You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2020/07/13 13:58:55 UTC
[GitHub] [incubator-apisix] houshunwei opened a new issue #1833: request help: how to proxy grpc to grpcs.
houshunwei opened a new issue #1833:
URL: https://github.com/apache/incubator-apisix/issues/1833
### Issue description
I use Apisix as multi-cluster ingress as following picture shows. But I cannot go through ②,because apisix uses http to request upsterams by default。 Even I use proxy-rewrite plugins to force use https, it has the same error log in `APISIX2 Cluster`:
```
172.20.56.141 - - [13/Jul/2020:11:02:36 +0800] - "PRI * HTTP/2.0" - - 400 154 0.020 "-" "-" - - -
```
Client request has the following different flows:
cross cluster request: ① --> ② --> ④
same cluster request: ③ --> ④
What should I do? Can any one give me some hint?
I have some thoughts:
Thought One: do not use https when proxying grpc. but how to config?
Thought Two: trust cert of upsteram(it's APISIX2 here) but how?
### Environment
* apisix version (cmd: `apisix version`): 1.4
* OS: docker, centos 7
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [incubator-apisix] membphis commented on issue #1833: request help: how to proxy grpc to grpcs.
Posted by GitBox <gi...@apache.org>.
membphis commented on issue #1833:
URL: https://github.com/apache/incubator-apisix/issues/1833#issuecomment-657977695
`grpc` or `grpcs` is very different for `route.value.service_protocol`. I think it is fine.
we can not change the `protocol` dynamically in Nginx. we have to use the different `location` for this case.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [incubator-apisix] houshunwei commented on issue #1833: request help: how to proxy grpc to grpcs.
Posted by GitBox <gi...@apache.org>.
houshunwei commented on issue #1833:
URL: https://github.com/apache/incubator-apisix/issues/1833#issuecomment-657953542
> @houshunwei we can support the `grpcs` in this way:
>
> https://github.com/apache/incubator-apisix/blob/master/apisix/init.lua#L280
>
> we can take a look at this PR: #410
It's not good to extend `route.value.service_protocol` enum. Because `Route` is more like 'Traffic Income' and `Upstream` is more like 'Traffic Out' 。 So if proxying to grpcs, it's better to use plugins or upstream?
above is what i confused about.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [incubator-apisix] membphis commented on issue #1833: request help: how to proxy grpc to grpcs.
Posted by GitBox <gi...@apache.org>.
membphis commented on issue #1833:
URL: https://github.com/apache/incubator-apisix/issues/1833#issuecomment-657577736
welcome PR ^_^
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [incubator-apisix] houshunwei edited a comment on issue #1833: request help: how to proxy grpc to grpcs.
Posted by GitBox <gi...@apache.org>.
houshunwei edited a comment on issue #1833:
URL: https://github.com/apache/incubator-apisix/issues/1833#issuecomment-657432792
I have resolved this problem:
First Try: extend proxy-rewrite(add grpc and grpcs scheme) and change apisix bin file:
```
location @grpc_pass {
set $upstream_scheme 'grpc';
access_by_lua_block {
apisix.grpc_access_phase()
}
grpc_set_header Content-Type application/grpc;
grpc_socket_keepalive on;
grpc_pass $upstream_scheme://apisix_backend;
...
```
Problem: `grpc_pass` is different form `proxy_pass`, it cannot accept variable( which you defined by `set`).
Result: `Failed`.
Second Try:add other block in apisix bin file. and change jugement in init.lua
```
location @grpc_pass_ssl {
access_by_lua_block {
apisix.grpc_access_phase()
}
grpc_set_header Content-Type application/grpc;
grpc_socket_keepalive on;
grpc_pass grpcs://apisix_backend;
...
```
Result: It works!
I will close this issue now.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [incubator-apisix] houshunwei commented on issue #1833: request help: how can apisix trust cert of upstream (like insecure request to upstream).
Posted by GitBox <gi...@apache.org>.
houshunwei commented on issue #1833:
URL: https://github.com/apache/incubator-apisix/issues/1833#issuecomment-657352851
I found this:`proxy_ssl_verify off`. I am testing it now.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [incubator-apisix] houshunwei edited a comment on issue #1833: request help: how to proxy grpc to grpcs.
