Shulou(Shulou.com)06/02 Report--

Nginx 1.13.10 added native support for gRPC. This article describes how to configure gRPC for Nginx.

Install Nginx

Nginx version requirements: 1.13.10.

GRPC must use HTTP/2 to transmit data, support plaintext and TLS encrypted data, and support the interaction of streaming data. This is to take full advantage of the multiplexing and streaming characteristics of HTTP/2 connections. So you need to install http/2 when you install and deploy nginx. When installing with source code, you need to add http_ssl and http_v2 modules when compiling:

$auto/configure-with-http_ssl_module-with-http_v2_module

Nginx publishes gRPC services in clear text.

Nginx is the use of a http server to listen for gRPC requests.

Example:

Http {server {listen 80 http2; access_log logs/access.log main; location / {# The 'grpc://' prefix is optional; unencrypted gRPC is the default grpc_pass grpc://localhost:50051;}

The directive grpc_pass is used to specify the gRPC server address of the agent. There are two prefix protocols:

Grpc://: interacts with gRPC server in clear text, grpcs://: interacts with gRPC server in TLS encryption.

The prefix "grpc://" of the gRPC server address is negligible, and the default is plaintext interaction.

In this example, nginx publishes gRPC in clear text on port 80, and the gRPC of the agent also interacts with each other in clear text on the backend.

Note: Nginx does not support both http1 and http2 on plaintext ports. If you want to support these two http protocols, you need to set them to different ports.

Nginx exposes gRPC services in TLS encryption

The recommended use of Nginx in the build environment is to publish the gRPC in an encrypted manner. This scenario requires the addition of an encryption layer to the Nginx.

Self-signed certificates can be used in the development / test environment, and you can refer to this concise tutorial for self-signed certificates.

Example configuration:

Server {listen 1443 ssl http2; ssl_certificate ssl/cert.pem; ssl_certificate_key ssl/key.pem; location / {grpc_pass grpc://localhost:50051;}}

In the example, the external ssl is added to the gRPC service in the nginx layer, while the internal proxy to the gRPC server is still interactive in clear text.

GRPC clients also require TLS encryption. If you are using an untrusted certificate such as a self-signed certificate, the client needs to disable certificate checking. When deploying to a production environment, you need to replace the self-signed certificate with a certificate issued by a trusted certificate authority, and the client needs to be configured to trust the certificate.

Proxy encrypted gRPC

If the gRPC of the Nginx internal agent also needs to interact in an encrypted manner, the plaintext proxy protocol grpc:// needs to be replaced with grpcs://. The first step is that the gRPC server publishes the service in an encrypted manner.

The nginx layer is modified as follows:

Grpc_pass grpcs://localhost:50051

Nginx routes gRPC requests

If the back end has multiple gRPC servers, each server provides a different gRPC service. In this case, a nginx can be used to receive client requests and then route to the specified gRPC server according to different paths. Use location to distinguish:

Location / helloworld.Greeter {grpc_pass grpc://192.168.20.11:50051;} location / helloworld.Dispatcher {grpc_pass grpc://192.168.20.21:50052;} location / {root html; index index.html index.htm;}

Load balancing for gRPC requests

There are multiple gRPC servers in the backend, all of which are the same gRPC service. In this case, the upstream of nginx can be used to load balance the requests of gRPC.

Upstream grpcservers {server 192.168.20.21 error502grpc 50051; server 192.168.20.22 server 50052;} server {listen 1443 ssl http2; ssl_certificate ssl/certificate.pem; ssl_certificate_key ssl/key.pem; location / helloworld.Greeter {grpc_pass grpc://grpcservers; error_page 502 = / error502grpc;} location = / error502grpc {internal; default_type application/grpc; add_header grpc-status 14; add_header grpc-message "unavailable"; return 204;}}

Where upstream specifies the server group that defines the Unified gRPC service. The gRPC server address specified by grpc_pass uses the server group defined by upstream.

The above is the whole content of this article, I hope it will be helpful to your study, and I also hope that you will support it.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.