Set up TLS proxy for Google Cloud Endpoint APIs

2

15

I have been viewing my Google App Engine endpoint APIs in the API explorer (localhost) without issues, now am getting this:


in full it says:

You are exploring an API that is described or served via HTTP instead of HTTPS. This is insecure and may be blocked by your browser. To fix this, set up a TLS proxy for your API. Alternatively, you can tell your browser to allow active content via HTTP at this site (on Chrome, click the shield in the URL bar), but this will not improve security or dismiss this message.

This is one of the API methods I have in my endpoint:

@ApiMethod(
        name = "insert",
        path = "movie",
        httpMethod = ApiMethod.HttpMethod.POST)
public Movie insert(Movie movie) throws UnauthorizedException {
    ...
}

Since I do not know what's causing this all of a sudden, I do not know what else to show. I've tried updating my browsers (Firefox, Opera, Chrome) with no luck.

Verdaverdant answered 11/5, 2015 at 18:8 Comment(1)
I'm seeing this too all of a sudden. Would be great if the devserver allowed for an SSL cert. I'm happy creating my own self-signed cert and adding it to my trusted certs. Might make sense to look into this! :( Uncanny
13

The same problem appeared to me today

For now, if you are using Chrome, you can click on the shield icon on the right of the URL bar and click on something saying load scripts anyway, and your API should appear.

Image: http://i.gyazo.com/f16a557c4b53c147f31067029d15c093.png

Skylar answered 11/5, 2015 at 20:56 Comment(3)
Thanks @JonathanK. While your answer gives me access to my API, it doesn't solve the problem of the error warning. A plus one is in order though. Verdaverdant
Apparently there's no other solution, so let's go with this for right now. Cacie
4

You will likely want to use a browser-based workaround, such as the shield icon on Chrome. This was recently added to address a security vulnerability. Unfortunately, we are unable to do better than this. A colleague suggests that stunnel may be viable for setting up a TLS proxy, if you want to go that route.

Arad answered 13/5, 2015 at 2:25 Comment(5)
Are you saying that we will keep seeing this fake security warning on localhost instances? That's really a pain in the *ss.. I expected it to be a temporary issue.. I'm working with cloud endpoints every single day, mostly localhost.. It's really not comfy programming like this.. :-( Claman
Unfortunately, yes. I apologize for the inconvenience, but it is to fix a critical security vulnerability. If we were able to distribute a local version of explorer, then we wouldn't have to do that, but that is a very complicated solution. Arad
Sounds fair, but do we have a guarantee that localhost endpoints will keep working in the future? For example, might a next update of Chrome browser not show the 'load unsafe script' anymore? Claman
That's not something we're worried about, but I don't speak for the Chrome team. If that happens, we'll have to figure out another solution for local development. Arad
Hey Daniel, I found this SO thread which helps me a lot. When I start my dev session, I have a shortcut (the mac solution) to start chrome in a mode where it allows all unsafe scripts. Of course this should be used carefully, for me only to test Cloud Endpoints on localhost. Hope it helps some ppl around here! Details are here: #14059289 Claman
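
The stunnel route mentioned in the answer above, sketched as an added example that is not part of the original thread or of any Google tooling: a loopback-only TLS proxy in front of the local dev server, using a short-lived self-signed certificate. The backend address `127.0.0.1:8080`, the proxy address `127.0.0.1:8443`, the `tls-proxy` directory and the service name `devserver-tls` are assumptions.

```shell
#!/bin/sh
# Added example: stunnel as a TLS-terminating proxy for a local dev server.
# All addresses and paths below are assumptions, not values from the thread.
set -eu

PROXY_DIR="${PROXY_DIR:-$PWD/tls-proxy}"   # absolute path for cert, key, config
BACKEND="${BACKEND:-127.0.0.1:8080}"       # plain-HTTP dev server (assumed port)
LISTEN="${LISTEN:-127.0.0.1:8443}"         # HTTPS side offered to the browser

# Refuse a listen address that would expose the dev server to the network.
check_loopback() {
    case "$1" in
        127.0.0.1:*|localhost:*) return 0 ;;
        *) echo "refusing non-loopback listen address: $1" >&2; return 1 ;;
    esac
}

# Short-lived self-signed certificate that is valid for localhost only.
# The subjectAltName entry is what current browsers match the host against.
make_cert() {
    mkdir -p "$PROXY_DIR"
    ( umask 077   # private key readable by the current user only
      openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
          -subj "/CN=localhost" \
          -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
          -keyout "$PROXY_DIR/localhost.key" \
          -out "$PROXY_DIR/localhost.crt" )
}

# stunnel service: accept TLS on LISTEN, forward cleartext to BACKEND.
write_conf() {
    mkdir -p "$PROXY_DIR"
    cat > "$PROXY_DIR/stunnel.conf" <<EOF
foreground = yes
pid =

[devserver-tls]
accept = $LISTEN
connect = $BACKEND
cert = $PROXY_DIR/localhost.crt
key = $PROXY_DIR/localhost.key
EOF
}

# Only act when invoked as "script start", so the functions can be reused.
if [ "${1:-}" = "start" ]; then
    check_loopback "$LISTEN"
    make_cert
    write_conf
    exec stunnel "$PROXY_DIR/stunnel.conf"
fi
```

The browser still has to trust `localhost.crt` (the self-signed approach raised in the first comment on the question), and the explorer has to be pointed at the proxy's `https://` address rather than the dev server's `http://` one.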
