos.yaml file to block subnets. You create a dos.yaml file in the root directory of your application and then block IP addresses or entire subnets, as indicated here. Please note that this file is limited to 100 entries.

Once you have a list of country subnets that you want to block (which you could get from a list such as this or this), you can fill in dos.yaml manually. Alternatively, you can use a script like that to populate the file.

+4
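An added example, not part of the original answer: a Python sketch of the "script to populate the file" idea. It merges a per-country CIDR list so it fits the 100-entry limit mentioned above and writes the `blacklist:` / `subnet:` layout that App Engine's dos.yaml uses. The function name, the label and the sample ranges (documentation-reserved addresses) are assumptions made for illustration.

```python
import ipaddress

DOS_YAML_MAX_ENTRIES = 100  # limit stated in the answer above


def build_dos_yaml(cidrs, label, max_entries=DOS_YAML_MAX_ENTRIES):
    """Return dos.yaml text that blocks the given IPv4/IPv6 CIDR strings."""
    nets = {4: [], 6: []}
    for line in cidrs:
        text = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not text:
            continue
        # strict=False accepts entries with host bits set, e.g. 192.0.2.17/28
        net = ipaddress.ip_network(text, strict=False)
        nets[net.version].append(net)
    # collapse_addresses merges adjacent and overlapping ranges, which is what
    # keeps a long per-country list under the entry limit. It cannot mix
    # IPv4 and IPv6, so each family is collapsed separately.
    merged = []
    for version in (4, 6):
        merged.extend(ipaddress.collapse_addresses(nets[version]))
    if len(merged) > max_entries:
        # Fail loudly instead of silently truncating the block list.
        raise ValueError(
            f"{len(merged)} subnets after merging; dos.yaml allows {max_entries}")
    out = ["blacklist:"]
    for net in merged:
        out.append(f"- subnet: {net}")
        out.append(f"  description: {label}")
    return "\n".join(out) + "\n"


# Constructed sample input using documentation-reserved ranges only.
SAMPLE = """
# hypothetical country list
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
203.0.113.64/26
192.0.2.17/28
2001:db8::/33
2001:db8:8000::/33
""".splitlines()

if __name__ == "__main__":
    print(build_dos_yaml(SAMPLE, "country XX (placeholder)"))
```

If the merged list still exceeds the limit, the script raises an error rather than dropping ranges, since a truncated list would leave part of the intended block set unenforced.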

In addition to the DOS protection mentioned in @rudolph1024's answer, you can now enable a fully functional firewall (beta recently released) to protect your GAE application.

From the App Engine firewall:

The App Engine firewall allows you to control access to your App Engine application by using a set of rules that can allow or deny requests from specified IP ranges.

Create a firewall for:

  • Allow only traffic from a specific network

    Make sure that only a certain range of IP addresses from certain networks can access your application. For example, create rules that allow a range of IP addresses from your private network in your company during the testing phase of your application. You can then create and modify your firewall rules to control the amount of access throughout the release process, allowing only certain organizations, companies or from the outside to access your application because it is publicly available.

  • Allow traffic from a specific service only

    Make sure that all traffic for your App Engine application is first proxied through a specific service. For example, if you use a third-party web application firewall (WAF) for proxy requests sent to your application, you can create firewall rules to reject all requests except those redirected from your WAF.

  • Block Invalid IP Addresses

    While the Google Cloud Platform has many mechanisms to prevent various attacks, you can use the App Engine firewall as another mechanism to block traffic to your application from IP addresses that have malicious intentions.

    You should use the App Engine firewall as a primary setting to protect your application from denial of service attacks or similar abuse. You can blacklist IP addresses or subnets so that requests redirected from these addresses and subnets are rejected before they reach the App Engine application.

For more information about creating rules and configuring a firewall, see Managing Application Access Using Firewalls.

The firewall is intended to replace DOS protection. From Denial of Service (DoS):

Tip: You should instead use the App Engine firewall for strong protection, as well as advanced features, access, and management through the Cloud Platform Console, the gcloud tool and the Admin API.

You need to collect the IP ranges for the country in your particular case in order to configure the firewall.

+1
