3

我有一个 GRPC Web 客户端和一个 GRPC 服务器,我正在使用 envoy 代理从 HTTP 1.1 到 HTTP2 的转换。

我的服务器创建逻辑使用 TLS。代码如下:

    var opts []grpc.ServerOption
    creds, err := credentials.NewServerTLSFromFile("cert/server.crt", "cert/server.key")
    if err != nil {
        log.Fatalf("Failed to generate credentials %v", err)
    }
    opts = []grpc.ServerOption{grpc.Creds(creds)}
    server := grpc.NewServer(opts...)

我从我的反应客户端调用如下:

const client = new LiveClient('http://localhost:8080')
const request = new GetLiveRequest()
    request.setApi(1)
    request.setTrackkey(trackKey)

    // on success response
    const stream = client.getLive(request, {})
    stream.on('data', response => {
         console.log(response);
    }

envoy.yaml 如下:

admin:
  access_log_path: /tmp/admin_access.log
  address:
    socket_address: { address: 0.0.0.0, port_value: 9901 }

static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        config:
          codec_type: auto
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route:
                  cluster: greeter_service
                  max_grpc_timeout: 0s
              cors:
                allow_origin:
                - "*"
                allow_methods: GET, PUT, DELETE, POST, OPTIONS
                allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,custom-header-1,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout
                max_age: "1728000"
                expose_headers: custom-header-1,grpc-status,grpc-message
          http_filters:
          - name: envoy.grpc_web
          - name: envoy.cors
          - name: envoy.router
      tls_context:
        common_tls_context:
          alpn_protocols: "h2"
          tls_certificates:
            - certificate_chain:
                filename: "/etc/server.crt"
              private_key:
                filename: "/etc/server.key"
  clusters:
  - name: greeter_service
    connect_timeout: 0.25s
    type: logical_dns
    http2_protocol_options: {}
    lb_policy: round_robin
    hosts: [{ socket_address: { address: app, port_value: 3000 }}]

envoy 的 Dockerfile 如下:

FROM envoyproxy/envoy:36f39c746eb7d03b762099b206403935b11972d8
COPY ./envoy.yaml /etc/envoy/envoy.yaml

ADD ./cert/server.crt /etc/server.crt
ADD ./cert/server.key /etc/server.key
ADD ./cert/server.csr /etc/server.csr

WORKDIR /etc/envoy
CMD /usr/local/bin/envoy -c /etc/envoy/envoy.yaml

我在以下情况下收到以下错误:

{code: 2, message: "Http response at 400 or 500 level"}

但是当我从后端服务器中删除 SSL 身份验证时。它工作正常。我还创建了一个 grpc 客户端,并且 TLS 可以正常工作。我无法在我的 TLS 特使配置中找到问题所在。

在特使日志中得到关注的进一步调查。 TLS error: 268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER

如果我通过直接使用 GRPC 客户端将 TLS 证书与 envoy 一起使用,则它可以正常工作。

4

2 回答 2

5

您的后端已经在通过 HTTPS 进行通信。所以你不需要在 envoy 的配置中配置 tls_context。而且你必须在这里使用 tcp_proxy 而不是http_connection_manager。您还需要为您的 TLS 后端的代理配置 transport_socket Here

static_resources:
  # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/config/listener/v3/listener.proto#config-listener-v3-listener
  listeners:
    - name: listener_0
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 8080
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#extensions-filters-network-http-connection-manager-v3-httpconnectionmanager
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                access_log:
                  # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/access_loggers/file/v3/file.proto
                  #
                  # You can also configure this extension with the qualified
                  # name envoy.access_loggers.http_grpc
                  # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/access_loggers/grpc/v3/als.proto
                  - name: envoy.access_loggers.file
                    typed_config:
                      # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/access_loggers/file/v3/file.proto#extensions-access-loggers-file-v3-fileaccesslog
                      "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                      # Console output
                      path: /dev/stdout
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: local_service
                      domains:
                        - "*"
                      routes:
                        - match:
                            prefix: /
                            grpc:
                          route:
                            cluster: greeter_service
                      cors:
                        allow_origin_string_match:
                          - prefix: "*"
                        allow_methods: GET, PUT, DELETE, POST, OPTIONS
                        # custom-header-1 is just an example. the grpc-web
                        # repository was missing grpc-status-details-bin header
                        # which used in a richer error model.
                        # https://grpc.io/docs/guides/error/#richer-error-model
                        allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,grpc-status-details-bin,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout,authorization
                        expose_headers: grpc-status-details-bin,grpc-status,grpc-message,authorization
                        max_age: "1728000"
                http_filters:
                  - name: envoy.filters.http.grpc_web
                    # This line is optional, but adds clarity to the configuration.
                    typed_config:
                      # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/filters/http/grpc_web/v3/grpc_web.proto
                      "@type": type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
                  - name: envoy.filters.http.cors
                    typed_config:
                      # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/filters/http/cors/v3/cors.proto
                      "@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors
                  - name: envoy.filters.http.router
                    typed_config:
                      # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/filters/http/router/v3/router.proto
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/transport_sockets/tls/v3/tls.proto#extensions-transport-sockets-tls-v3-downstreamtlscontext
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
              common_tls_context:
                tls_certificates:
                  - certificate_chain:
                      # Certificate must be PEM-encoded
                      filename: /etc/fullchain.pem
                    private_key:
                      filename: /etc/privkey.pem

  clusters:
    # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster
    - name: greeter_service
      type: LOGICAL_DNS
      connect_timeout: 0.25s
      lb_policy: round_robin
      load_assignment:
        cluster_name: greeter_service
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: app
                      port_value: 3000
      http2_protocol_options: {} # Force HTTP/2
      # Your grpc server communicates over TLS. You must configure the transport
      # socket. If you care about the overhead, you should configure the grpc
      # server to listen without TLS. If you need to listen to grpc-web and grpc
      # over HTTP/2 both you can also proxy your TCP traffic with the envoy.
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
于 2020-07-14T23:13:05.393 回答
0

您是否尝试过从客户端调用 HTTPS?

const client = new LiveClient('https://localhost:8080')

没有这个,我也会得到Http response at 400 or 500 level

于 2020-06-30T12:17:02.010 回答