request help: how to proxy grpc to grpcs.

[houshunwei]

Issue description

I use Apisix as multi-cluster ingress as following picture shows. But I cannot go through ②，because apisix uses http to request upsterams by default。 Even I use proxy-rewrite plugins to force use https, it has the same error log in APISIX2 Cluster:

172.20.56.141 - - [13/Jul/2020:11:02:36 +0800] - "PRI * HTTP/2.0" - - 400 154 0.020 "-" "-" - - -

Client request has the following different flows:
cross cluster request: ① --> ② --> ④
same cluster request: ③ --> ④

What should I do? Can any one give me some hint？

I have some thoughts:
Thought One： do not use https when proxying grpc. but how to config?
Thought Two： trust cert of upsteram(it's APISIX2 here) but how?

Environment

• apisix version (cmd: apisix version): 1.4
• OS: docker， centos 7

[houshunwei]

I found this：proxy_ssl_verify off. I am testing it now.
---- I added it into location @grpc_pass of apisix bin file. but it does not work.

[houshunwei]

actually，it's because following in apisix bin file:

grpc_pass         grpc://apisix_backend;

@membphis , do you has any hint to change so i can support grpc:// and grpcs:// according to route setting?

[houshunwei]

I have resolved this problem:

First Try: extend proxy-rewrite(add grpc and grpcs scheme) and change apisix bin file:

location @grpc_pass {
            set $upstream_scheme             'grpc';
            access_by_lua_block {
                apisix.grpc_access_phase()
            }

            grpc_set_header   Content-Type application/grpc;
            grpc_socket_keepalive on;
            grpc_pass         $upstream_scheme://apisix_backend;
...

Problem: grpc_pass is different form proxy_pass, it cannot accept variable( which you defined by set).
Result: Failed.

Second Try：add other block in apisix bin file. and change judgement in init.lua

location @grpc_pass_ssl {
            access_by_lua_block {
                apisix.grpc_access_phase()
            }

            grpc_set_header   Content-Type application/grpc;
            grpc_socket_keepalive on;
            grpc_pass         grpcs://apisix_backend;
...

Result: It works!

I will close this issue now.

[membphis]

welcome PR ^_^

[houshunwei]

welcome PR ^_^

The problem is: I use a tricky judgement in init.lua, which is not common.

Do you have any hint? Should I add a field to upstream to label it is grpcs?

[membphis]

@houshunwei we can support the grpcs in this way:

https://github.com/apache/incubator-apisix/blob/master/apisix/init.lua#L280

we can take a look at this PR: #410

[houshunwei]

@houshunwei we can support the grpcs in this way:

https://github.com/apache/incubator-apisix/blob/master/apisix/init.lua#L280

we can take a look at this PR: #410

It's not good to extend route.value.service_protocol enum. Because Route is more like 'Traffic Income' and Upstream is more like 'Traffic Out' 。 So if proxying to grpcs, it's better to use plugins or upstream?

above is what i confused about.

[membphis]

grpc or grpcs is very different for route.value.service_protocol. I think it is fine.

we can not change the protocol dynamically in Nginx. we have to use the different location for this case.

[spacewander]

Surpassed by #3344.