You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@apisix.apache.org by sp...@apache.org on 2021/02/19 01:05:01 UTC
[apisix] branch master updated: feat: support listen http2 with
plaintext (#3547)
This is an automated email from the ASF dual-hosted git repository.
spacewander pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 5f4e8df feat: support listen http2 with plaintext (#3547)
5f4e8df is described below
commit 5f4e8df42df25de5d9b6748f18f85550edee8c05
Author: 大可 <hn...@gmail.com>
AuthorDate: Fri Feb 19 09:04:48 2021 +0800
feat: support listen http2 with plaintext (#3547)
---
.travis/linux_openresty_common_runner.sh | 10 +++++++
apisix/cli/ngx_tpl.lua | 8 ++---
apisix/cli/ops.lua | 14 +++++++--
doc/grpc-proxy.md | 27 ++++++++++++++++-
doc/zh-cn/grpc-proxy.md | 28 +++++++++++++++++-
t/core/config-default.t | 50 ++++++++++++++++++++++++++++++++
t/grpc-proxy-test.sh | 4 +++
7 files changed, 133 insertions(+), 8 deletions(-)
diff --git a/.travis/linux_openresty_common_runner.sh b/.travis/linux_openresty_common_runner.sh
index 32d2c3e..4b11db3 100755
--- a/.travis/linux_openresty_common_runner.sh
+++ b/.travis/linux_openresty_common_runner.sh
@@ -106,6 +106,16 @@ script() {
-crt ./t/certs/apisix.crt -key ./t/certs/apisix.key \
&
+ # listen 9081 for http2 with plaintext
+ echo '
+apisix:
+ node_listen:
+ - port: 9080
+ enable_http2: false
+ - port: 9081
+ enable_http2: true
+ ' > conf/config.yaml
+
./bin/apisix help
./bin/apisix init
./bin/apisix init_etcd
diff --git a/apisix/cli/ngx_tpl.lua b/apisix/cli/ngx_tpl.lua
index 466ae3e..cf0799f 100644
--- a/apisix/cli/ngx_tpl.lua
+++ b/apisix/cli/ngx_tpl.lua
@@ -362,8 +362,8 @@ http {
{% end %}
server {
- {% for _, port in ipairs(node_listen) do %}
- listen {* port *} {% if enable_reuseport then %} reuseport {% end %};
+ {% for _, item in ipairs(node_listen) do %}
+ listen {* item.port *} {% if enable_reuseport then %} reuseport {% end %} {% if item.enable_http2 then %} http2 {% end %};
{% end %}
{% if ssl.enable then %}
{% for _, port in ipairs(ssl.listen_port) do %}
@@ -378,8 +378,8 @@ http {
{% end %}
{% if enable_ipv6 then %}
- {% for _, port in ipairs(node_listen) do %}
- listen [::]:{* port *} {% if enable_reuseport then %} reuseport {% end %};
+ {% for _, item in ipairs(node_listen) do %}
+ listen [::]:{* item.port *} {% if enable_reuseport then %} reuseport {% end %} {% if item.enable_http2 then %} http2 {% end %};
{% end %}
{% if ssl.enable then %}
{% for _, port in ipairs(ssl.listen_port) do %}
diff --git a/apisix/cli/ops.lua b/apisix/cli/ops.lua
index 11ae1af..6a206fa 100644
--- a/apisix/cli/ops.lua
+++ b/apisix/cli/ops.lua
@@ -238,9 +238,19 @@ Please modify "admin_key" in conf/config.yaml .
util.die("missing apisix.proxy_cache for plugin proxy-cache\n")
end
- --support multiple ports listen, compatible with the original style
+ -- support multiple ports listen, compatible with the original style
if type(yaml_conf.apisix.node_listen) == "number" then
- local node_listen = {yaml_conf.apisix.node_listen}
+ local node_listen = {{port = yaml_conf.apisix.node_listen}}
+ yaml_conf.apisix.node_listen = node_listen
+ elseif type(yaml_conf.apisix.node_listen) == "table" then
+ local node_listen = {}
+ for index, value in ipairs(yaml_conf.apisix.node_listen) do
+ if type(value) == "number" then
+ table_insert(node_listen, index, {port = value})
+ elseif type(value) == "table" then
+ table_insert(node_listen, index, value)
+ end
+ end
yaml_conf.apisix.node_listen = node_listen
end
diff --git a/doc/grpc-proxy.md b/doc/grpc-proxy.md
index ee1d57b..42c8f56 100644
--- a/doc/grpc-proxy.md
+++ b/doc/grpc-proxy.md
@@ -37,6 +37,7 @@ Here's an example, to proxying gRPC service by specified route:
* attention: the `scheme` of the route's upstream must be `grpc` or `grpcs`.
* attention: APISIX use TLS‑encrypted HTTP/2 to expose gRPC service, so need to [config SSL certificate](https.md)
+* attention: APISIX also support to expose gRPC service with plaintext HTTP/2, which does not rely on TLS, usually used to proxy gRPC service in intranet environment
* the grpc server example:[grpc_server_example](https://github.com/iresty/grpc_server_example)
```shell
@@ -54,7 +55,7 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13
}'
```
-#### testing
+#### testing HTTP/2 with TLS‑encrypted
Invoking the route created before:
@@ -67,6 +68,30 @@ $ grpcurl -insecure -import-path /pathtoprotos -proto helloworld.proto -d '{"n
This means that the proxying is working.