Posted by GitBox <gi...@apache.org>.
houshunwei edited a comment on issue #1833:
URL: https://github.com/apache/incubator-apisix/issues/1833#issuecomment-657432792
I have resolved this problem:
First Try: extend proxy-rewrite(add grpc and grpcs scheme) and change apisix bin file:
```
location @grpc_pass {
set $upstream_scheme 'grpc';
access_by_lua_block {
apisix.grpc_access_phase()
}
grpc_set_header Content-Type application/grpc;
grpc_socket_keepalive on;
grpc_pass $upstream_scheme://apisix_backend;
...
```
Problem: `grpc_pass` is different form `proxy_pass`, it cannot accept variable( which you defined by `set`).
Result: `Failed`.
Second Try:add other block in apisix bin file. and change judgement in init.lua
```
location @grpc_pass_ssl {
access_by_lua_block {
apisix.grpc_access_phase()
}
grpc_set_header Content-Type application/grpc;
grpc_socket_keepalive on;
grpc_pass grpcs://apisix_backend;
...
```
Result: It works!
I will close this issue now.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [incubator-apisix] houshunwei commented on issue #1833: request help: how can apisix trust cert of upstream (like insecure request to upstream).
Posted by GitBox <gi...@apache.org>.
houshunwei commented on issue #1833:
URL: https://github.com/apache/incubator-apisix/issues/1833#issuecomment-657375551
actually,it's because following in apisix bin file:
```
grpc_pass grpc://apisix_backend;
```
@membphis , do you has any hint to change so i can support `grpc://` and `grpcs://` according to route setting?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [incubator-apisix] houshunwei edited a comment on issue #1833: request help: how can apisix trust cert of upstream (like insecure request to upstream).
Posted by GitBox <gi...@apache.org>.
houshunwei edited a comment on issue #1833:
URL: https://github.com/apache/incubator-apisix/issues/1833#issuecomment-657352851
I found this:`proxy_ssl_verify off`. I am testing it now.
---- I added it into `location @grpc_pass ` of apisix bin file. but it does not work.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [incubator-apisix] houshunwei commented on issue #1833: request help: how to proxy grpc to grpcs.
Posted by GitBox <gi...@apache.org>.
houshunwei commented on issue #1833:
URL: https://github.com/apache/incubator-apisix/issues/1833#issuecomment-657934073
> welcome PR ^_^
The problem is: I use a tricky judgement in init.lua, which is not common.
Do you have any hint? Should I add a field to upstream to label it is grpcs?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [incubator-apisix] houshunwei closed issue #1833: request help: how to proxy grpc to grpcs.
Posted by GitBox <gi...@apache.org>.
houshunwei closed issue #1833:
URL: https://github.com/apache/incubator-apisix/issues/1833
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [incubator-apisix] membphis commented on issue #1833: request help: how to proxy grpc to grpcs.
Posted by GitBox <gi...@apache.org>.
membphis commented on issue #1833:
URL: https://github.com/apache/incubator-apisix/issues/1833#issuecomment-657943318
@houshunwei we can support the `grpcs` in this way:
https://github.com/apache/incubator-apisix/blob/master/apisix/init.lua#L280
we can take a look at this PR: https://github.com/apache/incubator-apisix/pull/410
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [incubator-apisix] houshunwei commented on issue #1833: request help: how to proxy grpc to grpcs.
Posted by GitBox <gi...@apache.org>.
houshunwei commented on issue #1833:
URL: https://github.com/apache/incubator-apisix/issues/1833#issuecomment-657432792
I have resolve this problem:
First Try: extend proxy-rewrite(add grpc and grpcs scheme) and change apisix bin file:
```
location @grpc_pass {
set $upstream_scheme 'grpc';
access_by_lua_block {
apisix.grpc_access_phase()
}
grpc_set_header Content-Type application/grpc;
grpc_socket_keepalive on;
grpc_pass $upstream_scheme://apisix_backend;
...
```
Problem: `grpc_pass` is different form `proxy_pass`, it cannot accept variable( which you defined by `set`).
Result: `Failed`.
Second Try:add other block in apisix bin file. and change jugement in init.lua
```
location @grpc_pass_ssl {
access_by_lua_block {
apisix.grpc_access_phase()
}
grpc_set_header Content-Type application/grpc;
grpc_socket_keepalive on;
grpc_pass grpcs://apisix_backend;
...
```
Result: It works!
I will close this issue now.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org