Hi Tarun,

I am hitting the same problem today. Did you find any solution?

"I'm still not sure why mydomain.com/_ah/conflogin?state=blah fails and 
requires this workaround."

Thanks
PK

On Wednesday, March 21, 2012 at 3:49:32 PM UTC-7, tarun2000 wrote:
>
> I'm posting my workaround that I've implemented for anyone that may be 
> interested in the future.  I'd also appreciate feedback.
>
> 1) Client hits https://mydomain.com/blah which goes through EC2 proxy 
> https://appid.appspot.com/blah
> 2) The client is redirected to the Google login page, with continue set as 
> /aa?continue=/blah
> 3) Client logs into Google Accounts and is then redirected to 
> https://appid.appspot.com/aa?continue=/blah
> 4) Client hits https://appid.appspot.com/aa which serves a redirect to 
> https://mydomain.com/sc?c=ACSID&continue=/blah where ACSID is the Google 
> account session cookie read by the handler for /aa.
> 5) Client hits https://mydomain.com/sc?c=ACSID&continue=/blah which sets 
> the ACSID session cookie for the domain mydomain.com and redirects to 
> https://mydomain.com/blah based on a continue parameter in aa passed to sc.
>
> Following is my web.xml
> / is publicly accessible
> /aa is publicly accessible
> /sc is publicly accessible
> /* is restricted to logged in users
>
> Following is the restriction in the handlers (with some tricky url 
> escaping):
> / --> if not logged in, redirect to login page continue=/aa
> /aa --> if not logged in, redirect to login page continue=/aa
> /sc --> if not logged in, redirect to login page continue=/aa
> /* --> if not logged in, redirect to login page continue=/aa?continue=*
>
> After this, the user service seems to work normally even when going 
> through a proxy serving with SSL.  The ACSID cookie is now on mydomain.com 
> and sent through the proxy to appengine.
>
> The appspot domain will still show up to tech-savvy users, but this is not 
> my main concern. My goal is to serve over https and keep my custom domain in 
> the url bar and be more secure with user data than serving over no SSL using 
> my custom domain.  Since the entire transaction is over https, I don't 
> think this exposes the session cookie any more than using mydomain.com 
> without SSL.  Any other cross site attacks would work even without this 
> scheme anyway.
>
> I'm still not sure why mydomain.com/_ah/conflogin?state=blah fails and 
> requires this workaround.
>
> On Tuesday, March 20, 2012 8:37:40 PM UTC-7, tarun2000 wrote:
>>
>> I set up a reverse proxy with nginx on EC2 to provide SSL for my 
>> appengine custom domain.  It works until users need to log in.  The users 
>> are redirected to my appspot url after authenticating if I provide a 
>> relative continue url.  I tried setting the continue parameter with the 
>> entire url (the one that hits the proxy) instead of just the relative 
>> location, but this results in a 500 on appengine when appengine redirects 
>> to mycustomdomain?conflogin (which the proxy sends to my appspot url).
>>
>> Is there a way to use Google Accounts and User Service with a reverse 
>> proxy or will I need to create my own sign on system?  (I know SSL for 
>> custom domains is in testing but I'm looking for an immediate solution 
>> since there is no telling when this will be available).
>>
>
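
An added sketch of the /sc step (step 5) from the quoted workaround, not the poster's code and written as framework-neutral Python rather than App Engine handler code: it accepts `continue` only when it is a relative path on the same site and sets the cookie with Secure and HttpOnly. The function names, the token character allow-list and the cookie attributes are assumptions.

```python
import re
from urllib.parse import parse_qs

# Assumption: the session token uses only these cookie-safe characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9_.\-]{1,4096}")

def safe_continue(value, default="/"):
    """Return value only if it is a relative path on this site, else default."""
    if not value or not value.startswith("/"):
        return default            # absolute URLs and bare hosts are refused
    if value[1:2] in ("/", "\\"):
        return default            # "//host" and "/\host" resolve to another host
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return default            # control characters could split the header
    return value

def handle_sc(query_string):
    """Step 5: set the cookie on the custom domain, then redirect.

    Returns (status, headers) so it can be wired into any framework.
    """
    params = parse_qs(query_string)
    token = params.get("c", [""])[0]
    if not TOKEN_RE.fullmatch(token):
        return 400, []
    target = safe_continue(params.get("continue", [""])[0])
    # Assumption: Secure and HttpOnly are wanted since the site is HTTPS-only.
    cookie = f"ACSID={token}; Path=/; Secure; HttpOnly"
    return 302, [("Set-Cookie", cookie), ("Location", target)]

if __name__ == "__main__":
    # Constructed request; the token is a placeholder, not a real ACSID value.
    print(handle_sc("c=CONSTRUCTED_TOKEN_123&continue=%2Fblah"))
```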
