Java http/2 proxy to backend gRPC services
2,577 views
Skip to first unread message
Matt Mitchell
Aug 17, 2017, 2:39:19 PM8/17/17
to grpc.io
Hi,
We've been developing gRPC services for our backend. We would like to prevent direct access to these services when in production, by having all clients go through a proxy. We have a custom proxy setup now (based on Jetty) that handles http/1 traffic - it also applies authentication and handles sessions. What we'd like to do, is find a way to do the same thing for our gRPC services.
My initial thought was to somehow develop a simple pass-thru ("dumb") handler for the http/2 (grpc) requests to the backend services. So requests coming into the proxy would be routed to the backend services without any inspection/manipulation of the data. But I'm unsure of how we'd do this really. Is this approach possible?
Another idea was to just import grpc into the proxy, startup a grpc server and use the generated client libs to handle the proxying. But I wouldn't want to do this if it required that we have to manually wire up each request to the specific client class etc.. Is there a way to do this dynamically?
And lastly, we would like to reuse some of the auth handling we have in our http/1 proxy - mainly, JWTs. Are there examples out there of using JWT w/gRPC?
Cheers,
- Matt
Kun Zhang
Aug 17, 2017, 4:58:20 PM8/17/17
to grpc.io
nghttpx is capable of http/2 reverse proxy. It sounds like what you need.
matt.m...@lucidworks.com
Aug 18, 2017, 8:10:31 AM8/18/17
to grpc.io
Hi Kun. That's interesting thanks! Will definitely have a deeper look, but at first glance it looks like a c based lib, and we're looking to have our own Java based proxy adapted to do this, but also implement some of our existing Java features related to JWTs.
Cheers,
- Matt
matt.m...@lucidworks.com
Aug 18, 2017, 8:11:27 AM8/18/17
to grpc.io, matt.m...@lucidworks.com
Having said that though, have you used nghttpx with gRPC before?
Eric Anderson
Aug 18, 2017, 6:10:40 PM8/18/17
to matt.m...@lucidworks.com, grpc.io
On Fri, Aug 18, 2017 at 5:11 AM, <matt.m...@lucidworks.com> wrote:
Having said that though, have you used nghttpx with gRPC before?
nghttpx is the go-to proxy with gRPC. Envoy and Istio are both built on top of it (or at least nghttp2; it's basically the same thing).
Hi Kun. That's interesting thanks! Will definitely have a deeper look, but at first glance it looks like a c based lib, and we're looking to have our own Java based proxy adapted to do this, but also implement some of our existing Java features related to JWTs.
HTTP/2 APIs in Java are still pretty complicated.
If you're wanting Java, then you'd probably want to use grpc-java for the proxying. It's not super simple, but should be easy to maintain. You'd implement your own HandlerRegistry that creates a new ServerMethodDefinition each RPC. You'd want to make a simple Marsheller<byte[]> for the marshaller. And you'd use Channel directly for making RPCs. The ClientCall and ServerCall APIs are pretty symmetric. The only problem is you'll need to remove a few Metadata entries, otherwise you'll see an error (I don't have a list of these; I'd just look at the error and remove it).
I know of someone else who has done this, and they were quite happy with the results. But it did take a little time to come up-to-speed with grpc enough to see how it plugs all together.
matt.m...@lucidworks.com
Aug 22, 2017, 11:35:20 AM8/22/17
to grpc.io, matt.m...@lucidworks.com
Thanks for that info Eric. Do you know of any examples that use the grpc HandlerRegistry / Channel for doing something similar?
- Matt
stuart.w...@gmail.com
Aug 28, 2017, 9:04:30 PM8/28/17
to grpc.io, matt.m...@lucidworks.com
If you are after a Java based proxy Undertow provides a reverse proxy with full HTTP/2 support (and no need to mess around with the boot classpath to get ALPN support).
A simple example is at https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/http2/Http2Server.java
Stuart
Eric Anderson
Aug 31, 2017, 11:13:34 AM8/31/17
to Matt Mitchell, grpc.io
On Tue, Aug 22, 2017 at 8:35 AM, <matt.m...@lucidworks.com> wrote:
Thanks for that info Eric. Do you know of any examples that use the grpc HandlerRegistry / Channel for doing something similar?
I created a branch with an example: https://github.com/ejona86/grpc-java/tree/grpc-proxy . Instructions are in the commit message. The proxy lives in examples/src/main/io/grpc/examples/grpcproxy/ .
It is fairly "complete" in that it handles flow control and arbitrary services. Note that the core proxy doesn't care about request/response type; it's only the registry that cares (and it chooses byte[] to handle anything). You may get into small problems with Metadata passing where some metadata keys need to be cleared out before propagating. It should be easy to workaround, but file a bug if you notice any.
matt.m...@lucidworks.com
Aug 31, 2017, 12:35:49 PM8/31/17
to grpc.io, matt.m...@lucidworks.com, stuart.w...@gmail.com
Thanks Stuart, will definitely have a look at that!
- Matt
matt.m...@lucidworks.com
Aug 31, 2017, 12:36:42 PM8/31/17
to grpc.io, matt.m...@lucidworks.com
Awesome, much appreciated Eric! I'll give this a try.
- Matt
Matt Mitchell
Sep 25, 2017, 9:32:50 PM9/25/17
to grpc.io
Hi Eric, tried out the GrpcProxy today, and it's working great! Will continue to test and move forward on this.
Seems like this would make a nice addition to the grpc-java project.
Cheers,
- Matt
Reply all
Reply to author
Forward
0 new messages