Closed hiranya911 closed 4 years ago
It seems the auth library is at fault here. It's not connecting to the HTTP proxy correctly.
If I just set the HTTP_PROXY
variable, I can get Firestore to go through the proxy. But in that case the credentials will not go through the proxy.
D1215 13:57:28.712727343 26718 dns_resolver.cc:338] Using native dns resolver
D1215 13:57:28.787131284 26718 dns_resolver.cc:279] Start resolving.
I1215 13:57:28.800943867 26718 ssl_transport_security.cc:174] OpenSSL callback has already been set.
I1215 13:57:28.821523393 26718 handshaker.cc:141] handshake_manager 0x35d2170: adding handshaker http_connect [0x338d2c0] at index 0
I1215 13:57:28.821620747 26718 handshaker.cc:141] handshake_manager 0x35d2170: adding handshaker security [0x35d1090] at index 1
I1215 13:57:28.821647440 26718 handshaker.cc:212] handshake_manager 0x35d2170: error="No Error" shutdown=0 index=0, args={endpoint=0x33cfed0, args=0x3318ca0 {size=10: grpc.primary_user_agent=grpc-node/1.16.1, grpc.client_channel_factory=0x7f406739f520, grpc.channel_credentials=0x33b2480, grpc.server_uri=dns:///firestore.googleapis.com:443, grpc.channelz_channel_node_creation_func=0x7f406712be50, grpc.http_connect_server=firestore.googleapis.com:443, grpc.default_authority=firestore.googleapis.com:443, grpc.http2_scheme=https, grpc.security_connector=0x34ca5e0, grpc.subchannel_address=ipv4:127.0.0.1:3128}, read_buffer=0x338e500 (length=0), exit_early=0}
I1215 13:57:28.821656912 26718 handshaker.cc:258] handshake_manager 0x35d2170: calling handshaker http_connect [0x338d2c0] at index 0
I1215 13:57:28.821662952 26718 http_connect_handshaker.cc:300] Connecting to server firestore.googleapis.com:443 via HTTP proxy ipv4:127.0.0.1:3128
I1215 13:57:28.851203756 26718 handshaker.cc:212] handshake_manager 0x35d2170: error="No Error" shutdown=0 index=1, args={endpoint=0x33cfed0, args=0x3318ca0 {size=10: grpc.primary_user_agent=grpc-node/1.16.1, grpc.client_channel_factory=0x7f406739f520, grpc.channel_credentials=0x33b2480, grpc.server_uri=dns:///firestore.googleapis.com:443, grpc.channelz_channel_node_creation_func=0x7f406712be50, grpc.http_connect_server=firestore.googleapis.com:443, grpc.default_authority=firestore.googleapis.com:443, grpc.http2_scheme=https, grpc.security_connector=0x34ca5e0, grpc.subchannel_address=ipv4:127.0.0.1:3128}, read_buffer=0x338e500 (length=0), exit_early=0}
I1215 13:57:28.851230553 26718 handshaker.cc:258] handshake_manager 0x35d2170: calling handshaker security [0x35d1090] at index 1
I1215 13:57:28.901747144 26718 handshaker.cc:212] handshake_manager 0x35d2170: error="No Error" shutdown=0 index=2, args={endpoint=0x33b3220, args=0x33acc00 {size=11: grpc.primary_user_agent=grpc-node/1.16.1, grpc.client_channel_factory=0x7f406739f520, grpc.channel_credentials=0x33b2480, grpc.server_uri=dns:///firestore.googleapis.com:443, grpc.channelz_channel_node_creation_func=0x7f406712be50, grpc.http_connect_server=firestore.googleapis.com:443, grpc.default_authority=firestore.googleapis.com:443, grpc.http2_scheme=https, grpc.security_connector=0x34ca5e0, grpc.subchannel_address=ipv4:127.0.0.1:3128, grpc.auth_context=0x33c1b20}, read_buffer=0x338e500 (length=0), exit_early=0}
I1215 13:57:28.901762578 26718 handshaker.cc:245] handshake_manager 0x35d2170: handshaking complete -- scheduling on_handshake_done with error="No Error"
I1215 13:57:28.901858190 26718 subchannel.cc:656] New connected subchannel at 0x3529ab0 for subchannel 0x35c0250
test-topic
Squid log:
1544911049.455 635 172.17.0.1 TCP_TUNNEL/200 4455 CONNECT firestore.googleapis.com:443 - HIER_DIRECT/216.58.195.74 -
It seems I must set the HTTPS_PROXY variable for the credentials to go through the proxy, but it doesn't work with plain HTTP.
