ssl: Creating a domain mapping on GCP Cloud Run with a Cloudflare-managed domain

gjmwrych posted on 2023-11-18 in Other
Follow (0) | Answers (2) | Views (129)

I was wondering whether anyone has experience creating a domain mapping in GCP Cloud Run where the domain is managed by Cloudflare.
When I do this, I end up with a 525 (SSL handshake failed). With the limited visibility into what happens on the GCP side, I can't really debug where the problem is.
Any tips or pointers would be much appreciated.

mwg9r5ms #1

Found my answer here; it turns out Cloudflare is currently not supported by Cloud Run: https://github.com/ahmetb/cloud-run-faq#how-can-i-configure-cdn-for-cloud-run-services

dced5bon #2

I got it working by disabling Cloudflare security, HTTPS rewrites and the browser integrity check for the ACME challenge, as described in their community forum. The latter is needed because otherwise Google gets blocked by Cloudflare (this can be verified in your security events).
In case it helps, this is the Terraform setup I used:

## Variables

variable "domain_suffix" {
  type        = string
  description = "The domain suffix used by all subdomains."
  default     = "example.com"
}

variable "domain_prefix" {
  type        = string
  description = "The subdomain prefix."
  default     = "sub"
}

variable "cloud_run_location" {
  type        = string
  description = "The location of the Cloud Run services."
  default     = "us-central1"
}

# Declared here because the resources below reference them
variable "cloudflare_zone_id" {
  type        = string
  description = "The ID of the Cloudflare zone that holds the domain."
}

variable "project" {
  type        = string
  description = "The GCP project ID, used as the domain mapping namespace."
}

locals {
  # Input variables must be referenced as var.<name>
  full_domain = "${var.domain_prefix}.${var.domain_suffix}"
}

## Cloudflare resources

resource "cloudflare_record" "subdomain" {
  zone_id = var.cloudflare_zone_id
  name    = var.domain_prefix
  value   = "ghs.googlehosted.com"
  type    = "CNAME"
  proxied = true
}

# Disable security and browser integrity checks for the ACME challenge as GCP needs it for custom domain mapping
resource "cloudflare_page_rule" "acme_challenge_bypass" {
  zone_id = var.cloudflare_zone_id
  target  = "${local.full_domain}/.well-known/acme-challenge/*"
  actions {
    automatic_https_rewrites = "off"
    browser_check            = "off"
    cache_level              = "bypass"
    security_level           = "essentially_off"
  }
}

## Cloud Run resources

resource "google_cloud_run_v2_service" "default" {
  name     = "cloudrun-service"
  location = var.cloud_run_location
  template {
    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
}

resource "google_cloud_run_domain_mapping" "default" {
  location = var.cloud_run_location
  name     = local.full_domain
  metadata {
    namespace = var.project
  }
  spec {
    route_name = google_cloud_run_v2_service.default.name
  }
}

With this setup, all my domains got verified and were working within 20 minutes.
