
Terminate grpc traffic with nginx

This recent blogpost says that nginx is able to terminate http/2 and grpc traffic.

From all the illustrations and the text, it does not look like it can terminate grpc traffic at all, just proxy, forward and route the traffic.

Reason is, I want to offer simple services through nginx with PHP. I know PHP itself has the ability to implement http/2 and grpc but this is kinda "manual", there is nothing ready to use out of the box. If we can use nginx for the termination, it would probably work easily.

Another thing I don't understand from the same blogpost:

> Note: NGINX does not support HTTP/1 and HTTP/2 at the same time on a cleartext (non-TLS) port. It needs prior knowledge as to which version of the protocol will be used. If you want to handle both protocol versions over cleartext, create a listen port for each.

When both are cleartext, the protocol to be used actually is known up front (because it's cleartext) and we could listen for both on the same port. Two different ports only make sense to me, when either of the protocols is not cleartext.

Can someone clear these two points for me?

To me it means "terminate" in the sense of being able to act as the end point for the user from outside the system. In the same way as you often "terminate" HTTPS at the edge point (eg Nginx) but then pass on unencrypted HTTP traffic to a downstream server.

So you still need a separate server which understands how to handle gRPC and this needs to be available on a port for nginx to communicate with it using grpc_pass.

From the PHP examples at the gRPC website it seems to only use PHP as a client side gRPC application rather than the server side:

> Note that currently you can only create clients in PHP for gRPC services - you can find out how to create gRPC servers in our other tutorials, eg Node.js.

So you need a server side gRPC server (eg Node.js) to answer your gRPC calls - and that cannot just be nginx, though nginx can be used to route the gRPC calls to that gRPC server. There are various reasons to have a webserver like nginx in front of a backend application server including: SSL/TLS offloading, static content handling, load balancing...etc.

> When both are cleartext, the protocol to be used actually is known up front (because it's cleartext) and we could listen for both on the same port.

That is not as easy as you think. Parsing messages to see if they are one protocol or another is actually quite complex - especially given that HTTP/1 is textual, HTTP/2 is binary and gRPC only uses HTTP/2 as the transport layer and doesn't even use HTTP semantics underneath this.

Typically there are three ways for a HTTP server to know if it's HTTP/2 or not:

  1. Use plaintext HTTP initially and then upgrade it to HTTP/2.
  2. Use encrypted HTTPS where it is negotiated using ALPN (or the older NPN) as part of the TLS setup before the first HTTP message is sent.
  3. Use plaintext HTTP but assume it's a HTTP/2 connection (due to some previous prior knowledge about the service on that port) and so just start talking HTTP/2.

It looks like Nginx does not allow the first upgrade method of converting a plaintext HTTP/1.1 connection to HTTP/2. This means for plain text HTTP it only allows the connection to be immediately used as HTTP/2 ("prior knowledge"). There is a request to allow HTTP/1 and HTTP/2 to be used on the same port for different connections but to be honest I can understand why that has not been completed yet as I would consider that low priority, given that the main use case for HTTP/2 at the moment is for browsers (which are HTTPS only) or for services like gRPC which probably should know whether they are HTTP/2 or not.

Also, as mentioned above, gRPC is not really about HTTP at all - it just uses the binary framing layer of HTTP/2 to send gRPC messages across a flow-controlled, multiplexed connection. This is similar to how Websockets use the HTTP TCP connection to send messages which are not HTTP (though web sockets typically use HTTP semantics to negotiate the web socket connection).

So, as I say, it actually makes sense to me not to complicate the matter and try to guess the protocol when not using HTTPS - it should be known in most cases.
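
Added example (not part of the original question or answer, and not taken from the blog post): an nginx configuration sketch of the layout the answer describes, with TLS and HTTP/2 terminated at nginx, gRPC calls forwarded with grpc_pass to a separate gRPC server, and one cleartext listen port per protocol version. The host name, ports, certificate paths and the backend address are assumptions chosen for illustration.

```nginx
# Added example: every name, port and path below is an assumption.
events {}

http {
    # Assumed gRPC application server (e.g. Node.js), cleartext HTTP/2,
    # bound to loopback so the unencrypted hop never leaves the host.
    upstream grpc_backend {
        server 127.0.0.1:50051;
    }

    # TLS listener: HTTP/2 is negotiated through ALPN during the handshake.
    # nginx is the TLS end point; the gRPC calls are still answered by the
    # backend, nginx only routes them there.
    # ("listen ... http2" is the form used when the post was written; newer
    # nginx releases deprecate it in favour of a separate "http2 on;".)
    server {
        listen 443 ssl http2;
        server_name grpc.example.test;                   # placeholder
        ssl_certificate     /etc/nginx/tls/example.crt;  # placeholder
        ssl_certificate_key /etc/nginx/tls/example.key;  # placeholder
        ssl_protocols TLSv1.2 TLSv1.3;

        location / {
            grpc_pass grpc://grpc_backend;
        }
    }

    # Cleartext HTTP/2 ("prior knowledge"): clients start speaking HTTP/2
    # immediately, so this port cannot also serve HTTP/1.x.
    # Kept on loopback because nothing on this hop is encrypted.
    server {
        listen 127.0.0.1:8081 http2;

        location / {
            grpc_pass grpc://grpc_backend;
        }
    }

    # Cleartext HTTP/1.x on its own port.
    server {
        listen 127.0.0.1:8080;

        location / {
            return 200 "http/1.x listener\n";
        }
    }
}
```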