@hiranya911 We've release 0.21.0 which addressed the issue with running behind a proxy. Can you try now and see if it resolves it? Thanks!
@stephenplusplus I understand you have a test utility for proxy issues - can you please take a look at this? Thanks :)
@stephenplusplus will help with verifying this
I believe @ajaaym found a solution:
can you please try setting both env variable https_proxy & HTTPS_PROXY GRPC uses https_proxy and authentication which goes through normal node request uses HTTPS_PROXY.
@JustinBeckwith @jkwlui with the release of 2.1.1 i can no longer hit firestore over a proxy. i have tried setting https_proxy, HTTPS_PROXY, http_proxy, HTTP_PROXY. It looks like 2.1.1 added "@grpc/grpc-js": "0.4.0". and from taking a quick look in that repo i dont see anything about grpc-js accepting proxy support? What do either of you think would be the best way to move forward?
That's unfortunate, I will look into that. I believe you could use a workaround where you provide the proxy endpoint programmatically in the constructor. @schmidt-sebastian is that possible? In other languages, it would look something like:
new Client({ apiEndpoint: 'https://localhost:8080' })
new Client({ host: 'localhost', port: '8080' })
The recommended syntax is:
new Client({ host: 'localhost:8080' })
apiEndpoint
and servicePath
should also work.
Note: We now also support non-SSL endpoints directly:
new Client({ host: 'localhost:8080'; ssl: false });
so that would work fine, but im behind a corporate proxy and need to pass in proxy authentication credentials. whenever i do so i get a Value for argument "settings.host" is not a valid host.
@schmidt-sebastian @stephenplusplus
in addition im getting this issue across other google apis projects like dialogflow or probably anything that is using grpc-js.
@amammay How do you pass these credentials? If they are HTTP headers, you can pass them in a such
const firestore = new Firestore({
customHeaders: {
"X-Name": "Value"
}
});
@schmidt-sebastian well passing in the credentials would be of the format of
http://[user]:[pass]@hostname:port
and for the firebase settings you can only pass in host and port as https://github.com/googleapis/nodejs-firestore/blob/master/types/firestore.d.ts#L56
FWIW, we also support servicePath
and apiEndpoint
, which are passed directly to the underlying layer. I haven't yet been able to confirm that the support passing credentials as you suggested.
@hiranya911 Is this still an issue? We are now using Node's HTTP2 module for our networking.
I've never tried this scenario with a proxy that requires authentication. Does the new implementation still support the https_proxy
environment variable?
I have not been able to successfully proxy any Firestore calls. I can proxy the token call but no requests to Firestore actually hit the proxy. I am using the latest version.
The admin SDK uses grpc-js, which currently does not support proxies (issue). However, the native grpc library does support proxies using HTTP_PROXY
.
One way to circumvent this limitation would be to provide a the native GRPC implementation to the admin SDK via the constructor argument as detailed in this comment, which also details why we use grpc-js instead of native grpc.
@thebrianchen thanks for the tip. I gave this a shot, configured my app as the comment suggests, and using Charles proxy on my machine and I see the auth call hit the proxy but I do not see any calls to my Firestore database that hit the proxy. "firebase-admin": "8.8.0" "grpc": "1.24.2"
@thebrianchen my apologies, I am hitting the proxy now I was using the wrong casing for the environment variable. HTTP_PROXY !== http_proxy
@thebrianchen thank you!!
@zamnuts would you mind giving this a glance when you have a chance? From your recent experience with proxy support inside grpc-node, maybe we've resolved this already? And if not, do you know what issues are standing in the way?
@grpc/grpc-js
0.7.x adds supports for the HTTP_PROXY environment variable. We need to update our dependency and then we should be able to close this issue.
If you update your dependencies, you should now be using @grpc/grpc-js@0.7.5
.
Environment details
@google-cloud/firestore
version: 0.19.0Steps to reproduce
Trying to access Firestore through a simple HTTP proxy. According to the instructions in this article, Node.js GRPC supports specifying a proxy via an environment variable.
HTTPS_PROXY
environment variableGRPC debug log
HTTP proxy log (Squid proxy access log)
Note that this problem is unique to the Firestore Node.js client. I've tried the same with Java and Go clients where this use case works fine.