Conceptual HTTPS/HTTP question for golang repository - http

I have a Gateway API that is built with Golang. We use the "net/http" library documented here https://pkg.go.dev/net/http#example-ListenAndServeTLS. This service has HTTPS connection set up. The connections to my ELB’s use HTTPS because I use TLS termination. So this one Gateway API has the ssl cert. But then passes the connection to a regular HTTP connection to the other instances.
In short, the Gateway API has HTTPs support, but the services connected to my Gateway API uses HTTP.
When I check my UI services, It shows that we are using HTTP 1.1 still. However from Golang's documentation the package "net/http" should provide HTTP 2.0 support automatically.
Do I need to upgrade my internal services to use HTTPs instead of HTTP in order to use http 2.0?
Sorry If this post comes off as ignorant or rude. I really appreciate anyone taking there time to read this, and am willing to provide any more information that Is needed.

http2 include h2(TLS) h2c(no TLS), net/http use h2 default when ListenAndServeTLS.
if you use http, net/http not use h2c, but http1.1 currently no browser supports HTTP/2 unencrypted
becase net/http don't support h2c default, if you want use h2c(non-TLS version of HTTP/2):
https://pkg.go.dev/golang.org/x/net#v0.0.0-20220421235706-1d1ef9303861/http2/h2c

Related

Grpc-Web Client in Java

I'm trying to connect to a grpc-service from a Java client. The problem is that this service is currently supporting only grpc-web over http1.1, this is because of a limitation of supporting http2 in Azure App service where the service is deployed.
The grpc-java client liberary from io.grpc only supports grpc over http2 protocol, which maskes sense, and unfortenatly is not working for me.
I managed to consume a service using HTTP client from apache and okhttp3 but this works for unary calls and it didn't work for a server-side streaming service.
Is any one aware of a grpc-web java client liberary that I could use or a work arround using convenienal Http for reading grpc-web server-side streaming service.
If I understand your question correctly, you want a Java client for gRPC-Web so that your client can talk HTTP/1.1 through a gRPC-Web proxy (e.g. Envoy gRPC-Web) because you're unable to talk HTTP/2 directly to your service because of the Azure networking limitation?
In theory this should be possible. The JavaScript implementation is because, in-browser, there's no alternative except JSON transcoding. The JavaScript implementation does implement server-side streaming, which is another requirement and confirms that this should be possible over HTTP/1.1.
However, in a quick search I found no other (i.e non-JavaScript) client implementations of gRPC-Web.

Why grpc-go can run grpc server and http server at the same address and port, but grpc-node cannot

I had read this answer: https://stackoverflow.com/a/56943771/6463558, it says that there is no way to run gRPC server and HTTP server at same address and port using grpc-node package.
But I can create gRPC server and HTTP server at same address and port(e.g. both using localhost:3000) using grpc-go package. Here is an example: https://github.com/mrdulin/grpc-go-cnode/blob/master/cmd/server/main.go#L79
So, why grpc-node and grpc-go behave inconsistently. Does this make sense?
The result I expect is that no matter what language is implemented in grpc, the behavior should be consistent. So the grpc server should be able to share the same port with the server created by Node's standard library http in same system process.
It is all about implementation. Each language has its own implementation for gRPC. There are many differences from each language implementation, some due to language capability but also due to the maintainers. Each project is a different project.
In this case, we can not really say that gRPC and HTTP servers are sharing the same address. There is only the HTTP server running. However, Golang implementation for gRPC server has an option to serv the gRPC through HTTP.
Calling
server.ServeHTTP()
instead of
server.Serve()
That is possible because, under the hood, gRPC server is built on top HTTP2
This snippet from the link you shared make what I said clear
if request.ProtoMajor != 2 {
mux.ServeHTTP(writer, request)
return
}
if strings.Contains(request.Header.Get("Content-Type"), "application/grpc") {
grpcServer.ServeHTTP(writer, request)
return
}
If you want to do the same in Node, you need to check in the grpc-node implementation if there is such a thing available
Your example uses http.NewServeMux(), which is provided by the Go standard library. The Node standard library does not provide an equivalent feature, so you can't share the port that way.

WebSockets not working with HTTP/2 Load Balancer backend in GCP

I have an application running behind a Load Balancer in Google Cloud Platform.
When I use the HTTPS protocol in the backend, I'm able to connect with WebSockets and all WebSocket connections work fine. However, when I change the backend protocol to HTTP/2, I'm unable to connect from the application, and it returns a response of 502 Bad Gateway.
Can I use WebSockets with HTTP/2, or do I need to perform some configuration in order to use WebSockets with an HTTP2 backend?
As others have commented, WebSockets are not supported in HTTP/2 and this is the reason why you receive the 5XX error.
Having said that, the WebSocket functionality is achievable (and improved) with HTTP/2 ref.
If you have existing code working with WebSocket it might not be great to rewrite both backend and frontend.
However, if you are developing a new asynchronous service, it is a good idea to take a look at the HTTP/2 + Server Sent Event (SSE) scheme.

grpc - is TLS necessary if https enabled?

I'm newbie of grpc and have played with simple grpc clients of java, go, and python. I know basic http and https but not familiar with protocal details. So this question may be rediculous to you but I didn't find any explaination online.
I know grpc has insecure(go: grpc.WithInsecure(), python: grpc.insecure_channel, java: usePlaintext()) and secure mode(TLS). and grpc is based on httpv2, and http has security mode(https).
So what if use insecure grpc with https? Is the overall data transfer safe?
And what if use TLS grpc with https? Is there performance overhead(becuase I think the messages are encrypted twice)?
Thank you for any answer, any exsiting webpages explaining such topic that will be best!
Insecure implies http. And TLS implies https. So there's no way "to use insecure grpc with https", as at that point it is then http.
There is no double-encryption. The gRPC security mode is the same as the HTTP security mode.
Using gRPC over TLS is highly recommended if you gRPC server is serving requests coming from outside(external network). For example you're creating front end app in javascript serving user requests. Your javascript app make call to your gRPC server for APIs your server provide. Your javascript communicate to your gRPC server through stub created in javascript end. At the end of your gRPC server, you need to set tls mechanism to secure communication between your javascript app and your gRPC server(because requests coming from outside).
gRPC somehow mostly used for internal services communication inside internal network in microservice architecture. You don't need to set tls for internal network usage since requests coming from your own environment from within your watch.
If you want to apply something like "gRPC over HTTPS", then you need something like gateway to map your http call to your gRPC server. Check this out.
You need to compile your proto file as gateway service definitions as well using provided tools. Now you can create your normal http server with tls enabled through something like http.ListenAndServeTLS(...). Dont forget to register your grpc server to the http server using the service definitions compiled from the proto file. With this all your requests to are encrypted with tls to your http server like normal rest apis do, but get proxied to gRPC server you defined. There's no need to enable tls at your gRPC server since it has been enabled in your http server.

Is the Nativescript HTTP module secure?

I make POST requests with the Nativescript HTTP module on my website that has an HTTPS address. Is it secure or the data is transmitted in clear? Thanking you.
Simple HTTPS calls can be still intercepted. So if your data is very much sensitive, for more secured connection you have to use SSL pinning thats supported by nativescript-https plug-in.

Resources