I'm posting my workaround that I've implemented for anyone that may be interested in the future. I'd also appreciate feedback.
1) Client hits https://mydomain.com/blah which goes through EC2 proxy https://appid.appspot.com/blah 2) The client is redirected to the google login page, with continue set as /aa?continue=/blah 3) Client logs into Google Accounts and is then redirected to https://appid.appspot.com/aa?continue=/blah 4) Client hits https://appid.appspot.com/aa which serves a redirect to https://mydomain.com/sc?c=ACSID&continue=/blah where ACSID is the Google account session cookie read by the handler for /aa. 5) Client hits https://mydomain.com/sc?c=ACSID&continue=/blah which sets the ACSID session cookie for the domain mydomain.com and redirects to https://mydomain.com/blah based on a continue parameter in aa passed to sc Following is my web.xml / is publicly accessible /aa is publicly accessible /sc is publicly accessible /* is restricted to logged in users Following is the restriction in the handlers (with some tricky url escaping): / --> if not logged in, redirect to login page continue=/aa /aa --> if not logged in, redirect to login page continue=/aa /sc --> if not logged in, redirect to login page continue=/aa /* --> if not logged in, redirect to login page continue=/aa?continue=* After this, the user service seems to work normally even when going through a proxy serving with SSL. The ACSID cookie is now on mydomain.com and sent through the proxy to appengine. The appspot domain will still show up to tech savvy users, but this is not my main concern. My goal is to serve over https and keep my customdomain in the url bar and be more secure with user data as serving over no SSL using my custom domain. Since the entire transaction is over https, I don't think this exposes the session cookie any more than using mydomain.com without SSL. Any other cross site attacks would work even without this scheme anyway. I'm still not sure why mydomain.com/_ah/conflogin?state=blah fails and requires this workaround. On Tuesday, March 20, 2012 8:37:40 PM UTC-7, tarun2000 wrote: > > I set up a reverse proxy with nginx on ec2 to provide ssl for my appengine > custom domain. It works until users need to login. The users are > redirected to my appspot url after authenticating if I provide a relative > continue url. I tried setting the continue parameter with the entire url > (the one that hits the proxy) instead of just the relative location, but > this results in a 500 on appengine when appengine redirects to > mycustomdomain?conflogin (which the proxy sends to my appspot url). > > Is there a way to use Google Accounts and User Service with a reverse > proxy or will I need to create my own sign on system? (I know SSL for > custom domains is in testing but I'm looking for an immediate solution > since there is no telling when this will be available). > -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To view this discussion on the web visit https://groups.google.com/d/msg/google-appengine/-/FbsUXa8YKgAJ. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.
