Securely allow Google App Engine to internal company network/servers for Google Apps Scripts


Problem description

It is well documented that Google Apps Script runs on Google App Engine servers that would not have access to a company's internal network/server:

Per the documentation, if you want a Google Apps Script project to have access to an internal network/server then you will have to white-list Google's IPs. But we all know that isn't the safest option. In fact, the documentation even says so:

Note that using static IP address filtering is not a safe and effective means of protection. For example, an attacker could set up a malicious App Engine application that may share the same IP address range as your application. Instead, we recommend you use OAuth.

The issue is I cannot find any documentation, reference material, or articles on how best an organization should do what it suggests.

So my question is, how can an organization using G-Suite Enterprise securely allow Google Apps Script projects to access the company's internal network?

Recommended answer

The documentation made it quite clear that, since App Scripts are run on shared App Engine instances, it is impossible to restrict with IP, and that also implies the networking capability would be very limited (i.e. no VPC peering or the like). Therefore, as in the highlighted block, they suggest implementing authentication over just IP restriction.

Apart from authentication, App Script also supports encrypting and authenticating the server with SSL (sample code). This should protect the connection from being eavesdropped when sent over the Internet.

Furthermore, you can implement a "semi IP restriction" mechanism, technically called Port Knocking, which briefly works as follows:

  1. First create a special endpoint that requires authentication and accepts an IP address as input. On request, you open the firewall to accept connections from that IP to the internal network for a limited time (e.g. 5 minutes).
  2. In Apps Script, request that endpoint with URL Fetch so that your script instance is temporarily allowed to access your network.

Of course that will not be perfect, since one App Engine instance runs many scripts concurrently and the whitelist is opened for a set time, but still this is considerably better than persistently opening the port to all Google (App Engine) IPs.

