TLS 中的 GRPC-Web 连接问题

【问题标题】:GRPC-Web connectivity issue in TLSTLS 中的 GRPC-Web 连接问题
【发布时间】:2020-09-29 20:05:58
【问题描述】:

我有一个 GRPC Web 客户端和一个 GRPC 服务器,我正在使用 envoy 代理从 HTTP 1.1 到 HTTP2 的转换。

我的服务器创建逻辑使用 TLS。代码如下:

    var opts []grpc.ServerOption
    creds, err := credentials.NewServerTLSFromFile("cert/server.crt", "cert/server.key")
    if err != nil {
        log.Fatalf("Failed to generate credentials %v", err)
    }
    opts = []grpc.ServerOption{grpc.Creds(creds)}
    server := grpc.NewServer(opts...)

我从我的反应客户端调用如下:

const client = new LiveClient('http://localhost:8080')
const request = new GetLiveRequest()
    request.setApi(1)
    request.setTrackkey(trackKey)

    // on success response
    const stream = client.getLive(request, {})
    stream.on('data', response => {
         console.log(response);
    }

envoy.yaml如下:

admin:
  access_log_path: /tmp/admin_access.log
  address:
    socket_address: { address: 0.0.0.0, port_value: 9901 }

static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        config:
          codec_type: auto
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route:
                  cluster: greeter_service
                  max_grpc_timeout: 0s
              cors:
                allow_origin:
                - "*"
                allow_methods: GET, PUT, DELETE, POST, OPTIONS
                allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,custom-header-1,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout
                max_age: "1728000"
                expose_headers: custom-header-1,grpc-status,grpc-message
          http_filters:
          - name: envoy.grpc_web
          - name: envoy.cors
          - name: envoy.router
      tls_context:
        common_tls_context:
          alpn_protocols: "h2"
          tls_certificates:
            - certificate_chain:
                filename: "/etc/server.crt"
              private_key:
                filename: "/etc/server.key"
  clusters:
  - name: greeter_service
    connect_timeout: 0.25s
    type: logical_dns
    http2_protocol_options: {}
    lb_policy: round_robin
    hosts: [{ socket_address: { address: app, port_value: 3000 }}]

envoy 的 Dockerfile 如下:

FROM envoyproxy/envoy:36f39c746eb7d03b762099b206403935b11972d8
COPY ./envoy.yaml /etc/envoy/envoy.yaml

ADD ./cert/server.crt /etc/server.crt
ADD ./cert/server.key /etc/server.key
ADD ./cert/server.csr /etc/server.csr

WORKDIR /etc/envoy
CMD /usr/local/bin/envoy -c /etc/envoy/envoy.yaml

我在以下情况下收到以下错误:

{code: 2, message: "Http response at 400 or 500 level"}

但是当我从后端服务器中删除 SSL 身份验证时。它工作正常。我还创建了一个 grpc 客户端,并且 TLS 可以正常工作。 我找不到我的 TLS 特使配置出了什么问题。

正在进一步调查特使日志中的关注。 TLS error: 268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER

如果我通过直接使用 GRPC 客户端将 TLS 证书与 envoy 一起使用,则它可以正常工作。

【问题讨论】:

  • 您是否尝试过更新容器的 openssl 版本?
  • @idelvall 是的,它不起作用

标签: grpc envoyproxy grpc-node grpc-web


【解决方案1】:

您的后端已经通过 HTTPS 进行通信。所以你不需要在 envoy 的配置中配置 tls_context。你必须使用 tcp_proxy 而不是 http_connection_manager Here。您还需要为您的 TLS 后端 Here 的代理配置 transport_socket。

static_resources:
  # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/config/listener/v3/listener.proto#config-listener-v3-listener
  listeners:
    - name: listener_0
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 8080
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#extensions-filters-network-http-connection-manager-v3-httpconnectionmanager
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                access_log:
                  # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/access_loggers/file/v3/file.proto
                  #
                  # You can also configure this extension with the qualified
                  # name envoy.access_loggers.http_grpc
                  # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/access_loggers/grpc/v3/als.proto
                  - name: envoy.access_loggers.file
                    typed_config:
                      # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/access_loggers/file/v3/file.proto#extensions-access-loggers-file-v3-fileaccesslog
                      "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                      # Console output
                      path: /dev/stdout
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: local_service
                      domains:
                        - "*"
                      routes:
                        - match:
                            prefix: /
                            grpc:
                          route:
                            cluster: greeter_service
                      cors:
                        allow_origin_string_match:
                          - prefix: "*"
                        allow_methods: GET, PUT, DELETE, POST, OPTIONS
                        # custom-header-1 is just an example. the grpc-web
                        # repository was missing grpc-status-details-bin header
                        # which used in a richer error model.
                        # https://grpc.io/docs/guides/error/#richer-error-model
                        allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,grpc-status-details-bin,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout,authorization
                        expose_headers: grpc-status-details-bin,grpc-status,grpc-message,authorization
                        max_age: "1728000"
                http_filters:
                  - name: envoy.filters.http.grpc_web
                    # This line is optional, but adds clarity to the configuration.
                    typed_config:
                      # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/filters/http/grpc_web/v3/grpc_web.proto
                      "@type": type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
                  - name: envoy.filters.http.cors
                    typed_config:
                      # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/filters/http/cors/v3/cors.proto
                      "@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors
                  - name: envoy.filters.http.router
                    typed_config:
                      # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/filters/http/router/v3/router.proto
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/transport_sockets/tls/v3/tls.proto#extensions-transport-sockets-tls-v3-downstreamtlscontext
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
              common_tls_context:
                tls_certificates:
                  - certificate_chain:
                      # Certificate must be PEM-encoded
                      filename: /etc/fullchain.pem
                    private_key:
                      filename: /etc/privkey.pem

  clusters:
    # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster
    - name: greeter_service
      type: LOGICAL_DNS
      connect_timeout: 0.25s
      lb_policy: round_robin
      load_assignment:
        cluster_name: greeter_service
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: app
                      port_value: 3000
      http2_protocol_options: {} # Force HTTP/2
      # Your grpc server communicates over TLS. You must configure the transport
      # socket. If you care about the overhead, you should configure the grpc
      # server to listen without TLS. If you need to listen to grpc-web and grpc
      # over HTTP/2 both you can also proxy your TCP traffic with the envoy.
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext

【讨论】:

  • 如果你能提供我需要在 envoy.yaml 中做的更改会很有帮助
  • 你的 envoy.yaml 使用了遗留的 envoy 配置格式,需要完全重写。在创建配置文件时使用 envoy 文档 (envoyproxy.io),而不是从过时的帖子中复制配置。
  • 请注意,此配置是official gRPC-web documentation 的一部分。也许,您可以提交一个拉取请求,让广大受众通过谷歌搜索解决方案。
【解决方案2】:

您是否尝试过从客户端调用 HTTPS?

const client = new LiveClient('https://localhost:8080')

如果没有这个,我也会收到Http response at 400 or 500 level

【讨论】:

  • 是的,我试过了。问题是我无法在 gRPC 中设置上游 TLS
猜你喜欢
  • 2014-12-30
  • 1970-01-01
  • 2020-04-21
  • 2021-06-09
  • 2021-12-03
  • 2012-08-23
  • 1970-01-01
  • 1970-01-01
相关资源
最近更新 更多
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode