How to use TLS & HTTP/2 with Envoy Proxy
I'm trying to use Envoy in front of my TypeScript React application so that I can use gRPC from the client to the server. This Envoy proxy sits inside a Docker container in a Kubernetes cluster.
My API gateway proxy is an NGINX proxy that does rate limiting, filtering, auth communication with my Auth service, etc. I need to enable TLS on the NGINX gateway and on the gRPC server it proxies to.
The error log looks like this:
[api-frontend-proxy] [2021-01-06 17:53:41.897][15][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:215] [C0] TLS error: 268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER
My envoy.yaml looks like this:
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 9090
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          codec_type: auto
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains:
              - "*"
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: api-gateway-proxy
              cors:
                allow_origin_string_match:
                - prefix: "*"
                allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout
                expose_headers: grpc-status,grpc-message
          http_filters:
          - name: envoy.router
            typed_config: {}
      # Downstream TLS: Envoy terminates TLS for the browser clients on port 9090.
      tls_context:
        common_tls_context:
          tls_certificates:
          - certificate_chain:
              filename: "./etc/ssl/server.crt"
            private_key:
              filename: "./etc/ssl/server.key"
          # validation_context:
          #   trusted_ca:
          #     filename: "/etc/ca-crt.pem"
        require_client_certificate: false
  clusters:
  - name: api-gateway-proxy
    connect_timeout: 0.25s
    type: strict_dns
    lb_policy: round_robin
    http2_protocol_options: {}
    # No transport_socket on this cluster, so Envoy opens plain TCP to port 1449.
    load_assignment:
      cluster_name: api-gateway-proxy
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: api-gateway-proxy
                port_value: 1449
Also, in case it helps, here is my NGINX config:
worker_processes auto;
events {}
http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent"';
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }
    server {
        listen 1449 ssl http2;
        ssl_certificate ./ssl/server.crt;
        ssl_certificate_key ./ssl/server.key;
        location /com.webapp.grpc-service {
            grpc_pass grpcs://api-grpc-service:9090;
            proxy_buffer_size 512k;
            proxy_buffers 4 256k;
            proxy_busy_buffers_size 512k;
            grpc_set_header Upgrade $http_upgrade;
            grpc_set_header Connection "Upgrade";
            grpc_set_header Connection keep-alive;
            grpc_set_header Host $host:$server_port;
            grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            grpc_set_header X-Forwarded-Proto $scheme;
        }
    }
}
Thanks in advance, everyone. Any input, help or solutions would be greatly appreciated!
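The number in the log line above, 268435703, is a packed BoringSSL error code (Envoy links BoringSSL, which is why the function slot reads OPENSSL_internal): the library number sits in the top byte and the reason code in the low 12 bits. WRONG_VERSION_NUMBER is raised when a TLS socket reads a first record whose version bytes do not begin with 0x03, which is what happens when plaintext reaches a TLS endpoint, whether an HTTP/1.x request or the HTTP/2 connection preface. The following is an added diagnostic, not code from the question, the answer or Envoy; it decodes the code and classifies the first bytes of a connection. The reason-name table holds only the single entry the log line itself establishes (247 is WRONG_VERSION_NUMBER), and the sample byte strings are constructed.

```python
"""Decode an Envoy (BoringSSL) TLS error code and classify the bytes that triggered it.

Added example for the log line in the question; not code from Envoy, the asker or the
answerer. Packing follows BoringSSL's ERR_PACK: library in the top byte, reason in the
low 12 bits.
"""
from __future__ import annotations

# ERR_LIB_SSL is 16 in BoringSSL (and OpenSSL); it prints as "SSL routines".
ERR_LIBS = {16: "SSL"}
# Only the reason the page's own log line establishes: 268435703 -> WRONG_VERSION_NUMBER.
SSL_REASONS = {247: "WRONG_VERSION_NUMBER"}

# First bytes each protocol puts on the wire.
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # RFC 7540 client connection preface
HTTP1_STARTS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ",
                b"PATCH ", b"CONNECT ", b"HTTP/")  # request methods, or a response line
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}


def decode_boringssl_error(code: int) -> dict:
    """Unpack ERR_PACK(lib, reason) into its library and reason numbers and names."""
    lib = (code >> 24) & 0xFF
    reason = code & 0xFFF
    reason_name = SSL_REASONS.get(reason) if lib == 16 else None
    return {
        "lib": lib,
        "lib_name": ERR_LIBS.get(lib, f"lib_{lib}"),
        "reason": reason,
        "reason_name": reason_name or f"reason_{reason}",
    }


def looks_like_tls_record(buf: bytes) -> bool:
    """True when the bytes start a TLS record: a known content type and version major 0x03.
    A first record whose second byte is not 0x03 is what produces WRONG_VERSION_NUMBER."""
    return len(buf) >= 3 and buf[0] in TLS_CONTENT_TYPES and buf[1] == 0x03


def classify_first_bytes(buf: bytes) -> str:
    """Name the protocol the first bytes of a connection belong to."""
    if len(buf) < 3:
        return "short"
    if looks_like_tls_record(buf):
        return f"tls/{TLS_CONTENT_TYPES[buf[0]]}"
    n = min(len(buf), len(H2_PREFACE))
    if buf[:n] == H2_PREFACE[:n]:
        # Plaintext HTTP/2: what a cluster with http2_protocol_options but no TLS
        # transport_socket sends to its upstream.
        return "h2c-preface"
    if buf.startswith(HTTP1_STARTS):
        return "http/1.x-plaintext"
    return "unknown"


def explain(code: int, first_bytes: bytes) -> str:
    """Combine both views into the one sentence an operator wants to read."""
    err = decode_boringssl_error(code)
    kind = classify_first_bytes(first_bytes)
    if err["reason_name"] == "WRONG_VERSION_NUMBER" and not kind.startswith("tls/"):
        return (f"{err['lib_name']}:{err['reason_name']}: TLS socket received {kind} "
                f"bytes; one side speaks TLS and the other plaintext")
    return f"{err['lib_name']}:{err['reason_name']} with {kind} bytes"


if __name__ == "__main__":
    # Constructed inputs: the code from the question's log line, and the bytes a plaintext
    # HTTP/2 client puts on the wire (preface followed by a SETTINGS frame header).
    print(decode_boringssl_error(268435703))
    print(explain(268435703, H2_PREFACE + b"\x00\x00\x12\x04\x00\x00\x00\x00\x00"))
```

To use this against a live problem, capture the first bytes of the failing connection (for example with tcpdump on the port the TLS socket listens on) and feed them to classify_first_bytes; if the result is not tls/handshake, the fix is on whichever side is configured for the wrong protocol, not in the certificates.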
You need to add a transport_socket section under the upstream cluster:
clusters:
- name: api-gateway-proxy
  connect_timeout: 0.25s
  type: strict_dns
  lb_policy: round_robin
  http2_protocol_options: {}
  load_assignment:
    cluster_name: api-gateway-proxy
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: api-gateway-proxy
              port_value: 1449
  # transport_socket is a cluster-level field, a sibling of load_assignment.
  transport_socket:
    name: envoy.transport_sockets.tls
    typed_config:
      # An empty UpstreamTlsContext enables TLS but carries no validation_context,
      # so the upstream certificate is not verified.
      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
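The snippet above makes Envoy speak TLS toward port 1449, but an empty UpstreamTlsContext has no validation_context, so Envoy encrypts without checking who is on the other end: any certificate presented on that port is accepted, including one from a host that has taken over the api-gateway-proxy name. Below is an added example, not the asker's or the answerer's config, of the same listener and cluster in Envoy's v3 API (the question's HttpConnectionManager and tls_context types are the deprecated v2 forms) with the pieces a practitioner would want: a trusted CA and a SAN match for the upstream, SNI so NGINX can pick its certificate, ALPN h2 so NGINX negotiates HTTP/2 on the TLS connection rather than falling back to HTTP/1.1, and TLS 1.2 as a floor. The file paths, the CA file /etc/ssl/gateway-ca.crt and the SAN value api-gateway-proxy are assumptions; the route, CORS and grpc-web details from the question are left out to keep the example to the TLS and HTTP/2 parts. It targets a current Envoy release; on older v3 releases match_typed_subject_alt_names was spelled match_subject_alt_names.

```yaml
# Added example (not the asker's or answerer's config): Envoy v3 equivalent of the
# setup above with upstream certificate verification. Assumed files: /etc/ssl/server.crt
# and /etc/ssl/server.key (Envoy's own certificate) and /etc/ssl/gateway-ca.crt (the CA
# that signed the NGINX gateway's certificate).
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address: { address: 0.0.0.0, port_value: 9090 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          codec_type: AUTO
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: api-gateway-proxy }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
      # Downstream TLS: v3 replacement for the deprecated filter_chain-level tls_context.
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            alpn_protocols: ["h2", "http/1.1"]
            tls_params:
              tls_minimum_protocol_version: TLSv1_2
            tls_certificates:
            - certificate_chain: { filename: "/etc/ssl/server.crt" }
              private_key: { filename: "/etc/ssl/server.key" }
  clusters:
  - name: api-gateway-proxy
    connect_timeout: 0.25s
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    # v3 replacement for cluster-level http2_protocol_options: speak HTTP/2 to NGINX.
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http2_protocol_options: {}
    load_assignment:
      cluster_name: api-gateway-proxy
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: api-gateway-proxy, port_value: 1449 }
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        # Sent in the ClientHello so NGINX selects the matching server block and certificate.
        sni: api-gateway-proxy
        common_tls_context:
          # NGINX only negotiates HTTP/2 on a TLS listener through ALPN.
          alpn_protocols: ["h2"]
          tls_params:
            tls_minimum_protocol_version: TLSv1_2
          # Without validation_context Envoy would accept any certificate from port 1449.
          validation_context:
            trusted_ca: { filename: "/etc/ssl/gateway-ca.crt" }
            match_typed_subject_alt_names:
            - san_type: DNS
              matcher: { exact: "api-gateway-proxy" }
```

The SAN match is the part that turns "encrypted" into "authenticated": trusted_ca alone accepts any certificate the CA has issued, while the DNS match pins the connection to the gateway's own name. If the gateway's certificate does not carry api-gateway-proxy as a DNS SAN, the handshake fails on the Envoy side with a certificate verification error rather than silently connecting.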