You are right, I found the code to check $_SERVER['HTTP_X_APPENGINE_CRON']
public function before() {
if ($_SERVER['HTTP_X_APPENGINE_CRON'] != 'true') {
a\Error::raiseHttp403();
}
}
It complains with 403 which means it's not from app engine? But I'm sure
it's from app engine flex env and it should set the value as true, right?
On Thursday, May 4, 2017 at 1:27:38 PM UTC-7, Takashi Matsuo (Google) wrote:
>
>
> Hi Yao,
>
> App Engine Flex doesn't support the handler section in app.yaml.
> I think you're getting 403 because you're also restricting your cron
> handlers in your code somewhere. Can you do a quick code review on the cron
> handler, and change it to check the $_SERVER value as I mentioned?
>
> Thanks,
>
> On Thu, May 4, 2017 at 1:18 PM Yao Li <y...@sazze.com <javascript:>>
> wrote:
>
>> Yes, it's for authorized users and worked for standard env, handler part
>> doesn't work for flex and I added routes file.
>>
>> As the log, it should come from App Engine.
>>
>> Do I need remove cron config part in app.yaml or even delete the whole
>> handler setting?
>>
>>
>> 03:20:40.199 GET 403 162 B 0 ms AppEngine-Google; (+
>> http://code.google.com/appengine) /Cron/checkDeliveredBatch2
>> 130.211.1.37 - "GET /Cron/checkDeliveredBatch2" 403 162 "-"
>> "AppEngine-Google; (+http://code.google.com/appengine)"
>> {
>> insertId: "9.......l"
>> jsonPayload: {
>> trace: "$traceId"
>> latencySeconds: "0.000"
>> time: null
>> }
>> httpRequest: {
>> requestMethod: "GET"
>> requestUrl: "/Cron/checkDeliveredBatch2"
>> status: 403
>> responseSize: "162"
>> userAgent: "AppEngine-Google; (+http://code.google.com/appengine)"
>> remoteIp: "1...2...1...37"
>> referer: "-"
>> }
>> resource: {
>> type: "gae_app"
>>
>> labels: {…}
>> }
>> timestamp: "2017-05-04T10:20:40.199761605Z"
>> labels: {
>> compute.googleapis.com/zone: "us-central1-b"
>> appengine.googleapis.com/trace_id: "5.......a"
>> compute.googleapis.com/resource_name: "5......7"
>> compute.googleapis.com/resource_id: "7.......4"
>> }
>> logName: "projects/f-s/logs/appengine.googleapis.com%2Fnginx.request"
>> }
>>
>> On Thursday, May 4, 2017 at 12:35:39 PM UTC-7, Takashi Matsuo (Google)
>> wrote:
>>
>>>
>>> Hi Yao,
>>>
>>> I think your handlers are protected only for authorized users, right?
>>>
>>>
>>> https://cloud.google.com/appengine/docs/flexible/nodejs/scheduling-jobs-with-cron-yaml#securing_urls_for_cron
>>> On App Engine flex, it changed how to secure your cron handlers.
>>> Check $_SERVER['HTTP_X_APPENGINE_CRON'] and if it's true, the requests
>>> are coming from App Engine cron service.
>>>
>> On Thu, May 4, 2017 at 12:13 PM Yao Li <y...@sazze.com> wrote:
>>>
>> cron.yaml
>>>>
>>>> cron:
>>>> - description: check USPS Scanned every 4 hours
>>>> url: /Cron/checkUSPSScanned
>>>> schedule: every 4 hours
>>>> retry_parameters:
>>>> min_backoff_seconds: 5
>>>> max_doublings: 5
>>>>
>>>> - description: check USPS Scanned every 4 hours (batch 2)
>>>> url: /Cron/checkUSPSScannedBatch2
>>>> schedule: every 4 hours
>>>> retry_parameters:
>>>> min_backoff_seconds: 5
>>>> max_doublings: 5
>>>>
>>>> - description: check Delivered every 4 hours
>>>> url: /Cron/checkDelivered
>>>> schedule: every 4 hours
>>>> retry_parameters:
>>>> min_backoff_seconds: 5
>>>> max_doublings: 5
>>>>
>>>> - description: check Delivered every 4 hours (batch 2)
>>>> url: /Cron/checkDeliveredBatch2
>>>> schedule: every 4 hours
>>>> retry_parameters:
>>>> min_backoff_seconds: 5
>>>> max_doublings:
>>>>
>>>>
>>>> app.yaml
