Hi!
Indeed, I created 3 issues:
 https://issuetracker.google.com/191532872
 https://issuetracker.google.com/191532873
 https://issuetracker.google.com/191532874
issue-72 corresponds to my question 1 (and now cannot be seen, access is 
denied... I don't know why)
issue-73 is assigned, and issue-74 is related to 73 so they were merged

First I thought what I wanted must be possible but I guess it is not. Then 
I found the issue tracker and formulated these feature requests.

If anybody has a comment, please continue there to avoid duplicates.

Thanks for your reply!




Roberto Carbajales (Google Cloud Platform Support) wrote on Tuesday, June 22, 
2021 at 16:16:08 UTC+2:

> Hello, 
>
> After searching for a while I noticed that you already created some public 
> issue tracker entries with feature requests that are the same as the questions 
> that you have in this group. Here [1], in this public issue tracker, the 
> engineering team is already aware of your request; we just need to wait for 
> them, and we could continue the discussion there.
>
> Hope this solves your answer.
> Best regards.
>
> -------
> [1] https://issuetracker.google.com/191532873
>
> On Sunday, June 20, 2021 at 12:29:23 PM UTC+2 [email protected] wrote:
>
>> Hi!
>> I will use these abbreviations:
>> GFE: Google Frontend
>> APP: my app engine app (java11 with jetty embedded web server)
>>
>> I try to make GFE *drop an http request*. I need this when I *rate limit* 
>> in my APP against bad actors (even if they happen to be good, I choose 
>> service denial over *wallet drain*). Also, when my APP receives some 
>> request from *a clearly bad actor* I just want to ignore this request (I 
>> do not care about servlet specifications and such, I do not want to pay a 
>> horrible bill).
>>
>> I tried plenty of things, making Jetty return different HTTP status codes 
>> or making Jetty drop the request. *GFE still replies to all*. The minimum 
>> reply is around *100 bytes* since GFE adds *5 response headers*... but I 
>> just encountered this reply from GFE when Jetty terminates the connection 
>> (700 bytes(!!!) and I pay for an unwanted reply, unwanted response headers, 
>> unwanted error message and 5 repeated comments(!!!!!) it is outrageous!):
>> <html>
>> <head><title>502 Bad Gateway</title></head>
>> <body bgcolor="white">
>> <center><h1>502 Bad Gateway</h1></center>
>> <hr><center>nginx</center>
>> </body>
>> </html>
>> <!-- a padding to disable MSIE and Chrome friendly error page -->
>> <!-- a padding to disable MSIE and Chrome friendly error page -->
>> <!-- a padding to disable MSIE and Chrome friendly error page -->
>> <!-- a padding to disable MSIE and Chrome friendly error page -->
>> <!-- a padding to disable MSIE and Chrome friendly error page -->
>> <!-- a padding to disable MSIE and Chrome friendly error page -->
>>
>>
>> So my questions are:
>> 1. *how can I drop/ignore requests to my(!) app* that I think come from 
>> bad actors and just drain my wallet. If there is no way, I really want to 
>> have *a feature* to tell GFE to *just abort the connection* (*or an 
>> explanation* why this is not possible).
>>
>> 2. how can I *minimize the size of the reply?* I.e. make GFE *not add 
>> any response headers* or at most the Date header. If there is no way, 
>> I really want to have a feature to tell GFE since the http spec does not 
>> call any response headers a MUST (practically the Date header is but if bad 
>> actors can misuse the http protocol I want to be able to defend myself and 
>> minimize my costs).
>>
>> My problems are *rather of financial nature*. I trust GFE to mitigate 
>> big DDoS attacks. But I see how GFE just lets plenty of requests from 
>> curl(!) bomb my APP and drain my resources/wallet. I really need methods 
>> to skip requests OR if GFE does not want it I SHOULD NOT pay for those I 
>> think come from bad actors.
>>
>> Thanks!
>> ps: in the documentation of App Engine they say defending against Layer 7 
>> attacks (http flood, wallet drain) is common(!) responsibility. I do my job 
>> and I find it OK that GFE lets plenty of requests reach my app, even if 
>> they are clearly not from a browser or so (testing). However, if GFE always 
>> sends a reply, where I pay a small amount through outgoing bandwidth, I 
>> cannot defend myself unless I can tell GFE to drop or minimize reply (size).
>>
>
