Unable to Establish Insecure gRPC connection on the New AWS gRPC ELB

AWS ALB has new support for gRPC load balancing, as per this link.

All the explanation indicates using an SSL connection between the client and the server. Now, this might be required if the client is a browser, but in the case of an internal ALB and intra-service communication, I would not like to have a secure connection.

Is this possible? Has anyone got more info on how to load balance without SSL?

What I understand: pick your domain name, generate a certificate. Add an alias for this in Route 53 (same domain name) and use the certificates in the client and server for intra-service communication in the internal ELB.

Is this the only way possible? I also have to manage this certificate.

Bump? What configuration is required for the ALB to support TLS termination for gRPC requests? I'd prefer to avoid the encryption overhead behind the firewall/ALB.

BloomRPC produces this exception:

{ "error": "14 UNAVAILABLE: failed to connect to all addresses" }

gRPC is failing with this exception:

2020-12-29 03:03:33.345 INFO 3719 --- [-worker-ELG-6-1] ignNettyServerTransport.connections: Transport failed Dec 29 03:03:33 ip-172-31-22-196 web: io.netty.handler.codec.http2.Http2Exception: HTTP/2 client preface string missing or corrupt. Hex dump for received bytes: 16030100ac010000a80303496e418aff3efff4c9244b9ae2

Connection Error io.netty.handler.codec.http2.Http2Exception: HTTP/2 client preface string missing or corrupt. Hex dump for received bytes:

After trying a lot of things, these are my conclusions.

  1. You cannot make insecure gRPC requests to AWS ALB.
  2. You can make insecure gRPC requests from AWS ALB to Target Groups.

The steps required:

Server side: no SSL required. You can start the server on an insecure channel.

Client side: SSL is required. new ClientClass(<Route 53 endpoint which maps to AWS ALB Endpoint>, credentials.createSsl());

Make sure the certificate on the AWS ALB matches the Route 53 alias endpoint of the AWS ALB.

Conclusion: the client makes requests to the ALB via the certificate issued by the ALB to the client. The ALB makes insecure requests to the TG (forwarding to the server listening on an insecure channel). You can also make the ALB-to-TG requests secure; this would need server-side SSL changes.
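The Netty error quoted in the question can be read straight from its hex dump: 16 03 01 is a TLS record header (handshake type, TLS 1.0 record version) followed by a ClientHello (01), so the peer was starting a TLS handshake against a listener that expects the cleartext HTTP/2 preface. The script below is an added example, not code from the original thread; it classifies such first bytes and uses the dump from the question as its constructed sample.

```python
# Added example, not from the original thread: classify the first bytes a
# plaintext gRPC (h2c) listener receives, using the hex dump quoted above.

# Connection preface every cleartext HTTP/2 client sends first (RFC 7540, 3.5).
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
TLS_HANDSHAKE = 0x16     # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01  # handshake message type: ClientHello
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
                0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

# Hex dump from the Netty error in the question (constructed sample input).
QUESTION_HEX = "16030100ac010000a80303496e418aff3efff4c9244b9ae2"


def classify_preface(data: bytes) -> str:
    """Return 'h2c', 'tls-client-hello', 'http/1.x' or 'unknown'."""
    if data.startswith(H2_PREFACE):
        return "h2c"
    # Record header: type(1) version(2) length(2), then the handshake type(1).
    if len(data) >= 6 and data[0] == TLS_HANDSHAKE and data[5] == TLS_CLIENT_HELLO:
        return "tls-client-hello"
    if data[:4] in (b"GET ", b"POST", b"PUT ", b"HEAD", b"OPTI", b"DELE"):
        return "http/1.x"
    return "unknown"


def tls_versions(data: bytes):
    """(record-layer version, ClientHello version) for a ClientHello.
    Clients often keep TLS 1.0 in the record header for compatibility while
    the handshake body carries the version actually offered."""
    record = int.from_bytes(data[1:3], "big")
    hello = int.from_bytes(data[9:11], "big")
    return TLS_VERSIONS.get(record, hex(record)), TLS_VERSIONS.get(hello, hex(hello))


def diagnose(hex_dump: str) -> str:
    """Turn a 'client preface string missing or corrupt' hex dump into a
    one-line explanation of what the peer was actually speaking."""
    data = bytes.fromhex(hex_dump)
    kind = classify_preface(data)
    if kind == "tls-client-hello":
        record, hello = tls_versions(data)
        return (f"{kind}: peer opened a TLS handshake (record {record}, ClientHello "
                f"{hello}) against a plaintext listener; the listener must be given "
                "TLS credentials or the peer must use an insecure channel")
    if kind == "http/1.x":
        return f"{kind}: peer spoke HTTP/1 instead of HTTP/2; check the protocol version"
    if kind == "h2c":
        return f"{kind}: valid cleartext HTTP/2 preface"
    return f"{kind}: not a recognised preface"
```

Running diagnose(QUESTION_HEX) on the dump from the question reports a TLS 1.0 record carrying a TLS 1.2 ClientHello, which matches the answer's finding that the TLS side and the plaintext side were mismatched.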
