Securing Firebase Hosting web site with a GCP VPN - firebase

I am working on a platform (www.dashboard.example.com) that has an admin site (www.admin.example.com). Each site is hosted on a different Google Firebase Hosting Project.
I want only certain people to be able to access the admin site. After some consideration, I found an IPSec VPN to be the best solution for me.
I also found that GCP offers a VPN service, but from what I can tell, it seems to only work with google compute engines.
Is there a way to attach a Google VPN to a Firebase Hosted site?

There is no way to attach a Cloud VPN to a Firebase Hosting Project.
In GCP the correct way to restrict the access to your web server/application is by using firewall rules/App Engine's firewall and Cloud VPC/VPN service.
Your approach should be to put a proxy by configuring a Google Compute Engine1 in between your gateway service and your Firebase Hosting Project.
Another approach would be to use Cloud Storage2, as a static website3. You can then create an HTTPS Load Balancer based on Backend Bucket4. With this you can benefit from the advantages of using Load Balancer and also using Cloud VPN.
If you are interested in authentication with Firebase and App Engine I suggest to check the following link 2.

Related

How to secure REST API endpoints served via GCP Cloud Run?

I have a simple web site hosted in Firebase and it is making AJAX calls to REST API endpoints in GCP Cloud Run.
I would like to limit these endpoints only to the calls coming from this site hosted in Firebase. Any call coming from any other origin should not be able to use the endpoints. What is the best way to do this?
When I was not using GCP Cloud Run, I was doing a host check on the API side to make sure that request is coming from my client but now with Cloud Run this is not possible. What else could be done?
Please note that the web-site hosted in Firebase is very simple and do not do any user authentication.
Challenge: Restrict access to a Cloud Run service to a single web application, without relying on:
Restricting access to the web application
Imposing authentication on users
This difficulty is not specific to Cloud Run. It's a general challenge for static sites backed by APIs, and a reason why many sites have authentication. As mentioned in the question comments, a server-side "host" check is not a meaningful security layer, as everything in the HTTP request can be faked. I strongly recommend you not worry about keeping your API private or add user authentication to keep the system simple and access accountable.
If that's not possible, you can still take the authentication approach by creating a single user, embedding the credentials in the site, and rotating them regularly (by redeploy to Firebase Hosting) to prevent credential theft from having indefinite access to your API. Having Firebase Auth in the middle is better than a simple API key because it prevents replay attacks from accessing your API.

Firebase Hosting doesn't has firewall?

Having one of application hosted on Firebase with some additional services there (Cloud Firestore, Cloud Storage for Firebase, Cloud Functions for Firebase) decided to make some security scanning. One of the tools https://sitecheck.sucuri.net/ shows me that there's no firewall for it, is it possible? It has reverse proxy & Fastly's CDN, but would be a firewall missing for apps hosted on Firebase Hosting?
Firebase hosting resources access is unfortunately not restricted by any means, check out the question below?
Can Firebase restrict access to resources?
However, There are things you can do in the regard of security:
Use Cloud functions to render dynamic resources and microservices
https://firebase.google.com/docs/hosting/functions
Use Firestore rules to secure the data access
Use Firebase authentication to make sure that only authenticated users can do certain actions
Even though, we all hope for that firewall option to be added.
Best Regards
Firebase Hosting does not have a firewall feature. If you publish content to it, that will be accessible from anywhere there is an internet connection.

Does Firebase Hosting provides support for DNSSEC?

Is there any support for DNSSEC for apps hosted on Firebase? According to these 2 reports not:
https://viewdns.info/dnssec/?domain=firebaseapp.com
https://viewdns.info/dnssec/?domain=web.app
DNSSEC is a feature of DNS. Firebase Hosting doesn't provide DNS functionality. You need to check with the DNS provider of the domain you are going to use. web.app and firebaseapp.com may not be setup with DNSSEC but you shouldn't use them for a production app anyways.

App Engine and Firebase Hosting in One Domain

I have a custom domain (travelbox.id) that connected to Firebase Hosting already. I also have an App Engine application to serve as my API. I want to host the App Engine application on api-dev.travelbox.id. I mapped the custom domain to App Engine following this docs but domain connection to Firebase Hosting stop working. If you access api-dev.travelbox.id it is connected to App Engine. But if you access travelbox.id it doesn't connected to Firebase Hosting.
Is that impossible to achieve what I want?
I had the same issue and contacted Google Cloud support, here's their answer:
App Engine doesn't need to have the A records on the root domain if
you are only serving from a subdomain. App Engine should work
properly for you with just the one CNAME on subdomain.example.com.
I found the solution myself, here you go!
On the fourth step in this docs, i didn't add A records, just add AAAA records. Suprisingly, it works! :D

Secure a firebase hosting link to only be accessible from a specific ip

I am using angular 4 angularfire 2 and firebase in an web app. I am conditionate to use firebase as a backend service and because the app has to only be used inside the office i am wondering if there is any way i can configure some firebase rules or anything to make the app not work or be shown from another ip than the office ip. Please leave any kind of way i can do it. Thanks in advance!
There is currently no way to restrict access to a site deployed to Firebase Hosting. It will always be accessible from anywhere in the world that is not blocked by some other firewall.

Resources