-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
gRPC upstream with TLS doens't work #9665
Comments
@lizan , @PiotrSikora , @htuch could you help? Thanks |
@qiwzhang it looks that TLS and HTTP/2 connections are established correctly, but then Envoy sends |
@PiotrSikora will a tcpdump help? I can capture a tcpdump for you |
No, tcpdump output will be encrypted. Do you have logs from the Cloud Run instance? |
no much log from the instance. It did not show anything from the cloud run instance. |
If a grpc call bypassing envoy proxy, it will have a success log entry in the instance. A grpc request with the proxy doesn't show anything in the instance log. |
Here is trace log with more nghttp2 log entries:
|
Is indicating a protocol error:
It's not clear from the logs what the issue is. Note that we have had issues in the past with gRPC's HTTP/2 implementation not being spec compliant. |
@mattklein123 the second log has more nghttp2 traces. It may provide more insights |
I looked at the 2nd log. I don't see anything in there that identifies why nghttp2 is deciding there is a protocol error unfortunately. |
Update. Here is the data dump received from Cloud Run after sending Http2 header. === 400. That�s an error. Your client has issued a malformed or illegal request. That�s all we know. Cloud Run doesn't like the Http2 headers or gRPC headers Envoy is sending. |
some thoughts: 1, gRPC should be HTTP/2, not HTTP/1 |
You're missing |
@PiotrSikora Thanks. After add "alpn_protocols: h2", it works. |
Title: gRPC upstream with TLS doens't work
Description:
I tried to setup Envoy proxy to talk to gRPC service deployed in Google Cloud Run, it did not work.
Repro steps:
Config:
Logs:
The log with "trace" level
Additional info:
gRPC language: both grpc client and server are using c++.
gRPC log:
For the failed request, there is not log in the grpc server, it seems that the request did not reach grpc server, it fails in the TLS negotiation between Envoy upstream and Cloud Run.
The text was updated successfully, but these errors were encountered: