We Keep Coding

What is the default caching behaviour for Firebase Hosting with Cloud Run?

I have an HTTP service running in Cloud Run that I have mapped to Firebase Hosting using a wildcard to send all routes to the service.
// firebase.json
{
"hosting": [
{
"site": "mysite",
"rewrites": [
{
"source": "/**",
"run": {
"serviceId": "myservice",
"region": "europe-west2"
}
}
]
}
]
}
Update: I've also tried "source": "**" and config with or without the default static hosting using "public": "public" and the result is the same. The CDN appears to cache all content from Cloud Run by default.
The documentation for Firebase Hosting says: (bold my emphasis)
Any requested static content is automatically cached on the CDN. If you redeploy your site's content, Firebase Hosting automatically clears all your cached static content across the CDN until the next request.
However, because Cloud Functions and Cloud Run services generate content dynamically, the content for a given URL can vary based on such things as user input or the user's identity. To account for this, requests that are handled by backend code do not cache on the CDN by default.
However, within the browser developer Network tab I see cache hits (screenshot below):
Note the server: Google Frontend with x-cache: Hit indicating that the CDN served the content. I can confirm there are no Cloud Run logs for subsequent HTTP GET requests.
I've seen other articles online (one on medium) that says the opposite, that by default caching is enabled.
Is the Google documentation currently up to date? If so, what have I missed? I should mention that my HTTP service uses __session cookies for some routes. The example above was before any signin took place, so no cookies were sent from the browser.
I've also tested this using curl and I also get the same result:
> GET / HTTP/2
> Host: myhost
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< content-type: text/html; charset=utf-8
< server: Google Frontend
< x-country-code: GB
< accept-ranges: bytes
< date: Mon, 04 Oct 2021 13:17:19 GMT
< x-served-by: cache-lhr7335-LHR
< x-cache: HIT
< x-cache-hits: 1
< x-timer: S1633353439.260200,VS0,VE1
< vary: x-fh-requested-host, accept-encoding
< content-length: 11949
<
Hello world example
package main
import (
"fmt"
"log"
"net/http"
"os"
"time"
)
func main() {
log.Print("starting server...")
http.HandleFunc("/", handler)
port := os.Getenv("PORT")
if port == "" {
port = "8080"
log.Printf("defaulting to port %s", port)
}
// Start HTTP server.
log.Printf("listening on port %s", port)
if err := http.ListenAndServe(":"+port, nil); err != nil {
log.Fatal(err)
}
}
func handler(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "The time now is %s\n", time.Now())
}
FROM golang:1.17.1-alpine as builder
LABEL stage=builder
WORKDIR /app
COPY . .
RUN go build .
FROM alpine:latest
RUN apk --no-cache add tzdata
RUN mkdir -p /app/bin
WORKDIR /app
COPY --from=builder /app/helloworld ./bin
CMD ["/app/bin/helloworld"]
firebase.json
{
"hosting": {
"public": "public",
"ignore": [
"firebase.json",
"**/.*",
"**/node_modules/**"
],
"rewrites": [{
"source": "**",
"run": {
"serviceId": "helloworld"
}
}]
}
}
Curl output
CALLING CLOUD RUN DIRECTLY
andy#oak:~/projects/test-to-be-removed/public$ curl -v https://helloworld-q2ftkxvbva-uc.a.run.app/
* Trying 216.239.36.53:443...
* TCP_NODELAY set
* Connected to helloworld-q2ftkxvbva-uc.a.run.app (216.239.36.53) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.a.run.app
* start date: Sep 13 01:08:45 2021 GMT
* expire date: Nov 20 01:08:44 2021 GMT
* subjectAltName: host "helloworld-q2ftkxvbva-uc.a.run.app" matched cert's "*.a.run.app"
* issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55718a90ae10)
> GET / HTTP/2
> Host: helloworld-q2ftkxvbva-uc.a.run.app
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< content-type: text/plain; charset=utf-8
< x-cloud-trace-context: 4844f53bed45b95ba5c11f3873217904;o=1
< date: Mon, 04 Oct 2021 15:31:40 GMT
< server: Google Frontend
< content-length: 74
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
<
The time now is 2021-10-04 15:31:40.017735277 +0000 UTC m=+1034.166310273
* Connection #0 to host helloworld-q2ftkxvbva-uc.a.run.app left intact
CALLING CLOUD RUN VIA FIREBASE HOSTING (1st time Cache MISS)
andy#oak:~/projects/test-to-be-removed/public$ curl -v https://test-to-be-removed-c02e2.web.app/helloworld
* Trying 199.36.158.100:443...
* TCP_NODELAY set
* Connected to test-to-be-removed-c02e2.web.app (199.36.158.100) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=web.app
* start date: Sep 20 20:09:34 2021 GMT
* expire date: Dec 19 20:09:33 2021 GMT
* subjectAltName: host "test-to-be-removed-c02e2.web.app" matched cert's "*.web.app"
* issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1D4
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55ca2e032e10)
> GET /helloworld HTTP/2
> Host: test-to-be-removed-c02e2.web.app
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< content-type: text/plain; charset=utf-8
< server: Google Frontend
< x-cloud-trace-context: b62eb4e97a7e8dbd22b1958616455f27;o=1
< x-country-code: GB
< accept-ranges: bytes
< date: Mon, 04 Oct 2021 15:32:12 GMT
< x-served-by: cache-lhr7331-LHR
< x-cache: MISS
< x-cache-hits: 0
< x-timer: S1633361532.898050,VS0,VE234
< vary: x-fh-requested-host, accept-encoding
< content-length: 73
<
The time now is 2021-10-04 15:32:12.06951937 +0000 UTC m=+1066.218094364
* Connection #0 to host test-to-be-removed-c02e2.web.app left intact
CALLING CLOUD RUN VIA FIREBASE HOSTING (2nd time unexpected Cache HIT)
andy#oak:~/projects/test-to-be-removed/public$ curl -v https://test-to-be-removed-c02e2.web.app/helloworld
* Trying 199.36.158.100:443...
* TCP_NODELAY set
* Connected to test-to-be-removed-c02e2.web.app (199.36.158.100) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=web.app
* start date: Sep 20 20:09:34 2021 GMT
* expire date: Dec 19 20:09:33 2021 GMT
* subjectAltName: host "test-to-be-removed-c02e2.web.app" matched cert's "*.web.app"
* issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1D4
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x562f5255ae10)
> GET /helloworld HTTP/2
> Host: test-to-be-removed-c02e2.web.app
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< content-type: text/plain; charset=utf-8
< server: Google Frontend
< x-cloud-trace-context: b62eb4e97a7e8dbd22b1958616455f27;o=1
< x-country-code: GB
< accept-ranges: bytes
< date: Mon, 04 Oct 2021 15:32:14 GMT
< x-served-by: cache-lhr7371-LHR
< x-cache: HIT
< x-cache-hits: 1
< x-timer: S1633361534.332609,VS0,VE1
< vary: x-fh-requested-host, accept-encoding
< content-length: 73
<
The time now is 2021-10-04 15:32:12.06951937 +0000 UTC m=+1066.218094364
* Connection #0 to host test-to-be-removed-c02e2.web.app left intact

OpenSSL SSL_read: Connection was aborted, errno 10053 (implementing mTLS using istio)

I am trying to implement mTLS between two services. I am using hashicorp vault to manage certs (CA, clients and servers). After deploying the server using istio gateway with secret generated from respective certs. I am trying to access that server using curl. But I am getting the error:
#pemFiles is chain of root and intermediate CA
curl -vvv -HHost:<some-host> --resolve "<some-host>:443:<istio-gateway-ip>" --cacert pemFiles --cert client.crt --key client.key "https://<istio-gateway-ip>:443/" -Lk
* Added <some-host>:443:<istio-gateway-ip> to DNS cache
* Hostname <some-host> was found in DNS cache
* Trying <istio-gateway>:443...
* Connected to <some-host> (<istio-gateway-ip>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: pemFiles
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=5402476c-df7d-44bc-9c1b-b0a6afb931d7
* start date: Sep 23 21:28:29 2021 GMT
* expire date: Oct 25 21:28:58 2021 GMT
* issuer: CN=<our-domain>
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x293ec1a2fb0)
> GET / HTTP/2
> Host:<some-host>
> user-agent: curl/7.75.0
> accept: */*
>
* OpenSSL SSL_read: Connection was aborted, errno 10053
* Failed receiving HTTP2 data
* OpenSSL SSL_write: Connection was aborted, errno 10053
* Failed sending HTTP2 data
* Connection #0 to host <some-host> left intact
curl: (56) OpenSSL SSL_read: Connection was aborted, errno 10053
When I use the same steps with certs generated manually using OpenSSL, I am not getting any such issue.
When I pass the "--http2" with curl command:
TLSv1.3 (IN), TLS alert, unknown CA (560):
* OpenSSL SSL_read: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca, errno 0
* Failed receiving HTTP2 data
* OpenSSL SSL_write: SSL_ERROR_ZERO_RETURN, errno 0
* Failed sending HTTP2 data
* Connection #0 to host <some-host> left intact
curl: (56) OpenSSL SSL_read: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca, errno 0

A workaround found by OP, in the comments.
The issue was with OP's cert-manager. As a workaround use root CA cert instead of intermediate CA.

API GET method : Unsupported Protocol

I have an rest api that was working well few days ago. However , it stopped working. When I checked the access_token , it is not expired. Has anybody encountered such problem?
But the get method gives following error when I checked in rest client app :
Trying 99.86.230.110...
Name '0.0.0.0' family 2 resolved to '0.0.0.0' family 2
Local port: 0
Connected to api-v2.myapi.it.com (99.86.230.110) port 443 (#0)
ALPN, offering http/1.1
Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:#STRENGTH
successfully set certificate verify locations:
CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
TLSv1.2 (OUT), TLS header, Certificate Status (22):
TLSv1.2 (OUT), TLS handshake, Client hello (1):
TLSv1.2 (IN), TLS header, Unknown (21):
TLSv1.2 (IN), TLS alert, Server hello (2):
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Closing connection 0

This is a TLS problem and has nothing to do with access tokens. The problem is on the server side, i.e. the server aborts the TLS handshake with a TLS alert "handshake failure". Since this is happening immediately after the client initiated the TLS handshake and before any server certificate is send it might be a misconfigured server which cannot find its certificate. Check with the API provider of why there systems suddenly have problems.

SSL sites inaccessible from Apple terminal and cryptic curl error

I have a machine serving sites under docker, reverse proxied through nginx with TLS. Everything went smooth til around April the 15th. Two sites became inaccessible from iPhone (whatever the browser used), Safari on MacBooks... curl, and old Android (Samsung S2) and old Firefox (v25)! :o Everything goes fine from Firefox on Windows, GNU/Linux.
One site is a Mattermost instance; the app is working correctly from Android but not from an iPhone.
Safari complains it "can't load the page, the conection has been lost".
curl -v mysite reports :
Rebuilt URL to: https://teamtime.me/
Hostname was NOT found in DNS cache
Trying 212.129.18.187...
Connected to teamtime.me (212.129.18.187) port 443 (#0)
successfully set certificate verify locations:
CAfile: none
CApath: /etc/ssl/certs
SSLv3, TLS handshake, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server key exchange (12):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS change cipher, Client hello (1)
SSLv3, TLS handshake, Finished (20):
SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
Server certificate:
subject: CN=teamtime.me
start date: 2017-04-02 21:41:00 GMT
expire date: 2017-07-01 21:41:00 GMT
subjectAltName: teamtime.me matched
issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
SSL certificate verify ok.
GET / HTTP/1.1
User-Agent: curl/7.38.0
Host: teamtime.me
Accept: /
SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
Closing connection 0
curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
I sniffed the connection to the site with firefox and curl and noted the following differences:
With firefox, after the client key exchange, a new session ticket is created by the server and an application data packet of 320 in size is sent back to the server,
while with curl, after the client key exchange, the server sends a change cipher spec, the client answers with a packet application data of 170 in size which ends the conection (ACK then RST-ACK from the server).
I'm stuck here. I don't know where to look. I don't have any apple terminal to test with, but I guess the problem with curl has the same root as it occurred in the same time frame.
Any hint would be very appreciated. Thanks in advance.
differences in sniffing firefox and curl

The server is (was) also serving a #mastodon instance. And it happened that shutting down the mastodon instance solved the problem: curl and apple terminals can reach the other services again.
The problem surely lies in the nginx reverse proxy configuration, but don't know yet what...
I'd also be interested in understanding how a mistaken config of nginx affects only some terminals/browsers...

PayPal REST API: Requesting oauth token returns 500

Two days ago, something broke with our paypal integration. Unfortunately, trying to contact paypal support has proven to be of no help (no reply in 2 days), so I'll try my luck, here.
Requesting the token (curl https://api.paypal.com/v1/oauth2/token -H "Accept: application/json" -H "Accept-Language: en_US" -u "****:****" -d "grant_type=client_credentials") started ALWAYS returning an empty response and well, a 500 error.
Note that the same works just fine with api.sandbox.paypal.com and sandbox credentials.
I double checked our credentials and they are fine. Note as well, that it doesn't matter what credentials I use, it always returns the same - 500.
Here's the output of curl ... -v; looks like you have an internal server error, as the 500 shows:
* About to connect() to api.paypal.com port 443 (#0)
* Trying 173.0.88.98...
* connected
* Connected to api.paypal.com (173.0.88.98) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /usr/ssl/certs/ca-bundle.crt
CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DES-CBC3-SHA
* Server certificate:
* subject: C=US; ST=California; L=San Jose; O=PayPal, Inc.; OU=PayPal Production; CN=api.paypal.com
* start date: 201
* expire date: 201
* subjectAltName: api.paypal.com matched
* issuer: C=U
* SSL certificate verify ok.
* Server auth using Basic with user '****'
> POST /v1/oauth2/token HTTP/1.1
> Authorization: Basic ****
> User-Agent: curl/7.27.0
> Host: api.paypal.com
> Accept: application/json
> Accept-Language: en_US
> Content-Length: 29
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 29 out of 29 bytes
* additional stuff not fine /usr/src/ports/curl/curl-7.27.0-1/src/curl-7.27.0/lib/transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 500 Internal Server Error
< Server: Apache-Coyote/1.1
< Date: Thu, 28 Mar 2013 15:59:53 GMT
< Content-Length: 0
< Connection: close
<
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
Thanks!

This is something that is currently being looked into. If you have not already opened a ticket with PayPal MTS I would advise opening up a ticket with Technical Support, so that your issue can be added to the examples. You will also then be notified once the issue has been resolved.
edit: This is now resolved as of 04:12 AM GMT (31/03/2013).