3

I have a GRPC Web client and a GRPC Server and I am using envoy proxy from the conversion of HTTP 1.1 to HTTP2.

My server creation Logic uses TLS. The code is as follows:

    var opts []grpc.ServerOption
    creds, err := credentials.NewServerTLSFromFile("cert/server.crt", "cert/server.key")
    if err != nil {
        log.Fatalf("Failed to generate credentials %v", err)
    }
    opts = []grpc.ServerOption{grpc.Creds(creds)}
    server := grpc.NewServer(opts...)

I am calling the From my react client as follows:

const client = new LiveClient('http://localhost:8080')
const request = new GetLiveRequest()
    request.setApi(1)
    request.setTrackkey(trackKey)

    // on success response
    const stream = client.getLive(request, {})
    stream.on('data', response => {
         console.log(response);
    }

The envoy.yaml is as follows:

admin:
  access_log_path: /tmp/admin_access.log
  address:
    socket_address: { address: 0.0.0.0, port_value: 9901 }

static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        config:
          codec_type: auto
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route:
                  cluster: greeter_service
                  max_grpc_timeout: 0s
              cors:
                allow_origin:
                - "*"
                allow_methods: GET, PUT, DELETE, POST, OPTIONS
                allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,custom-header-1,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout
                max_age: "1728000"
                expose_headers: custom-header-1,grpc-status,grpc-message
          http_filters:
          - name: envoy.grpc_web
          - name: envoy.cors
          - name: envoy.router
      tls_context:
        common_tls_context:
          alpn_protocols: "h2"
          tls_certificates:
            - certificate_chain:
                filename: "/etc/server.crt"
              private_key:
                filename: "/etc/server.key"
  clusters:
  - name: greeter_service
    connect_timeout: 0.25s
    type: logical_dns
    http2_protocol_options: {}
    lb_policy: round_robin
    hosts: [{ socket_address: { address: app, port_value: 3000 }}]

The Dockerfile for envoy is as follows:

FROM envoyproxy/envoy:36f39c746eb7d03b762099b206403935b11972d8
COPY ./envoy.yaml /etc/envoy/envoy.yaml

ADD ./cert/server.crt /etc/server.crt
ADD ./cert/server.key /etc/server.key
ADD ./cert/server.csr /etc/server.csr

WORKDIR /etc/envoy
CMD /usr/local/bin/envoy -c /etc/envoy/envoy.yaml

I am getting the following error when:

{code: 2, message: "Http response at 400 or 500 level"}

But when I remove the SSL authentication from backend server. It is working fine. I have also created a grpc client and TLS is working fine with it. I am unable to find what is going wrong in my envoy configuration for TLS.

On further investigation in am getting following in envoy logs. TLS error: 268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER

The TLS certificates are working fine if I use it with envoy by directly using a GRPC client.

Anshu Kumar
  • 807
  • 1
  • 8
  • 27

2 Answers2

6

Your backend is already talking HTTPS through. So you don't need to configure tls_context in the envoy's config. And you have to use tcp_proxy instead of http_connection_manager Here. You also need to configure transport_socket for the proxy of your TLS backend Here.

static_resources:
  # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/config/listener/v3/listener.proto#config-listener-v3-listener
  listeners:
    - name: listener_0
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 8080
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#extensions-filters-network-http-connection-manager-v3-httpconnectionmanager
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                access_log:
                  # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/access_loggers/file/v3/file.proto
                  #
                  # You can also configure this extension with the qualified
                  # name envoy.access_loggers.http_grpc
                  # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/access_loggers/grpc/v3/als.proto
                  - name: envoy.access_loggers.file
                    typed_config:
                      # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/access_loggers/file/v3/file.proto#extensions-access-loggers-file-v3-fileaccesslog
                      "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                      # Console output
                      path: /dev/stdout
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: local_service
                      domains:
                        - "*"
                      routes:
                        - match:
                            prefix: /
                            grpc:
                          route:
                            cluster: greeter_service
                      cors:
                        allow_origin_string_match:
                          - prefix: "*"
                        allow_methods: GET, PUT, DELETE, POST, OPTIONS
                        # custom-header-1 is just an example. the grpc-web
                        # repository was missing grpc-status-details-bin header
                        # which used in a richer error model.
                        # https://grpc.io/docs/guides/error/#richer-error-model
                        allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,grpc-status-details-bin,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout,authorization
                        expose_headers: grpc-status-details-bin,grpc-status,grpc-message,authorization
                        max_age: "1728000"
                http_filters:
                  - name: envoy.filters.http.grpc_web
                    # This line is optional, but adds clarity to the configuration.
                    typed_config:
                      # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/filters/http/grpc_web/v3/grpc_web.proto
                      "@type": type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
                  - name: envoy.filters.http.cors
                    typed_config:
                      # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/filters/http/cors/v3/cors.proto
                      "@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors
                  - name: envoy.filters.http.router
                    typed_config:
                      # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/filters/http/router/v3/router.proto
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/transport_sockets/tls/v3/tls.proto#extensions-transport-sockets-tls-v3-downstreamtlscontext
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
              common_tls_context:
                tls_certificates:
                  - certificate_chain:
                      # Certificate must be PEM-encoded
                      filename: /etc/fullchain.pem
                    private_key:
                      filename: /etc/privkey.pem

  clusters:
    # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster
    - name: greeter_service
      type: LOGICAL_DNS
      connect_timeout: 0.25s
      lb_policy: round_robin
      load_assignment:
        cluster_name: greeter_service
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: app
                      port_value: 3000
      http2_protocol_options: {} # Force HTTP/2
      # Your grpc server communicates over TLS. You must configure the transport
      # socket. If you care about the overhead, you should configure the grpc
      # server to listen without TLS. If you need to listen to grpc-web and grpc
      # over HTTP/2 both you can also proxy your TCP traffic with the envoy.
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
Данил Шевченко
  • 76
  • 3
  • It will be helpful if you can provide me with changes I need to do in envoy.yaml – Anshu Kumar Jul 15 '20 at 03:52
  • 1
    Your envoy.yaml uses the legacy envoy configuration format and needs to be rewritten completely. Use the envoy documentation (https://envoyproxy.io) when creating a config file, instead of copying configs from outdated posts. – Данил Шевченко Jul 26 '20 at 05:08
  • Note that this configuration is part of the [official gRPC-web documentation](https://github.com/grpc/grpc-web/tree/master/net/grpc/gateway/examples/helloworld#configure-the-proxy). Maybe, you could submit a pull request to enable a broad audience from googling for a solution. – koppor Jan 31 '21 at 00:11
0

Have you tried calling HTTPS from client?

const client = new LiveClient('https://localhost:8080')

Without this I'm getting Http response at 400 or 500 level as well.

dmaixner
  • 808
  • 1
  • 7
  • 16