+#### testing HTTP/2 with plaintext
+
+By default, the APISIX only listens to `9443` for TLS‑encrypted HTTP/2. You can support HTTP/2 with plaintext via the `node_listen` section under `apisix` in `conf/config.yaml`:
+
+```yaml
+apisix:
+ node_listen:
+ - port: 9080
+ enable_http2: false
+ - port: 9081
+ enable_http2: true
+```
+
+Invoking the route created before:
+
+```shell
+$ grpcurl -plaintext -import-path /pathtoprotos -proto helloworld.proto -d '{"name":"apisix"}' 127.0.0.1:9081 helloworld.Greeter.SayHello
+{
+ "message": "Hello apisix"
+}
+```
+
+This means that the proxying is working.
+
### gRPCS
If your gRPC service encrypts with TLS by itself (so called `gPRCS`, gPRC + TLS), you need to change the `scheme` to `grpcs`. The example above runs gRPCS service on port 50052, to proxy gRPC request, we need to use the configuration below:
diff --git a/doc/zh-cn/grpc-proxy.md b/doc/zh-cn/grpc-proxy.md
index 85b262f..93b1657 100644
--- a/doc/zh-cn/grpc-proxy.md
+++ b/doc/zh-cn/grpc-proxy.md
@@ -36,6 +36,7 @@
* 注意:这个 Route 对应的 Upstream 的 `scheme` 必须设置为 `grpc` 或者 `grpcs`。
* 注意: APISIX 使用 TLS 加密的 HTTP/2 暴露 gRPC 服务, 所以需要先 [配置 SSL 证书](https.md);
+* 注意: APISIX 也支持通过纯文本的 HTTP/2 暴露 gRPC 服务,这不需要依赖 SSL,通常用于内网环境代理gRPC服务
* 下面例子所代理的 gRPC 服务可供参考:[grpc_server_example](https://github.com/api7/grpc_server_example)。
```shell
@@ -53,7 +54,7 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13
}'
```
-### 测试
+### 测试 TLS 加密的 HTTP/2
访问上面配置的 Route:
@@ -67,6 +68,31 @@ grpcurl -insecure -import-path /pathtoprotos -proto helloworld.proto \
这表示已成功代理。
+### 测试纯文本的 HTTP/2
+
+默认情况下,APISIX只在 `9443` 端口支持 TLS 加密的 HTTP/2。你也可以支持纯本文的 HTTP/2,只需要修改 `conf/config.yaml` 文件中的 `node_listen` 配置即可。
+
+```yaml
+apisix:
+ node_listen:
+ - port: 9080
+ enable_http2: false
+ - port: 9081
+ enable_http2: true
+```
+
+访问上面配置的 Route:
+
+```shell
+grpcurl -plaintext -import-path /pathtoprotos -proto helloworld.proto \
+ -d '{"name":"apisix"}' 127.0.0.1:9081 helloworld.Greeter.SayHello
+{
+ "message": "Hello apisix"
+}
+```
+
+这表示已成功代理。
+
### gRPCS
如果你的 gRPC 服务使用了自己的 TLS 加密,即所谓的 `gPRCS` (gRPC + TLS),那么需要修改 scheme 为 `grpcs`。继续上面的例子,50052 端口上跑的是 gPRCS 的服务,这时候应该这么配置:
diff --git a/t/core/config-default.t b/t/core/config-default.t
index a03a363..b634e44 100644
--- a/t/core/config-default.t
+++ b/t/core/config-default.t
@@ -91,3 +91,53 @@ apisix:
GET /t
--- response_body
admin_key: null
+
+
+
+=== TEST 5: support listen multiple ports with array
+--- yaml_config
+apisix:
+ node_listen:
+ - 1985
+ - 1986
+--- config
+ location /t {
+ content_by_lua_block {
+ local encode_json = require("toolkit.json").encode
+ local config = require("apisix.core").config.local_conf()
+
+ ngx.say("node_listen: ", encode_json(config.apisix.node_listen))
+ }
+}
+--- request
+GET /t
+--- response_body
+node_listen: [1985,1986]
+--- no_error_log
+[error]
+
+
+
+=== TEST 6: support listen multiple ports with array table
+--- yaml_config
+apisix:
+ node_listen:
+ - port: 1985
+ enable_http2: true
+ - port: 1986
+ enable_http2: true
+--- config
+ location /t {
+ content_by_lua_block {
+ local encode_json = require("toolkit.json").encode
+ local config = require("apisix.core").config.local_conf()
+
+ ngx.say("node_listen: ", encode_json(config.apisix.node_listen))
+ }
+}
+--- request
+GET /t
+--- response_body
+node_listen: [{"enable_http2":true,"port":1985},{"enable_http2":true,"port":1986}]
+--- no_error_log
+[error]
diff --git a/t/grpc-proxy-test.sh b/t/grpc-proxy-test.sh
index 3c7e055..c6e294c 100755
--- a/t/grpc-proxy-test.sh
+++ b/t/grpc-proxy-test.sh
@@ -50,6 +50,10 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f1
}
}'
+# test grpc proxy with plaintext
+./build-cache/grpcurl -plaintext -import-path ./build-cache/proto -proto helloworld.proto -d '{"name":"apisix"}' 127.0.0.1:9081 helloworld.Greeter.SayHello | grep 'Hello apisix'
+
+# test grpc proxy with ssl
./build-cache/grpcurl -insecure -import-path ./build-cache/proto -proto helloworld.proto -d '{"name":"apisix"}' test.com:9443 helloworld.Greeter.SayHello | grep 'Hello apisix'
# the old way