I have been looking for this for a while now. Still not sure if Envoy and Nginx do all the TLS stuff for a web-gRPC client.
In my case, my Nginx config works well with gRPC client and server. However, it is not working for web-gRPC client.
Nginx is no longer being actively supported for grpc-web. The default proxy for grpc-web is Envoy. You should be able to set up TLS by setting some config with the envoy.yaml file. In particular, look under the 'tls_context' section.
I have various nginx servers and recently I noticed that by default these servers respond using the HTTP/2 version of the protocol.
I haven't configured the http2 parameter in nginx.conf.
Is this the right behavior?
No, that is not the default.
If you observe HTTP2 despite not configuring it in NGINX, you likely have a CDN in front of it, e.g. Cloudflare.
I'm a newbie to grpc and have played with simple grpc clients in java, go, and python. I know basic http and https but am not familiar with protocol details. So this question may be ridiculous to you but I didn't find any explanation online.
I know grpc has insecure (go: grpc.WithInsecure(), python: grpc.insecure_channel, java: usePlaintext()) and secure mode (TLS), and grpc is based on httpv2, and http has security mode (https).
So what if I use insecure grpc with https? Is the overall data transfer safe?
And what if I use TLS grpc with https? Is there performance overhead (because I think the messages are encrypted twice)?
Thank you for any answer; any existing webpages explaining this topic would be best!
Insecure implies http. And TLS implies https. So there's no way "to use insecure grpc with https", as at that point it is then http.
There is no double-encryption. The gRPC security mode is the same as the HTTP security mode.
Using gRPC over TLS is highly recommended if your gRPC server is serving requests coming from outside (external network). For example, you're creating a front-end app in JavaScript serving user requests. Your JavaScript app makes calls to your gRPC server for the APIs your server provides. Your JavaScript communicates with your gRPC server through a stub created on the JavaScript end. On the gRPC server end, you need to set up a TLS mechanism to secure communication between your JavaScript app and your gRPC server (because requests are coming from outside).
gRPC is somehow mostly used for internal service communication inside an internal network in a microservice architecture. You don't need to set tls for internal network usage since requests are coming from your own environment, from within your watch.
If you want to apply something like "gRPC over HTTPS", then you need something like gateway to map your http call to your gRPC server. Check this out.
You need to compile your proto file as gateway service definitions as well, using the provided tools. Now you can create your normal http server with tls enabled through something like http.ListenAndServeTLS(...). Don't forget to register your grpc server to the http server using the service definitions compiled from the proto file. With this, all your requests are encrypted with tls to your http server like normal rest apis do, but get proxied to the gRPC server you defined. There's no need to enable tls at your gRPC server since it has been enabled in your http server.
guys!
I built a chat application based on WebSocket. As a backend I use PHP, with nginx as a proxy for the WebSocket connection.
Searching for PHP libs for WS gave me Ratchet. This tool supports the WAMP protocol. Something about it: http://wamp-proto.org/why/
Well, I've decided to use this protocol - it seems useful. I tuned nginx to proxy WebSocket connections in the standard way. And for common use of WebSocket at frontend/backend - all is ok.
But if I start using WAMP at the backend and try to use autobahn.js for WAMP at the frontend, I get 426 No Sec-WebSocket-Protocols requested supported as the response every time. In PHP I see that the connection from nginx is not being received. So, as I understand it, nginx doesn't process connections with the WAMP subprotocol in the right way.
So, I don't understand, should I use nginx as a proxy for WAMP? WAMP is just a subprotocol for WebSocket, but it doesn't work for me.
Does anybody know where the problem is?
Seems like Nginx isn't forwarding the WebSocket subprotocol announced by the client to the backend WAMP router.
Try adding this to your Nginx conf:
proxy_set_header Sec-WebSocket-Protocol $http_sec_websocket_protocol;
See: https://stackoverflow.com/a/36506746/884770
I want to set up my web page to make HTTP2 requests to a Jetty API server. I read that browsers will only use the "h2" protocol, that is, HTTP2 with TLS. However, my setup has a kubernetes ingress performing SSL termination, and proxying a cleartext request back to the Jetty server. The dilemma is that I don't think I want to negotiate an "h2" connection using Jetty, because that would require an SSL context on that server.
My question is, will this setup allow a browser to perform HTTP2 requests? If so, what do I need to enable on the Jetty server in order to properly serve HTTP2 requests?
You can configure Jetty to serve clear-text HTTP/2 (also known as h2c), so that your setup will be:
browser -- h2 --> kubernetes tls termination -- h2c --> Jetty
In order to set up Jetty with clear-text HTTP/2, you just need to enable the http2c module if you are using Jetty as a standalone server, see http://www.eclipse.org/jetty/documentation/current/http2-enabling.html.
Alternatively, if you're using Jetty embedded you can look at this example.
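The answers above distinguish TLS (h2, "secure" gRPC) from clear-text HTTP/2 (h2c, "insecure" gRPC). As an added example, not code from any of the posts, this Python function labels a connection from the first bytes a listener or packet capture sees, which is one way to confirm what a given hop actually carries. The function name, labels and sample bytes are constructed for illustration.

```python
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # HTTP/2 client connection preface


def classify_first_bytes(data: bytes) -> str:
    """Label a connection from the first bytes a listener or capture sees."""
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"  # h2 vs http/1.1 is then picked by ALPN inside the handshake
    if data.startswith(H2_PREFACE):
        frame = data[len(H2_PREFACE):len(H2_PREFACE) + 9]
        if len(frame) == 9:
            length = int.from_bytes(frame[0:3], "big")
            stream_id = int.from_bytes(frame[5:9], "big") & 0x7FFFFFFF
            # The preface must be followed by a SETTINGS frame (type 0x04) on stream 0.
            if frame[3] != 0x04 or stream_id != 0 or length % 6 != 0:
                return "unknown"
        return "h2c-prior-knowledge"  # what a plaintext gRPC channel sends
    head, sep, _ = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not sep or not lines[0].endswith((b" HTTP/1.1", b" HTTP/1.0")):
        return "unknown"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    tokens = [t.strip() for t in headers.get(b"upgrade", b"").split(b",")]
    if b"h2c" in tokens and b"http2-settings" in headers:
        return "h2c-upgrade"
    return "http/1.1"


# Constructed samples, not captured traffic.
SAMPLES = {
    "tls_client_hello": bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00]),
    "plaintext_grpc_or_h2c": H2_PREFACE + b"\x00\x00\x00\x04\x00\x00\x00\x00\x00",
    "h2c_upgrade": (b"GET / HTTP/1.1\r\nHost: jetty.example\r\n"
                    b"Connection: Upgrade, HTTP2-Settings\r\nUpgrade: h2c\r\n"
                    b"HTTP2-Settings: AAMAAABk\r\n\r\n"),
    "plain_http": b"GET /health HTTP/1.1\r\nHost: jetty.example\r\n\r\n",
}


def classify_samples():
    return {name: classify_first_bytes(raw) for name, raw in SAMPLES.items()}
```

Anything other than "tls" on a hop means the request and response bodies on that hop are readable to whoever can observe it.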
I have a running HTTP web application and I am facing problems making it run over HTTPS.
I am thinking of bringing in some HTTPS proxy that accepts user requests and forwards them to the HTTP web app.
What do you think of that? And how can I accomplish that?
Setting up stunnel is a no-brainer - and it's available for Unix/Linux/Posix/MSWindows (you might have mentioned what OS you are using).
(Also you can run the program to encrypt or decrypt, at the server or at the client side)
It's possible to run Apache Httpd (for example) using HTTPS and use mod_proxy_http as a reverse proxy to forward the requests to your existing HTTP server. Of course, for this to be of any use, you'd need the reverse proxy and the target server to be connected in such a way that connections cannot be sniffed or altered.
You may find that the existing server needs certain extra settings for it to be aware it's using HTTPS (for example, special Valves in Apache Tomcat to set the HTTPS flag to true).
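An added example, not part of the original answer: the "extra settings" idea written as Python WSGI middleware for an HTTP app behind a TLS-terminating reverse proxy. It assumes the proxy sets an X-Forwarded-Proto header, overwrites any client-supplied copy, and connects from loopback; the class, helper and cookie names are made up for this illustration.

```python
import ipaddress

# Assumption: the TLS-terminating proxy reaches the app over loopback.
TRUSTED_PROXIES = (ipaddress.ip_network("127.0.0.1/32"), ipaddress.ip_network("::1/128"))


class BehindTlsProxy:
    """WSGI middleware: believe X-Forwarded-Proto only from the trusted proxy."""

    def __init__(self, app, trusted=TRUSTED_PROXIES, require_https=True):
        self.app, self.trusted, self.require_https = app, trusted, require_https

    def _peer_is_proxy(self, environ):
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False
        return any(peer in net for net in self.trusted)

    def __call__(self, environ, start_response):
        # Always remove the header so the app never sees a client-supplied value.
        proto = environ.pop("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        if self._peer_is_proxy(environ) and proto == "https":
            environ["wsgi.url_scheme"] = "https"
        if self.require_https and environ.get("wsgi.url_scheme") != "https":
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"HTTPS required\n"]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    # With the scheme set correctly the app can mark its session cookie Secure.
    headers = [("Content-Type", "text/plain"),
               ("Set-Cookie", "sid=constructed-value; HttpOnly; Secure")]
    start_response("200 OK", headers)
    return [environ["wsgi.url_scheme"].encode()]


def simulate(remote_addr, forwarded_proto=None):
    """Run one constructed request through the middleware; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
               "REMOTE_ADDR": remote_addr, "wsgi.url_scheme": "http"}
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    seen = {}
    body = BehindTlsProxy(demo_app)(environ, lambda status, headers: seen.update(status=status))
    return seen["status"], b"".join(body)
```

A request that reaches the app directly with a spoofed header is refused, which is the application-side counterpart to keeping the proxy-to-server link where it cannot be sniffed or altered.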
Apache httpd reverse-proxy?