dongzhong8691 2018-11-30 08:30
Views: 368
Accepted

TLS for a Golang gRPC service running behind Nginx

I have a flutter app (dart based) and a GoLang server, using GRPC.

I wanted to secure it, so I tried setting up Nginx with certbot (I'm new at this), but the bot requires a challenge where it connects to the web service (for the domain) for an HTTP response, which my service doesn't give. It is possible to run both gRPC and an HTTP server on the same port, but I couldn't understand how to set up Nginx for that.

Then I tried setting up TLS for my service itself using autocert, but doing that with ACME requires the same web service response, and without that I have to give manual certificates and skip insecure verify, which isn't available in Dart for now (only two options are available: secure and insecure). And testing autocert locally doesn't help either, as it doesn't even create local certs (at least for me).

I also read about a DNS challenge which requires a DNS TXT record, but I'm not sure if it'll ask me to put up a new TXT record on every renewal.

Anyway, I'm mostly confused as to how to move forward with this. I connect with gRPC to actual mobile apps and haven't found many tutorials or questions regarding this anywhere. My GoLang server also interacts with other internal micro-services, so making it TLS supported would also mean redeploying all other services with the secure flag enabled.

Any help regarding what I should do to secure my GRPC connection to apps, would be amazing!

Relevant docs:

Apologies if this is a stupid question, but I've been stuck on this for a week.
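The "gRPC and plain HTTP on the same port" setup the question refers to, written out as an added Go example (stdlib only; not code from the question, the answer, or grpc-go). It multiplexes on the property every gRPC request has, HTTP/2 plus a `Content-Type` starting with `application/grpc`, and hands everything else to an ordinary mux that also serves the HTTP-01 challenge path. The `cert.pem`/`key.pem` paths, the `ChallengeStore` type and the `/healthz` route are assumptions made here; in a real deployment the placeholder `grpcHandler` is the `*grpc.Server`, which satisfies `http.Handler`.

```go
package main

import (
	"io"
	"log"
	"net/http"
	"strings"
	"sync"
)

// acmeChallengePath is the URL prefix an HTTP-01 validator (e.g. Let's Encrypt)
// fetches: http://<domain>/.well-known/acme-challenge/<token>
const acmeChallengePath = "/.well-known/acme-challenge/"

// ChallengeStore maps an ACME token to its key authorization. The ACME client
// registers a pair before asking the CA to validate and removes it afterwards;
// only registered tokens are ever served. (Hypothetical helper for this example.)
type ChallengeStore struct {
	mu     sync.RWMutex
	tokens map[string]string
}

func NewChallengeStore() *ChallengeStore {
	return &ChallengeStore{tokens: make(map[string]string)}
}

func (s *ChallengeStore) Put(token, keyAuth string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.tokens[token] = keyAuth
}

func (s *ChallengeStore) Delete(token string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.tokens, token)
}

// ServeHTTP answers GET /.well-known/acme-challenge/<token> with the key
// authorization and returns 404 for everything else. ACME tokens are base64url,
// so a token containing '/' or '.' is rejected before the map lookup.
func (s *ChallengeStore) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	token := strings.TrimPrefix(r.URL.Path, acmeChallengePath)
	if r.Method != http.MethodGet || token == "" || strings.ContainsAny(token, "/.") {
		http.NotFound(w, r)
		return
	}
	s.mu.RLock()
	keyAuth, ok := s.tokens[token]
	s.mu.RUnlock()
	if !ok {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Content-Type", "text/plain")
	io.WriteString(w, keyAuth)
}

// IsGRPCRequest reports whether r is a gRPC call: gRPC runs over HTTP/2 and
// always sends Content-Type application/grpc (possibly with a +proto/+json suffix).
func IsGRPCRequest(r *http.Request) bool {
	return r.ProtoMajor == 2 &&
		strings.HasPrefix(r.Header.Get("Content-Type"), "application/grpc")
}

// SplitHandler routes gRPC requests to grpcHandler and everything else
// (ACME challenge, health checks, REST) to httpHandler on the same port.
func SplitHandler(grpcHandler, httpHandler http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if IsGRPCRequest(r) {
			grpcHandler.ServeHTTP(w, r)
			return
		}
		httpHandler.ServeHTTP(w, r)
	})
}

func main() {
	store := NewChallengeStore()
	mux := http.NewServeMux()
	mux.Handle(acmeChallengePath, store)
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "ok")
	})

	// Placeholder for the real gRPC server: grpc-go's *grpc.Server implements
	// http.Handler, so it can be passed here directly (assumption: grpc-go is used).
	grpcHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Error(w, "gRPC handler placeholder", http.StatusNotImplemented)
	})

	// cert.pem / key.pem are placeholder paths. ListenAndServeTLS negotiates
	// HTTP/2 via ALPN, which is what gRPC clients require over TLS.
	srv := &http.Server{Addr: ":8443", Handler: SplitHandler(grpcHandler, mux)}
	log.Fatal(srv.ListenAndServeTLS("cert.pem", "key.pem"))
}
```

Because the split is done on the request rather than the port, the CA's challenge probe and the mobile app's gRPC calls can share one listener, and an HTTP/1.1 request carrying a gRPC content type still falls through to the plain mux. If the process instead sits behind a TLS-terminating proxy that talks plaintext HTTP/2 to it (the `h2c://` backend in the accepted answer), `ListenAndServeTLS` is replaced by a plain listener bound to loopback, and the handler needs an h2c wrapper such as `golang.org/x/net/http2/h2c`, since the standard server only speaks HTTP/2 over TLS.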


1 answer

  • doudou3213 2019-05-06 09:41

    Just posting what I ended up doing for my setup. Nginx does support gRPC with version 1.3.10+, but it requires a lot of manual work and a cron job to auto-renew certificates, and it lacked documentation for a how-to.

    I ended up using Traefik instead. I've documented the whole process and why I chose Traefik in a blog post here.

    In short, Traefik allowed for a simpler setup and has very detailed gRPC documentation to get started. Another plus was that it runs inside Docker itself, so I could easily test on my Mac with the same version I'd deploy on the servers. It provided auto cert renewal out of the box, and with a DNS challenge I could easily verify the domains.

    Sample TOML file for TLS termination at the reverse proxy end, for gRPC and normal REST services, supporting HTTP (for older apps) and HTTPS.

    defaultEntryPoints = ["http", "https"]
    logLevel = "INFO"
    [traefikLog]
    [accessLog]
      filePath = "/var/log/access.log"
      format = "json"
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]
    # [api] enables the Traefik v1 dashboard/API on the "traefik" entrypoint (default :8080)
    # with no authentication, so that port must not be reachable from outside
    [api]
    [file]
    [acme]
    email = "admin@example.com"
    # acme.json holds the account and certificate private keys; keep it mode 0600
    storage = "acme.json"
    entryPoint = "https"
    acmeLogging = true
      [acme.dnsChallenge]
        provider = "gcloud"
      [[acme.domains]]
        main = "*.example.com"
        sans = ["www.example.com"]
    [backends]
      [backends.foo]
        [backends.foo.servers.server1]
        # h2c = HTTP/2 without TLS: the gRPC backend is reached in plaintext after
        # termination, so it should only listen on loopback (as here)
        url = "h2c://127.0.0.1:3000"
      [backends.bar]
        [backends.bar.servers.server1]
        url = "http://127.0.0.1:3001"
    [frontends]
      [frontends.foo]
      backend = "foo"
      # frontend-level keys must precede the [frontends.foo.routes.*] sub-table;
      # in TOML, keys written after it belong to the route, not to the frontend
      passHostHeader = true
      passTLSCert = false
        [frontends.foo.routes.server1]
        rule = "Host:foo.example.com"
      [frontends.bar]
      backend = "bar"
      passHostHeader = true
      passTLSCert = false
        [frontends.bar.routes.server1]
        rule = "Host:bar.example.com"

    The only issue was figuring out the Google Cloud settings for the provider (dnsChallenge), which are quite hard to find and set up if you are doing it for the first time! Read more about configuring Traefik with gRPC here.

    This answer was selected by the asker as the best answer.