>>>>
>>>> runtime: custom
>>>> env: flex
>>>>
>>>>
>>>>
>>>> handlers:
>>>> - url: /v\d+/.*
>>>> script: api/index.php
>>>> secure: always
>>>>
>>>> - url: /.*
>>>> script: index.php
>>>> secure: always
>>>>
>>>> - url: /Cron/.*
>>>> script: index.php
>>>> secure: always
>>>> login: admin
>>>>
>>>> resources:
>>>> cpu: 0.5
>>>> memory_gb: 1.0
>>>> disk_size_gb: 10
>>>>
>>>> env_variables:
>>>> WHITELIST_FUNCTIONS: phpinfo
>>>>
>>>> beta_settings:
>>>> cloud_sql_instances: "f-s:us-central1:flex-prod-usc-sql-2"
>>>>
>>>>
>>>> \classes\cron\Routes.php
>>>>
>>>> namespace classes\cron;
>>>>
>>>> class Routes {
>>>> public static $default = array(
>>>> '~^/Cron/checkUSPSScanned?(\?.*)?$~' =>
>>>> array('\classes\controllers\Cron', 'checkUSPSScanned'),
>>>> '~^/Cron/checkUSPSScannedBatch2?(\?.*)?$~' =>
>>>> array('\classes\controllers\Cron', 'checkUSPSScannedBatch2'),
>>>> '~^/Cron/checkDelivered?(\?.*)?$~' =>
>>>> array('\classes\controllers\Cron', 'checkDelivered'),
>>>> '~^/Cron/checkDeliveredBatch2?(\?.*)?$~' =>
>>>> array('\classes\controllers\Cron', 'checkDeliveredBatch2')
>>>> );
>>>> }
>>>>
>>>> On Thursday, May 4, 2017 at 10:25:21 AM UTC-7, Takashi Matsuo (Google)
>>>> wrote:
>>>>
>>>>>
>>>>> Hi Yao,
>>>>>
>>>>> Cron works for me on my Flex app.
>>>>>
>>>>> Can you show your cron.yaml, and app.yaml?
>>>>>
>>>> On Thu, May 4, 2017 at 8:03 AM Yao Li <y...@sazze.com> wrote:
>>>>>
>>>> btw, I did add cron job routing when initializing app in flex env, the
>>>>>> cron routes are defined in app.yaml (handler part) for standard env.
>>>>>>
>>>>>
>>>>>>
>>>>>> On Thursday, May 4, 2017 at 7:57:49 AM UTC-7, Yao Li wrote:
>>>>>>
>>>>> I add New Relic install script in Dockerfile of app level and it
>>>>>>> works, thanks.
>>>>>>>
>>>>>>> The cron job has 403 issue after I deploy the app in GAE flex env as
>>>>>>> default service, it works well (200) previously with app in GAE
>>>>>>> standard
>>>>>>> env.
>>>>>>>
>>>>>> Do I need do some configuration for flex one?
>>>>>>>
>>>>>>> On Monday, May 1, 2017 at 12:47:45 PM UTC-7, Takashi Matsuo (Google)
>>>>>>> wrote:
>>>>>>>
>>>>>>
>>>>>>>> Hi Yao,
>>>>>>>>
>>>>>>>> FYI, we released a new Runtime image
>>>>>>>> <https://github.com/GoogleCloudPlatform/php-docker/releases/tag/2017-05-01-10-25>
>>>>>>>>
>>>>>>>> which should capture the logs on stderr by default.
>>>>>>>>
>>>>>>>> On Mon, May 1, 2017 at 10:28 AM Yao Li <y...@sazze.com> wrote:
>>>>>>>>
>>>>>>>>> 1. I have to install New Relic agent on instance manually with
>>>>>>>>> script currently after ssh, is there a way (API, script or something
>>>>>>>>> else)
>>>>>>>>> to install the following script automatically?
>>>>>>>>>
>>>>>>>>
>>>>>>>> Use runtime:custom and add required piece in your Dockerfile,
>>>>>>>> except for the `/usr/bin/newrelic-daemon start` line.
>>>>>>>>
>>>>>>>> Then have a file named `additional-supervisord.conf` with the
>>>>>>>> following:
>>>>>>>>
>>>>>>>> ```
>>>>>>>> [program:newrelic-daemon]
>>>>>>>> command = /usr/bin/newrelic-daemon -f
>>>>>>>> stdout_logfile = /dev/stdout
>>>>>>>> stdout_logfile_maxbytes=0
>>>>>>>> stderr_logfile = /dev/stderr
>>>>>>>> stderr_logfile_maxbytes=0
>>>>>>>> user = root
>>>>>>>> autostart = true
>>>>>>>> autorestart = true
>>>>>>>> priority = 5
>>>>>>>> stopwaitsecs = 20
>>>>>>>> ```
>>>>>>>>
>>>>>>>
>>>>>>>> I don't know if the newrelic daemon requires root, so this
>>>>>>>> configuration runs as root in this example, but please use another
>>>>>>>> account
>>>>>>>> if possible.
