GRPC, HTTP 2 does not work #643
Comments
Hi, this is a protocol limitation - you need to configure alpn in order to allow server and client to agree about the http version they want to speak, there is no way to do that in plain http without breaking http1 clients. Because of that you need https to properly configure h2 in the client side. You can however do the following trick if you don't have http1 clients: use
The same problem above - you ask haproxy to speak h2 in plain http, no handshake, no alpn involved, maybe this would work if you either:
Thanks for the clarification.
Does it mean that we cannot terminate the TLS at the Ingress Controller, but each backend service should handle TLS?
We want ssl to be terminated at the ingress controller. If we use https at the nginx side then we need to configure certificates in nginx (and a lot of other services). So I added http2 to the nginx listen at port 80 without configuring certificates at the nginx layer.
In HA Proxy Ingress controller I added a certificate and keep this configuration - backend as http2 (h2)
Now I am able to connect to nginx with HTTP and HTTPS
So the flow is like this
However, with the GRPC Server this is not working
Error in client on connection
No, you can terminate and reencrypt the connection.
Yup, this is a side effect of having both h1 and h2 working in the backend side. You can however use distinct paths or distinct domains to h1 and h2 services and leave this crt/key stuff only in the ingress side.
Double check if you are in fact connecting in the https/tls port, defaults to
I changed to :443 and I am now getting a connection thanks for the support
Output
I could make nginx speak h2 and it worked. Would this work if we use HTTPS in the ingress controller with TLS terminated at the ingress controller, and nginx only speaks HTTP1.1?
The only way to mix h1 and h2 connections in the same configuration is using tls and alpn. If you use plain http you need to choose one or another, and both client and server need to choose the same protocol version. Frontend and backend configurations are also unrelated, so what you configure in the frontend does not reflect in what the backend will do and vice versa.
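Added example, not part of the thread or of the haproxy-ingress project: the comment above, shown in Python as the first bytes a peer sees on a connection. Only a TLS handshake leaves room for ALPN to pick a version per connection; on plain HTTP the sender's configured protocol is already on the wire. The function names, protocol labels and sample bytes are assumptions made for this example.

```python
import re

# Client connection preface from RFC 9113 section 3.4: the first 24 bytes an
# HTTP/2 sender writes, on cleartext exactly as it would after a TLS handshake.
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
HTTP1_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")


def classify(first_bytes: bytes) -> str:
    """Name the protocol a peer is speaking from the first bytes it sends."""
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    # Only on this path can ALPN pick h2 or http/1.1 per connection.
    if first_bytes[:2] == b"\x16\x03":
        return "tls"
    if first_bytes.startswith(H2_PREFACE):
        return "h2-cleartext"  # prior knowledge: nothing was negotiated
    if HTTP1_REQUEST_LINE.match(first_bytes):
        return "http/1.x"
    return "unknown"


def cleartext_listener_accepts(listener_proto: str, first_bytes: bytes) -> bool:
    """Model a plain-HTTP listener configured for exactly one protocol.

    listener_proto is "h2" or "http/1.1" (labels invented for this example).
    Without TLS there is no ALPN, so the listener only understands a sender
    that was configured for the same protocol.
    """
    wanted = {"h2": "h2-cleartext", "http/1.1": "http/1.x"}[listener_proto]
    return classify(first_bytes) == wanted


# Constructed sample inputs, not captured traffic.
SAMPLES = {
    # Preface followed by an empty SETTINGS frame (length 0, type 4, stream 0).
    "proxy backend set to h2": H2_PREFACE + b"\x00\x00\x00\x04\x00\x00\x00\x00\x00",
    "proxy backend set to h1": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "TLS ClientHello start": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03",
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label:24} -> {classify(data):13}"
              f" h2 listener: {cleartext_listener_accepts('h2', data)!s:5}"
              f" http/1.1 listener: {cleartext_listener_accepts('http/1.1', data)}")
```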
I used the below configuration (with tls and alpn) and tested with two nginx services, one configured to serve HTTP2 and the other default - HTTP1.1. So is it that currently it is impossible for haproxy to handle both HTTP1.1 and HTTP2 in the backend?
Note I also tried putting h2-ssl. But only HTTP1.1 servers worked in this case. When is this option used? More detailed output here - https://github.com/alexcpn/alexcpn.github.io/blob/master/html/other/haproxy-grpc.md
Note that
What I tried
Environment
Kubernetes cluster v1.7
Let's use Kube proxy and test if all is fine from Server and Client side
All good
However, the client does not work.
That seems fine; as from https://www.haproxy.com/blog/haproxy-1-9-2-adds-grpc-support/
and from https://haproxy-ingress.github.io/docs/configuration/keys/#backend-protocol we need to add the backend-protocol part
Did that
kubectl -n ingress-controller edit configmap haproxy-ingress
However GRPC client does not connect
Expected - GRPC client should connect
What am I configuring wrong, or is it a bug?
Secondary
Also, nginx is not working with backend as h2.
There is no option to set both as h2,h1 as from the controller logs this is set as an invalid option.
So is it that if we set backend as h2 , HTTP 1.1 servers won't work?
Note that I am using no certificates in the test, all HTTP and insecure connections. (nginx controller had this restriction of TLS needed for GRPC, but for HAProxy this is not mentioned anywhere as a restriction.)
Some more details