Aral Balkan

I'm seeing a lot of misinformation out there that Google App Engine has SSL support. It doesn't.

If you read Google's announcement from last month carefully, you will see that it is titled "Announcing HTTPS support for appspot.com", not "for Google App Engine" .

"What's the difference?", you may be wondering. It's quite big.

What google supports is SSL for subdomains for appspot.com. So, if you're happy with hosting your application only from your appspot.com subdomain, then you can use SSL in your application. For example, I have several simple open source apps that I host on Google App Engine, like opencountrycodes and isvat. Since I'm not worried about having custom domains for these, I host them on appspot.com subdomains (e.g., opencountrycodes.appspot.com). If I wanted to use HTTPS on these apps, I could and you could hit, for example, https://opencountrycodes.appspot.com to get to the secure version of the site.

The issue arises when you want to use your own domain for your App Engine application. The <head> conference web site, for example, resides at http://www.headconference.com. It also has a subdomain on appspot.com but I don't publicize that. Currently, there is no way I can use SSL on the Head Conference web site as Google App Engine only supports SSL for appspot.com subdomains (so, if the headconference subdomain on appspot.com was headconference.appspot.com, I could use SSL on that subdomain).

"So", I can hear you ask, "why don't you just use headconference.com for everything and headconference.appspot.com for the SSL connections?"

The answer: sessions and usability.

Take this example:

I want to use PayPal to process a payment. My user hits www.headconference.com, signs in, and starts the checkout process. I forward the user to PayPal and pass the secure URL of my notification script to PayPal (e.g., https://headconference.appspot.com/my/notification/handler/). When the user returns from PayPal, they are no longer on the headconference.com site, their session is no longer valid, and they need to sign in again.

In other words, this is not a usable solution for custom domains.

The problem is that implementing SSL on Google App Engine is not a trivial solution. One possible methodx that has been suggested several times in the forums is to use the Server Name Indication (SLI) extension to Transport Layer Security (TLS).

So what is the current state of SSL on Google App Engine? It's still not supported, with the exception of applications that are hosted only at appspot.com subdomains. In other words — given that most real-world applications, whether commercial or not, will want to be hosted under their own domains — SSL is still not supported for real-world applications on Google App Engine.

Comments

• Aral, Thanks for this post. I have been hitting my head against the wall trying to implement custom login using gwt/app engine. ~Yoko

  by Yoko on 2009-11-25 00:10:20

• Hi Aral, Have you found any good workarounds for the problem above? Thanks for all your helpful articles about App Engine, by the way! Sam

  by Sam Kuper on 2010-04-11 02:02:39

• Hello Aral, Thanks for a informative blog post. Very helpful at the right time. I have a small question for you. I have an application deployed in Google App Engine [GAE]. I have my domain registered as xyz.abc.com which pointe to the *.appspot.com. Is there any way I can use a HTTPS connection to this URL? It would be really helpful if you can let me know of any information or pointers to useful info or any workarounds. Thanks Ranga

  by Ranga on 2010-08-30 14:50:28

• Wanted to let you know we just enabled a service at CloudFlare that makes SSL work on custom domains hosted on AppEngine: http://blog.cloudflare.com/ssl-on-custom-domains-for-appengine-and-other We read your post when we were researching whether this was a feature developers cared about enough to build it. Let us know if you have any suggestions on how we can make it better.

  by Matthew Prince on 2011-07-22 22:39:11