>>>>>>>>
>>>>>>>> I haven't tested it myself, but technically it should work.
>>>>>>>>
>>>>>>>> -- Takashi
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>>> ```
>>>>>>>>> wget -r -l1 -nd -A"linux.tar.gz"
>>>>>>>>> https://download.newrelic.com/php_agent/release/
>>>>>>>>> gzip -dc newrelic*.tar.gz | tar xf -
>>>>>>>>> cd newrelic-php5*
>>>>>>>>> rm -f
>>>>>>>>> /opt/php56/lib/x86_64-linux-gnu/extensions/no-debug-non-zts-20131226/newrelic.so
>>>>>>>>> cp ./agent/x64/newrelic-20131226.so
>>>>>>>>> /opt/php56/lib/x86_64-linux-gnu/extensions/no-debug-non-zts-20131226/newrelic.so
>>>>>>>>> cp ./daemon/newrelic-daemon.x64 /usr/bin/newrelic-daemon
>>>>>>>>>
>>>>>>>>> sed -i -e 's/"REPLACE_WITH_REAL_KEY"/*yourLicenseKey*/g'
>>>>>>>>> ./scripts/newrelic.ini.template
>>>>>>>>> sed -i -e 's/PHP Application/*yourApplicationName*/g'
>>>>>>>>> ./scripts/newrelic.ini.template
>>>>>>>>> cp ./scripts/newrelic.ini.template
>>>>>>>>> /opt/php56/lib/ext.enabled:/opt/php56/lib/conf.d:/app/newrelic.ini
>>>>>>>>>
>>>>>>>>> /usr/bin/newrelic-daemon start
>>>>>>>>> ```
>>>>>>>>> 2. I saw there are 2 or 3 instances in flex env, it seems I have
>>>>>>>>> to install New Relic (NR) agent on each one, right? (because every
>>>>>>>>> instance
>>>>>>>>> is independent to hold the app, I didn't see NR agent on the 1st
>>>>>>>>> instance
>>>>>>>>> if I only installed on 2nd or 3rd)
>>>>>>>>>
>>>>>>>>> On Monday, May 1, 2017 at 9:46:20 AM UTC-7, Takashi Matsuo
>>>>>>>>> (Google) wrote:
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Hi Yao,
>>>>>>>>>>
>>>>>>>>>> > 1. flex env doesn't support handlers for routing?
>>>>>>>>>>
>>>>>>>>>> No Flex doesn't support handlers. Instead you can put a partial
>>>>>>>>>> config file for nginx. Put a file named nginx-app.conf. The default
>>>>>>>>>> configuration is as follows:
>>>>>>>>>>
>>>>>>>>>> ```
>>>>>>>>>> location / {
>>>>>>>>>> # try to serve files directly, fallback to the front controller
>>>>>>>>>> try_files $uri /index.php$is_args$args;
>>>>>>>>>> }
>>>>>>>>>> ```
>>>>>>>>>>
>>>>>>>>>> > Can I migrate traffic from default service (on standard
>>>>>>>>>> environment) to monitor one (on flex)? Or update monitor to default
>>>>>>>>>> service?
>>>>>>>>>>
>>>>>>>>>> AFAIK, there's no way to do that, but instead you can use
>>>>>>>>>> versions.
>>>>>>>>>>
>>>>>>>>>> Remove `service` from the app.yaml (so it's default service), and
>>>>>>>>>> deploy with `--version` option as follows:
>>>>>>>>>>
>>>>>>>>>> ```
>>>>>>>>>> $ gcloud app deploy --version=api-flex --no-promote
>>>>>>>>>> --no-stop-previous-version
>>>>>>>>>> ```
>>>>>>>>>>
>>>>>>>>>> You can migrate traffic between versions.
>>>>>>>>>>
>>>>>>>>>> On Mon, May 1, 2017 at 8:46 AM Yao Li <y...@sazze.com> wrote:
>>>>>>>>>>
>>>>>>>>> How about deploying without specifying service name in app.yaml?
>>>>>>>>>>> It will replace the current default service, right?
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Friday, April 28, 2017 at 4:51:26 PM UTC-7, Yao Li wrote:
>>>>>>>>>>>
>>>>>>>>>> <blockquote class="gmail_quote" style="margin:0
>>>>>>>>>>
>>>>>>>>>
--
You received this message because you are subscribed to the Google Groups
"Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to google-appengine+unsubscr...@googlegroups.com.
To post to this group, send email to google-appengine@googlegroups.com.
Visit this group at https://groups.google.com/group/google-appengine.
To view this discussion on the web visit
https://groups.google.com/d/msgid/google-appengine/9a9bf163-b439-4f17-9d4f-dc913a594b31%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
