How to filter App Engine connections by host with Google Cloud SQL Second Generation? (2nd)


Question


Google App Engine seems to automatically tunnel its connections to Cloud SQL 2nd generation internally through Cloud SQL Proxy. This was discovered inadvertently while trying to sort out how to use TLS, unsuccessfully: "TLS requested but server does not support TLS" error with Google Cloud SQL (2nd generation) from Google App Engine?

I noticed that this works without allowing unsecured access globally to the Cloud SQL instance... which is nice. However, we can only filter the accepted hostname for connections to cloudsqlproxy~% and not to localhost, and this allows virtually any "cloudsqlproxy" host to connect with the right credentials.

Is this safe and correct to do, and better than using %... which would obviously bypass any sort of host filtering? Or, does this open any cloudsqlproxy's possible connection to our 2nd generation instance?

The goal is to restrict connections on a particular user account on the SQL instance to ONLY come from our App Engine project. Nothing else should be able to connect with these credentials.

Solution

Good question. You are right that using cloudsqlproxy-% is the strictest filtering you can apply for App Engine connections right now, and unfortunately that means you cannot effectively say "allow connections from App Engine but not from Cloud SQL Proxy".

It's hard to come up with a solution that maintains the consistency between App Engine Standard and App Engine Flexible since App Engine Flex VMs live in the customer project. It could be somewhat confusing if the restriction only applied to App Engine Standard, but not App Engine flex.

You can somewhat limit the exposure by limiting who can use the Cloud SQL Proxy by limiting the Editors (and owners) of a project as the account connecting using Cloud SQL Proxy must have Editor access or above. In the future, this will become more fine grained with IAM support.
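As an added illustration (not part of the question or answer above), here is the host filtering the thread discusses written out as MySQL account definitions: the permissive '%' host beside the stricter 'cloudsqlproxy~%' host pattern mentioned in the question, followed by two checks. The account name 'appuser', the database 'appdb' and the password are placeholders assumed for the example; nothing else is taken from the original post.

```sql
-- Added example, not code from the original question or answer.
-- 'appuser', 'appdb' and the password are assumed placeholders.

-- Weak form: host '%' accepts these credentials from any client address,
-- so the host part of the account does no filtering at all.
CREATE USER 'appuser'@'%' IDENTIFIED BY 'change-me';

-- Stricter form: connections that arrive through the Cloud SQL Proxy
-- present a host of the form cloudsqlproxy~<address>, so this pattern
-- accepts proxy connections and rejects direct connections from other
-- hosts. In MySQL host patterns only '%' and '_' are wildcards; '~' is
-- matched literally.
CREATE USER 'appuser'@'cloudsqlproxy~%' IDENTIFIED BY 'change-me';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'appuser'@'cloudsqlproxy~%';

-- Drop the permissive account so a connection from a host other than the
-- proxy has no 'appuser' row left to match.
DROP USER 'appuser'@'%';

-- Check 1: every host pattern that still exists for this user. Any row
-- whose host is '%' (or a broad address pattern) widens exposure beyond
-- proxy connections.
SELECT user, host FROM mysql.user WHERE user = 'appuser';

-- Check 2 (on a live instance): current sessions for the account should
-- all show the cloudsqlproxy~ prefix in the host column.
SELECT user, host FROM information_schema.PROCESSLIST WHERE user = 'appuser';
```

Run the statements with an administrative account on the instance. The limit the answer describes still applies: the host pattern only separates proxy connections from direct ones, and anyone who can run the Cloud SQL Proxy against the project (Editor access or above at the time of the answer) still matches it, so restricting project membership remains the second control.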
