SSL Configuration
Unlike the automatically generated SSL certificates supported by App Engine, CDN / Load Balancing requires you to provide your own SSL certificate. If you are using a provider like NameCheap, the first step is to create a private key and a certificate signing request (CSR). Using the CSR you can request a certificate from your SSL provider of choice. After the usual verification of email address you will typically end up with a certificate file. This can then be used by the create certificate resource tool.
1. Create your private key
openssl genrsa -out my-private-key.key 2048
2. Create your certificate signing request
openssl req -new -key my-private-key.key -out certificate-signing-request.csr
Once you have your certificate signing request, paste it into your SSL provider's site to start the signing process. Once your respective domain validation is done you will be sent your certificate. Save it into my-certificate.cert to continue below.
3. Upload your certificate
gcloud compute ssl-certificates create certificate-name --certificate my-certificate.cert --private-key my-private-key.key
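A check worth running on the files from steps 1 and 2 before the upload in step 3, added here as an example and not part of the original post: it confirms that the certificate (and optionally the CSR) carries the same public key as the private key, that the certificate file contains no private key block, and that the certificate has not expired. The function names pubkey_digest and check_tls_pair are made up for this example; only standard openssl subcommands are used.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Defines two helper functions;
# file names in the usage line are the ones used in steps 1-3.

# Print a SHA-256 digest of the public key held in a key, CSR or certificate.
pubkey_digest() {
  case "$1" in
    key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
    csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
    cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
    *)    return 2 ;;
  esac
  # An empty result must never compare equal to another empty result.
  [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_tls_pair KEY CERT [CSR]: return 0 only if the files belong together.
check_tls_pair() {
  key=$1 cert=$2 csr=${3:-}
  # The certificate (or combined chain) file is public; it must not carry a key.
  if grep -q 'PRIVATE KEY-----' "$cert"; then
    echo "FAIL: $cert contains a private key block" >&2; return 1
  fi
  key_d=$(pubkey_digest key "$key") ||
    { echo "FAIL: cannot read private key $key" >&2; return 1; }
  # openssl reads the first certificate in the file, so the leaf must come first.
  cert_d=$(pubkey_digest cert "$cert") ||
    { echo "FAIL: cannot read certificate $cert" >&2; return 1; }
  [ "$key_d" = "$cert_d" ] ||
    { echo "FAIL: $cert was not issued for $key" >&2; return 1; }
  if [ -n "$csr" ]; then
    csr_d=$(pubkey_digest csr "$csr") ||
      { echo "FAIL: cannot read CSR $csr" >&2; return 1; }
    [ "$key_d" = "$csr_d" ] ||
      { echo "FAIL: $csr was not created from $key" >&2; return 1; }
  fi
  # -checkend 0 exits non-zero if the certificate is already expired.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
    { echo "FAIL: $cert has expired" >&2; return 1; }
  echo "OK: key and certificate${csr:+ and CSR} match (public key sha256 $key_d)"
}

# Usage, after sourcing this file:
#   check_tls_pair my-private-key.key my-certificate.cert certificate-signing-request.csr
```
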
Create your CDN resource
Once you have your SSL certificate imported using the gcloud tool you can go through the setup to create your CDN resource. There are a few configuration options to take into consideration:
- When you create a new origin you will need to create a new load balancer for it.
- Backend configuration: create a new storage bucket. Make sure it is CDN enabled.
- Host and path rules: set the host to your custom host, such as cdn.yourdomain.com, and the path to /* to match all content.
- Frontend configuration: pick the HTTPS protocol and the premium network service tier, create a static IP, and select the certificate you uploaded above.
Enabling cache control
The cache control best practices suggest updating the cache control settings for your assets.
Whether you are using the user interface or the API to upload your content you may find that you end up with a large number of files where you need to update the cache control. Doing this via the user interface can become tiresome for more than a couple of files.
If you are looking for a quick hack script that will update the cache control settings for every file in your bucket (not intended for very large buckets), this script could be for you.
Note that I am setting the cache maximum age to 7 days in seconds. This will significantly improve cache performance of static content and can make use of edge caching.
#!/usr/bin/env bash
# Replace with your bucket, e.g. gs://some-bucket-name
BUCKET="gs://some-bucket-name"

# List every object recursively; read line by line so names with spaces survive.
gsutil ls -r "$BUCKET" | while IFS= read -r i; do
  if [[ -z "$i" ]]; then
    continue  # blank separator line in the listing
  elif [[ "$i" == *: || "$i" == */ ]]; then
    echo "Skipping directory $i"
  else
    echo "Updating cache control for $i"
    # 604800 seconds = 7 days
    gsutil setmeta -h "cache-control:public, max-age=604800" "$i" < /dev/null
  fi
done
Set up your ANAME record
For the custom domain names you configured above in the CDN resource setup, you will now need to create ANAME records with your DNS provider. This step depends heavily on your provider. Once your DNS has propagated you can start to reconfigure your site to use the freshly created SSL resources.
If you aren't planning to use the default App Engine SSL issuer then you should follow the custom SSL for App Engine guide. Note that you have to concatenate your certificate with the CA bundle as:
cat my-certificate.cert ca-bundle.cert > combined.cert