Dispatching grpc requests to multiple servers via Nginx - nginx

Having a grpc client and server and they are exchanging messages in grpc unary mode. I want to log all the messages the client sends to the server without changing a single line of code in both client or server. I came across to Nginx with its new graceful grpc support. Is it possible to route grpc messages from client to server via Nginx while sending a copy of them to a remote logging service? If No, please let me know if there are any other tools out there that do the same stuff.

Related

TLS in golang http and grpc server

I've seen that some app developed in Go run without tls enabled from the app, rather enabled in its proxy server(nginx). The requests coming to the app is encrypted at the nginx side only. So the Go http server is served using only http.ListenAndServe.
While using gRPC, I've seen the gRPC server served without tls enabled, and the client dial with insecure mode enabled.
I assumed all of this because you only need enable tls only if you serve requests coming from outside(external networks). If you use http and grpc for internal services communication within internal network in microservices architecture, you don't need enable tls at all since it only adds overhead. Is this true?
How is tls properly applied in Golang development for http and gRPC server?

http over wiregarud vs pure https

I have a HTTP service running on a server that is to be used by my android application. I am thinking about various way to so that clients can send data to server in a secure manner. One common way is to use HTTPS protocol and have an load-balancer or a proxy that do the SSL termination.
Instead, I am thinking of using wiregaurd as a secure medium for communication. So I will first install wiregarud client as a part of my android application and send all the traffic through this wiregarud channel to the server which is being served from an http endpoint.
Which of the two approaches are better in terms of security and speed?

grpc - is TLS necessary if https enabled?

I'm newbie of grpc and have played with simple grpc clients of java, go, and python. I know basic http and https but not familiar with protocal details. So this question may be rediculous to you but I didn't find any explaination online.
I know grpc has insecure(go: grpc.WithInsecure(), python: grpc.insecure_channel, java: usePlaintext()) and secure mode(TLS). and grpc is based on httpv2, and http has security mode(https).
So what if use insecure grpc with https? Is the overall data transfer safe?
And what if use TLS grpc with https? Is there performance overhead(becuase I think the messages are encrypted twice)?
Thank you for any answer, any exsiting webpages explaining such topic that will be best!
Insecure implies http. And TLS implies https. So there's no way "to use insecure grpc with https", as at that point it is then http.
There is no double-encryption. The gRPC security mode is the same as the HTTP security mode.
Using gRPC over TLS is highly recommended if you gRPC server is serving requests coming from outside(external network). For example you're creating front end app in javascript serving user requests. Your javascript app make call to your gRPC server for APIs your server provide. Your javascript communicate to your gRPC server through stub created in javascript end. At the end of your gRPC server, you need to set tls mechanism to secure communication between your javascript app and your gRPC server(because requests coming from outside).
gRPC somehow mostly used for internal services communication inside internal network in microservice architecture. You don't need to set tls for internal network usage since requests coming from your own environment from within your watch.
If you want to apply something like "gRPC over HTTPS", then you need something like gateway to map your http call to your gRPC server. Check this out.
You need to compile your proto file as gateway service definitions as well using provided tools. Now you can create your normal http server with tls enabled through something like http.ListenAndServeTLS(...). Dont forget to register your grpc server to the http server using the service definitions compiled from the proto file. With this all your requests to are encrypted with tls to your http server like normal rest apis do, but get proxied to gRPC server you defined. There's no need to enable tls at your gRPC server since it has been enabled in your http server.

Network traffic forwarding over grpc port

I have a requirement where I need to forward all the request from different sources to another network by grpc.
Request Server<-> Grpc Client <-> Internet <-> Grpc Server <-> Resource Server.
Request server and grpc client on same network.
Resource server and grpc server are on same network .
How to do I forward request server request to port that is sending data to grpc server ?
MY grpc server and client are in java so using grpc-java interface.
It sounds like you want a grpc-java-based proxy. "Grpc Client" in your diagram could be any HTTP/2 proxy. But you could use grpc-java to implement it.
I made an example generic proxy a while back. It does not need any information about the methods it is proxying. You basically just create a new outbound RPC for each inbound RPC and plug the inputs of one to the outputs of the other and vise versa.

grpc - Invert Request/Response flow: server requests, clients responds

As explained in the grpc overview, the default flow is that a client connects to the server and sends requests, to which the server responds adequately (well, hopefully).
I'm interested in using grpc for a new project, but the flow must be inverted. I want the client to answer questions. But it can't be the server since it'll be hidden behind firewalls and may not listen on ports.
The flow I need is:
Server is listening as usual
Client connects to the server as usual
From then on, the server asks questions (sends requests), and the client answers them, and not the other way around as is usual.
Is there a way to do that with grpc? It can involve network configuration on the server side, but none is possible on the client side.
gRPC natively supports bi-directional streaming. And what you need can be achieved by that.
Client connects to server, wait to read server message (questions)
Server asks questions (sends messages to client)
Client replies (sends messages to server)

Resources