grpc / grpc-web

gRPC for Web Clients
https://grpc.io
Apache License 2.0
8.66k stars 764 forks source link

not feching envoy with backend if I use ssl for grpc grpc-web #1098

Open SHUFIL opened 3 years ago

SHUFIL commented 3 years ago

Not feching envoy with backend if I use ssl for grpc grpc-web , But if i use without ssl envoy , it getting correctly both grpc and grpc-web. envoy using 1.18 version, and forcely using http2, always getting below error

[METADATA][2021-06-23 10:31:03.668][13][trace][connection] [source/common/network/connection_impl.cc:506] [C2] socket event: 2
[METADATA][2021-06-23 10:31:03.668][13][trace][connection] [source/common/network/connection_impl.cc:607] [C2] write ready
[METADATA][2021-06-23 10:31:03.668][13][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:190] [C2] handshake expecting read
[METADATA][2021-06-23 10:31:03.831][13][trace][connection] [source/common/network/connection_impl.cc:506] [C2] socket event: 3
[METADATA][2021-06-23 10:31:03.831][13][trace][connection] [source/common/network/connection_impl.cc:607] [C2] write ready
[METADATA][2021-06-23 10:31:03.831][13][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:197] [C2] handshake error: 1
[METADATA][2021-06-23 10:31:03.831][13][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:225] [C2] TLS error: 268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER
[METADATA][2021-06-23 10:31:03.831][13][debug][connection] [source/common/network/connection_impl.cc:208] [C2] closing socket: 0
[METADATA][2021-06-23 10:31:05.294][1][debug][upstream] [source/common/upstream/upstream_impl.cc:278] transport socket match, socket default selected for host with address 172.20.120.201:8081

backend working with 172.20.120.201:8081 IP and port Below I'm using envoy conf with ssl

admin:
  access_log_path: /dev/stdout
  address:
    socket_address: { address: 0.0.0.0, port_value: 8801 }
static_resources:
  # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/config/listener/v3/listener.proto#config-listener-v3-listener
  listeners:
    - name: listener_0
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 8803
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#extensions-filters-network-http-connection-manager-v3-httpconnectionmanager
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                access_log:
                  # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/access_loggers/file/v3/file.proto
                  #
                  # You can also configure this extension with the qualified
                  # name envoy.access_loggers.http_grpc
                  # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/access_loggers/grpc/v3/als.proto
                  - name: envoy.access_loggers.file
                    typed_config:
                      # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/access_loggers/file/v3/file.proto#extensions-access-loggers-file-v3-fileaccesslog
                      "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                      # Console output
                      path: /dev/stdout
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: local_service
                      domains:
                        - "test.domain.com"
                      routes:
                        - match:
                            prefix: /
                            grpc:
                          route:
                            cluster: tkmicro
                      cors:
                        allow_origin_string_match:
                          - prefix: "*"
                        allow_methods: GET, PUT, DELETE, POST, OPTIONS
                        # custom-header-1 is just an example. the grpc-web
                        # repository was missing grpc-status-details-bin header
                        # which used in a richer error model.
                        # https://grpc.io/docs/guides/error/#richer-error-model
                        allow_headers: accept-language,accept-encoding,user-agent,referer,sec-fetch-mode,origin,access-control-request-headers,access-control-request-method,accept,cache-control,pragma,connection,host,name,x-grpc-web,x-user-agent,grpc-timeout,content-type,channel,api-key,lang
                        expose_headers: grpc-status-details-bin,grpc-status,grpc-message,authorization
                        max_age: "1728000"
                http_filters:
                  - name: envoy.filters.http.grpc_web
                    # This line is optional, but adds clarity to the configuration.
                    typed_config:
                      # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/filters/http/grpc_web/v3/grpc_web.proto
                      "@type": type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
                  - name: envoy.filters.http.cors
                    typed_config:
                      # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/filters/http/cors/v3/cors.proto
                      "@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors
                  - name: envoy.filters.http.grpc_json_transcoder
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.grpc_json_transcoder.v3.GrpcJsonTranscoder
                      proto_descriptor: "/home/ubuntu/envoy/sync.pb"
                      ignore_unknown_query_parameters: true
                      services:
                        - "com.tk.system.sync.Synchronizer"
                      print_options:
                        add_whitespace: true
                        always_print_primitive_fields: true
                        always_print_enums_as_ints: true
                        preserve_proto_field_names: true
                  - name: envoy.filters.http.router
                    typed_config:
                      # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/filters/http/router/v3/router.proto
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
              common_tls_context:
                alpn_protocols: "h2"
                tls_certificates:
            - certificate_chain:
                inline_string: |
                  -----BEGIN CERTIFICATE-----
                  MIIFyTCCBLGgAwIBA7gIRALSd5cAbClvwTierhXPozw4wDQYJKoZIhvcNAQELBQA
                  gY8xCzAJBgNVBAYTAkdCMRs7wGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXI
                  q+i9N5HIlXOev24xY5GSDiGQekUB8J7D8YQQ1IoCiFdPtpe8gFOkCGcGN1tUi80ft
                  RVWrwn8TdJT3qwmnQb2r30W6Abz//BcomAa7mSRpxK01CEzQm5mukeeL1kvp
                  -----END CERTIFICATE-----
              private_key:
                inline_string: |
                  -----BEGIN RSA PRIVATE KEY-----
                  MIIEpQIBAAKCAQEAvRWWc/Wg8uLpvNGVJ3NNv7dad6lO99lMn6K5mxjAVkRjBh1K
                  2CMKJavnoyhF+6Y12AG6B7RFz26t28AOWFkwzi7vzJXGXx+CyRyrjKMGfPFkfbcdjjjjj
                  YAp2fPpfba3vIDdW3Hg4puOKKrOFEZCGMJUzgKF1EAab1n9zGF44NGU=
                  -----END RSA PRIVATE KEY-----

  clusters:
    # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster
    - name: tkmicro
      type: LOGICAL_DNS
      connect_timeout: 0.25s
      lb_policy: round_robin
      load_assignment:
        cluster_name: tkmicro
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: 172.20.120.201
                      port_value: 8081
      http2_protocol_options: {} # Force HTTP/2
muhaarif commented 3 years ago

Even k8 also getting same error , am using NLB with ACM , domain name pointed with router53.

santiihoyos commented 2 years ago

Also I think docs about envoy setup should be update to new Envoy API specification.