Open SHUFIL opened 3 years ago
Envoy is not fetching from the backend if I use SSL for gRPC and gRPC-Web. But if I use Envoy without SSL, it works correctly for both gRPC and gRPC-Web. I am using Envoy version 1.18 and forcing HTTP/2, and I always get the error below:
```
[METADATA][2021-06-23 10:31:03.668][13][trace][connection] [source/common/network/connection_impl.cc:506] [C2] socket event: 2
[METADATA][2021-06-23 10:31:03.668][13][trace][connection] [source/common/network/connection_impl.cc:607] [C2] write ready
[METADATA][2021-06-23 10:31:03.668][13][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:190] [C2] handshake expecting read
[METADATA][2021-06-23 10:31:03.831][13][trace][connection] [source/common/network/connection_impl.cc:506] [C2] socket event: 3
[METADATA][2021-06-23 10:31:03.831][13][trace][connection] [source/common/network/connection_impl.cc:607] [C2] write ready
[METADATA][2021-06-23 10:31:03.831][13][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:197] [C2] handshake error: 1
[METADATA][2021-06-23 10:31:03.831][13][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:225] [C2] TLS error: 268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER
[METADATA][2021-06-23 10:31:03.831][13][debug][connection] [source/common/network/connection_impl.cc:208] [C2] closing socket: 0
[METADATA][2021-06-23 10:31:05.294][1][debug][upstream] [source/common/upstream/upstream_impl.cc:278] transport socket match, socket default selected for host with address 172.20.120.201:8081
```
The backend is working on IP and port 172.20.120.201:8081. Below is the Envoy conf I'm using with SSL:
```yaml
admin:
  access_log_path: /dev/stdout
  address:
    socket_address: { address: 0.0.0.0, port_value: 8801 }

static_resources:
  # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/config/listener/v3/listener.proto#config-listener-v3-listener
  listeners:
  - name: listener_0
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 8803
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#extensions-filters-network-http-connection-manager-v3-httpconnectionmanager
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          access_log:
          # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/access_loggers/file/v3/file.proto
          #
          # You can also configure this extension with the qualified
          # name envoy.access_loggers.http_grpc
          # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/access_loggers/grpc/v3/als.proto
          - name: envoy.access_loggers.file
            typed_config:
              # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/access_loggers/file/v3/file.proto#extensions-access-loggers-file-v3-fileaccesslog
              "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
              # Console output
              path: /dev/stdout
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains:
              - "test.domain.com"
              routes:
              - match:
                  prefix: /
                  grpc:
                route:
                  cluster: tkmicro
              cors:
                allow_origin_string_match:
                - prefix: "*"
                allow_methods: GET, PUT, DELETE, POST, OPTIONS
                # custom-header-1 is just an example. the grpc-web
                # repository was missing grpc-status-details-bin header
                # which used in a richer error model.
                # https://grpc.io/docs/guides/error/#richer-error-model
                allow_headers: accept-language,accept-encoding,user-agent,referer,sec-fetch-mode,origin,access-control-request-headers,access-control-request-method,accept,cache-control,pragma,connection,host,name,x-grpc-web,x-user-agent,grpc-timeout,content-type,channel,api-key,lang
                expose_headers: grpc-status-details-bin,grpc-status,grpc-message,authorization
                max_age: "1728000"
          http_filters:
          - name: envoy.filters.http.grpc_web
            # This line is optional, but adds clarity to the configuration.
            typed_config:
              # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/filters/http/grpc_web/v3/grpc_web.proto
              "@type": type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
          - name: envoy.filters.http.cors
            typed_config:
              # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/filters/http/cors/v3/cors.proto
              "@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors
          - name: envoy.filters.http.grpc_json_transcoder
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.grpc_json_transcoder.v3.GrpcJsonTranscoder
              proto_descriptor: "/home/ubuntu/envoy/sync.pb"
              ignore_unknown_query_parameters: true
              services:
              - "com.tk.system.sync.Synchronizer"
              print_options:
                add_whitespace: true
                always_print_primitive_fields: true
                always_print_enums_as_ints: true
                preserve_proto_field_names: true
          - name: envoy.filters.http.router
            typed_config:
              # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/filters/http/router/v3/router.proto
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            alpn_protocols: "h2"
            tls_certificates:
            - certificate_chain:
                inline_string: |
                  -----BEGIN CERTIFICATE-----
                  MIIFyTCCBLGgAwIBA7gIRALSd5cAbClvwTierhXPozw4wDQYJKoZIhvcNAQELBQA
                  gY8xCzAJBgNVBAYTAkdCMRs7wGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXI
                  q+i9N5HIlXOev24xY5GSDiGQekUB8J7D8YQQ1IoCiFdPtpe8gFOkCGcGN1tUi80ft
                  RVWrwn8TdJT3qwmnQb2r30W6Abz//BcomAa7mSRpxK01CEzQm5mukeeL1kvp
                  -----END CERTIFICATE-----
              private_key:
                inline_string: |
                  -----BEGIN RSA PRIVATE KEY-----
                  MIIEpQIBAAKCAQEAvRWWc/Wg8uLpvNGVJ3NNv7dad6lO99lMn6K5mxjAVkRjBh1K
                  2CMKJavnoyhF+6Y12AG6B7RFz26t28AOWFkwzi7vzJXGXx+CyRyrjKMGfPFkfbcdjjjjj
                  YAp2fPpfba3vIDdW3Hg4puOKKrOFEZCGMJUzgKF1EAab1n9zGF44NGU=
                  -----END RSA PRIVATE KEY-----
  clusters:
  # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster
  - name: tkmicro
    type: LOGICAL_DNS
    connect_timeout: 0.25s
    lb_policy: round_robin
    load_assignment:
      cluster_name: tkmicro
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 172.20.120.201
                port_value: 8081
    http2_protocol_options: {} # Force HTTP/2
```
On k8s I am also getting the same error. I am using an NLB with ACM, and the domain name is pointed via Route 53.
Also, I think the docs about Envoy setup should be updated to the new Envoy API specification.
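
An added example (not from the issue or the Envoy project): `WRONG_VERSION_NUMBER` is the error BoringSSL raises when the record header it reads does not carry a TLS version, typically because the peer is not speaking TLS on that socket. The sketch below classifies the first bytes a client sends to a listener that has a `DownstreamTlsContext`; the function names and sample byte strings are constructed for illustration.

```python
# Classify the first bytes received on a TLS listener to see whether the
# peer is actually starting a TLS handshake. All sample inputs are constructed.
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # HTTP/2 prior-knowledge preface
HTTP1_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                 b"OPTIONS ", b"PATCH ", b"CONNECT ")
PROXY_V1 = b"PROXY "                                # PROXY protocol v1 (text)
PROXY_V2 = b"\r\n\r\n\x00\r\nQUIT\n"                # PROXY protocol v2 signature
MAX_PLAINTEXT_RECORD = 1 << 14                      # TLS record payload limit


def classify_first_bytes(data: bytes) -> str:
    """Return a label describing what protocol the peer opened with."""
    if data.startswith(PROXY_V2) or data.startswith(PROXY_V1):
        return "proxy-protocol-header"
    if data.startswith(b"PRI * HTTP/2.0"):
        return "plaintext-http2"
    if data.startswith(HTTP1_METHODS):
        return "plaintext-http1"
    # TLS record header: type(1) | version major(1) minor(1) | length(2)
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03:
        length = int.from_bytes(data[3:5], "big")
        # First handshake message on a server socket must be ClientHello (0x01).
        if 0 < length <= MAX_PLAINTEXT_RECORD and data[5] == 0x01:
            return "tls-client-hello"
        return "malformed-tls-record"
    return "unknown"


def speaks_tls(data: bytes) -> bool:
    """True only when the peer's first bytes look like a TLS ClientHello."""
    return classify_first_bytes(data) == "tls-client-hello"


# Constructed samples: what different peers would put on the wire first.
SAMPLES = {
    "tls_client": bytes.fromhex("16030100050100000100"),
    "grpc_plaintext": H2_PREFACE,
    "grpc_web_plaintext": b"POST /pkg.Service/Method HTTP/1.1\r\n",
    "proxy_protocol_v2": PROXY_V2 + b"\x21\x11\x00\x0c",
    "empty": b"",
}


def report(samples: dict) -> dict:
    return {name: classify_first_bytes(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, label in report(SAMPLES).items():
        print(f"{name:20s} -> {label}")
```

Run it against the first bytes of a packet capture taken on the listener port (8803 in the config above); any label other than `tls-client-hello` means the handshake cannot succeed on that connection.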