AWS ALB and GRPC
I'm trying to run a netty server with GRPC API on AWS ECS (on Fargate) behind an application load balancer for an Android GRPC client to connect to.
Calls are forwarded but the server logs show an error like
io.grpc.netty.shaded.io.netty.handler.codec.http2.Http2Exception: HTTP/2 client preface string missing or corrupt. Hex dump for received bytes: 1603010102010000fe03036a5663244616ee784100b9d61c
I've read here that such an error is related to the client and server not both using SSL, which arguably is true in my case.
The server itself is not configured to use SSL (I wouldn't know which certificate to deploy it with).
The ALB provides an ACM public certificate to the client and should do SSL offloading, I would expect. However, the fact that I cannot configure the load balancing target group with another protocol than HTTPS when protocol version is GRPC indicates otherwise.
Can anyone clarify this to me or have a working example?
This is the relevant ALB config of my cfn template:
ApplicationLoadBalancer:
  Type: "AWS::ElasticLoadBalancingV2::LoadBalancer"
  Properties:
    Name: my-alb
    Scheme: "internet-facing"
    Type: "application"
    Subnets:
      - !Ref public-sn-1
      - !Ref public-sn-2
    SecurityGroups:
      - !Ref ALBSecurityGroup
    IpAddressType: "ipv4"
HubListener:
  Type: "AWS::ElasticLoadBalancingV2::Listener"
  Properties:
    LoadBalancerArn: !Ref ApplicationLoadBalancer
    Port: 50051
    Protocol: HTTPS
    SslPolicy: "ELBSecurityPolicy-2016-08"
    Certificates:
      - CertificateArn: !Ref AlbCertificateArn
    DefaultActions:
      - Order: 1
        TargetGroupArn: !Ref HubTargetGroup
        Type: "forward"
HubTargetGroup:
  Type: "AWS::ElasticLoadBalancingV2::TargetGroup"
  Properties:
    Port: 50051
    Protocol: HTTPS
    ProtocolVersion: GRPC
    HealthCheckEnabled: true
    HealthCheckPath: "/grpc.health.v1.Health/Check"
    HealthCheckPort: "traffic-port"
    HealthCheckProtocol: HTTP
    TargetType: ip
    Matcher:
      GrpcCode: 0
    VpcId: !Ref VpcId
Comments (1)
Turns out the target group just needs to be switched to protocol HTTP for the SSL offloading to work. I had initially assumed that this would not be permitted, since a listener forwarding to a GRPC target group must use HTTPS as protocol, but that constraint does not apply to the target group itself.