I am trying to use envoy in front of my Typescript React App for using gRPC from client to server. This envoy proxy sits inside a Docker container within a Kubernetes Cluster.
My API Gateway Proxy is an NGINX proxy that does rate-limiting, filters, authentication communication with my Auth Service, and so on. I needed to enable TLS on both the NGINX Gateway, and the gRPC Server it's proxying for.
Here is what the error log looks like:
[api-frontend-proxy] [2021-01-06 17:53:41.897][15][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:215] [C0] TLS error: 268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER
My envoy.yaml looks like the following:
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 9090
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          codec_type: auto
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains:
              - "*"
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: api-gateway-proxy
              cors:
                allow_origin_string_match:
                - prefix: "*"
                allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout
                expose_headers: grpc-status,grpc-message
          http_filters:
          - name: envoy.router
            typed_config: {}
      tls_context:
        common_tls_context:
          tls_certificates:
          - certificate_chain:
              filename: "./etc/ssl/server.crt"
            private_key:
              filename: "./etc/ssl/server.key"
          # validation_context:
          #   trusted_ca:
          #     filename: "/etc/ca-crt.pem"
        require_client_certificate: false
  clusters:
  - name: api-gateway-proxy
    connect_timeout: 0.25s
    type: strict_dns
    lb_policy: round_robin
    http2_protocol_options: {}
    load_assignment:
      cluster_name: api-gateway-proxy
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: api-gateway-proxy
                port_value: 1449
And also, if this helps, my NGINX config is here too:
worker_processes auto;
events {}
http {
  log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent"';
  map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
  }
  server {
    listen 1449 ssl http2;
    ssl_certificate ./ssl/server.crt;
    ssl_certificate_key ./ssl/server.key;
    location /com.webapp.grpc-service {
      grpc_pass grpcs://api-grpc-service:9090;
      proxy_buffer_size 512k;
      proxy_buffers 4 256k;
      proxy_busy_buffers_size 512k;
      grpc_set_header Upgrade $http_upgrade;
      grpc_set_header Connection "Upgrade";
      grpc_set_header Connection keep-alive;
      grpc_set_header Host $host:$server_port;
      grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      grpc_set_header X-Forwarded-Proto $scheme;
    }
  }
}
Thanks to everyone in advance, and I'd really appreciate any comments, help or solutions!
You need to add a transport_socket section under the upstream cluster, as:
  clusters:
  - name: api-gateway-proxy
    connect_timeout: 0.25s
    type: strict_dns
    lb_policy: round_robin
    http2_protocol_options: {}
    load_assignment:
      cluster_name: api-gateway-proxy
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: api-gateway-proxy
                port_value: 1449
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext