I recently switched my Next.js site from Firebase hosting to Cloud Run, due to Next.js only having experimental support with Firebase, and many things were not properly working. After deleting the Firebase hosting and removing my domain from there, I've been facing a persistent issue.
I'm receiving continuous requests to mydomain.com/__/hosting/verification/, resulting in either 404 or 308 responses. These requests have origin "Google-Firebase", and since my Cloud Run service is protected by Cloudflare, they're coming from Cloudflare's IP.
The referrer for these requests is mydomain.com/__/hosting/verification/, and they seem to be caught in a redirect loop, as the requests are milliseconds apart, and eventually lead to a 404 error. I tried to block them with a custom firewall rule in Cloudflare, targeting mydomain.com/__/hosting/verification/, but the requests keep coming.
These continuous requests are keeping my container active and are leading to extra charges. I'm convinced they're actually originating from Firebase. How can I properly identify the issue or block this?
We luckily get some information from Firebase team:
This would be expected. When a domain is added, we have to check for this acme challenge in order to get ready to have an SSL Certificate. We check every minute for a set amount of time, then we reduce to only checking every hour, then to once a day.
When someone deletes a domain, we don't immediately remove the domain from our backend. This is because most of the time, people are moving their domains from one project to another, and they wouldn't want to wait for a new SSL certificate to be re-provisioned or have to go through the entire certification creation process again.
These requests will eventually stop.