-
Notifications
You must be signed in to change notification settings - Fork 4.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ServeHTTP doesn't work without TLS #555
Comments
Non-TLS case needs some cmux type of connection dispatching solution we designed but not implemented. But in general, if your system allows insecure connections, I do not see the reason you need to stick to a single port shared by http2 and grpc. You can have a grpc server and http server listening on 2 different ports in this case. |
At the very least, this is a documentation issue.
|
@iamqizhao can you reopen this please? It is actually possible to make this work with some hacks cockroachdb/cockroach@c036c15#diff-4bf1ae5b9eb22814a15582886403053f, however Go 1.6 contains a change that rejects insecure gRPC connections before they even get to the handler golang/go@6e11f45, which breaks this again. cc @bradfitz |
Please provide your use case to justify why your system cannot use 2 ports in the insecure case if you think we should pursue this further. It is not that hard to implement cmux in grpc but we want to focus on the real demands given the limited resource from our side. I think insecure port sharing is a really rare case and not needed by >99% grpc users right now. |
OK, but is closing the issue really appropriate? You don't have to fix it On Wed, Feb 17, 2016 at 8:37 PM, Qi Zhao notifications@github.com wrote:
|
We could use the Github Milestone feature to track prioritization. And/or Labels. |
To be clear, I was not saying the use case is illegitimate (I was actually saying we even have a designdoc for that). :) I am trying to clean up and organize (milestones and labels, etc.) all the issues in the repo for GA. I'll see what the best way is to deal with this kind of issues. Reopen this for now. |
I just came by to say that don't believe insecure port sharing to be rare. It is very convenient to setup grpc (& other http services) on insecure ports during development, and it is also convenient to reduce the number of ports in order to simplify firewalls and avoid port conflicts. I had been in the process of trying to consolidate ports for a project when I came across this issue. |
What about |
I also do want to have gRPC and REST APIs on the same port. It is possible with TLS (see link in the previous comment), but not without it. And local developing with self-signed certificates is still cumbersome. |
Cross-reference to implement a workaround with cmux: |
As described in grpc/grpc-go#555, it is not possible to run gRPC without security when using net/http and serveHTTP. This creates a problem if you want to run lora-app-server behind a proxy which terminates TLS. This problem is solved by adding three new options: GRPC_BIND, GRPC_TLS_CERT and GRPC_TLS_LEY. When GRPC_BIND is set, the gRPC service will bind to this ip:port instead of HTTP_BIND which makes it possible to leave HTTP_TLS_CERT and HTTP_TLS_KEY unset. GRPC_TLS_CERT and GRPC_TLS_KEY are optional and will only be used if GRPC_BIND is set.
As described in grpc/grpc-go#555, it is not possible to run gRPC without security when using net/http and serveHTTP. This creates a problem if you want to run lora-app-server behind a proxy which terminates TLS. This problem is solved by adding three new options: GRPC_BIND, GRPC_TLS_CERT and GRPC_TLS_KEY. When GRPC_BIND is set, the gRPC service will bind to this ip:port instead of HTTP_BIND which makes it possible to leave HTTP_TLS_CERT and HTTP_TLS_KEY unset. GRPC_TLS_CERT and GRPC_TLS_KEY are optional and will only be used if GRPC_BIND is set.
As described in grpc/grpc-go#555, it is not possible to run gRPC without security when using net/http and serveHTTP. This creates a problem if you want to run lora-app-server behind a proxy which terminates TLS. This problem is solved by adding three new options: GRPC_BIND, GRPC_TLS_CERT and GRPC_TLS_KEY. When GRPC_BIND is set, the gRPC service will bind to this ip:port instead of HTTP_BIND which makes it possible to leave HTTP_TLS_CERT and HTTP_TLS_KEY unset. GRPC_TLS_CERT and GRPC_TLS_KEY are optional and will only be used if GRPC_BIND is set.
Sorry for the little self-promotion, but I've written a comprehensive article about this issue, in particular about the issues with ServeHTTP() for the purpose of multiplexing to the grpc-gateway. I also discuss some alternatives... I struggled with the details of this issue and think others may not need to. Why choose between gRPC and REST? |
@peter-edge did you say you were able to accomplish this? Is there anything you could share about it? |
Also: golang/go#14141 |
I was, but it's in internal code, I have to figure out how to share it. It's not a secret, just need to go through my notes. |
I finally figured this one out. You can wrap your handler function in the h2c helper if you want to disable TLS
|
Given @snowzach's solution and h2c being implemented in net/http, this can be closed afaict. |
In case someone is interested I came up with a solution to share ports for gRPC and a HTTP server without TLS and by avoiding the use of gRPC
Hope you found it useful! |
This is somewhat obvious, knowing that Go's http2 doesn't work without TLS.
Still, it can be surprising given that grpc exposes
grpc.WithInsecure()
. The errors returned in this case are also really not helpful.This is a pain point for us in CockroachDB, where we want to allow folks to operate the database without provisioning certificates.
The text was updated successfully, but these errors were encountered: