How to configure haproxy-ingress for serving GRPC - kubernetes

Has anyone been successful in configuring the HAProxy ingress controller for serving a gRPC server in the backend?
GRPC Client ----> Ingress----> GRPC Server (k8s Service) --> GRPC Server( Pod)
I tried configuring as per the documentation here (https://www.haproxy.com/blog/haproxy-1-9-2-adds-grpc-support/ and https://haproxy-ingress.github.io/docs/configuration/keys/#backend-protocol).
It is not working as expected. Wanted to check if I have missed some configuration here.

gRPC works on top of h2 and, for compatibility reasons, client and server need to agree about the HTTP protocol version they want to speak. In haproxy this is done using the alpn keyword in the bind line, which only works on TLS connections. By default HAProxy Ingress configures alpn with h2,http1.1, allowing h2 and gRPC out of the box on the client side - but only on https connections.
If you're using plain http, client and server don't have a way to agree about a protocol, and the default version used is http1. You can overwrite this behavior by configuring bind-http with :80 proto h2, but this should break http1 clients.
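
The two setups described in the answer above, written out as manifests. This is an added example, not part of the original answer or the project's documentation: the resource names, host, secret, port, ingress class, namespace and the annotation prefix (which depends on the controller version) are assumptions, while backend-protocol and bind-http are the keys named on this page.

```yaml
# Added example; all names and hosts below are constructed placeholders.
# Option 1 (TLS): clients negotiate h2 through ALPN on the https listener,
# and the controller is told to speak HTTP/2 to the gRPC pod.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grpc-demo
  annotations:
    # Assumed annotation prefix; check the prefix your controller version uses.
    haproxy-ingress.github.io/backend-protocol: "h2"
spec:
  ingressClassName: haproxy          # assumed class name
  tls:
    - hosts:
        - grpc.example.local
      secretName: grpc-demo-tls      # certificate served on :443
  rules:
    - host: grpc.example.local
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: grpc-server
                port:
                  number: 50051
---
# Option 2 (plain http): there is no ALPN without TLS, so the http listener
# is forced to HTTP/2. As the answer notes, http1 clients on :80 should break.
apiVersion: v1
kind: ConfigMap
metadata:
  name: haproxy-ingress              # assumed name of the controller's ConfigMap
  namespace: ingress-controller      # assumed namespace
data:
  bind-http: ":80 proto h2"
```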

Related

Kubernetes: communicate internal services using HTTPS

I have 2 services deployed in Kubernetes:
Application A (ASP.NET Core 5 gRPC service)
Application B (ASP.NET Core 5 API)
Application B is accessible via ingress-nginx-controller over https from outside of my cluster.
Application A is exposed via a Service and is only accessible inside my cluster.
My question is: how can I connect from Application B to Application A over SSL/TLS?
For HTTPS communication, you can set up a certificate with "dotnet dev-certs https". Each pod will need to set up a self-signed certificate on port 443, for development purposes, but this is not recommended.
However, gRPC can actually be used over HTTP, with service mesh support for http2/grpc for service-to-service communication. The steps can be:
Call gRPC using HTTP
https://learn.microsoft.com/en-us/aspnet/core/grpc/troubleshoot?view=aspnetcore-3.0#call-insecure-grpc-services-with-net-core-client-2
Setup Linkerd
https://techcommunity.microsoft.com/t5/azure-developer-community-blog/meshing-with-linkerd2-using-grpc-enabled-net-core-services/ba-p/1377867
Hope this helps

AWS API Gateway HTTP Proxy for HTTPS connections

I cannot for the life of me get the AWS API Gateway HTTP Proxy to work, i.e. redirect http://<my-domain>.com to https://<my-domain>.com. Here is how I set it up:
Using the Test functionality on the ANY method inside the resource works. But if I simply do curl http://<my-domain>.com or run http://<my-domain>.com in Chrome, it fails to connect; https://<my-website>.com works just fine. I'm driving myself crazy trying to figure out what I'm missing here; it seems like it should just redirect http://<my-domain>.com to https://<my-domain>.com, but it doesn't (even on different devices).
So, it turns out that API Gateway's HTTP Proxy allows HTTPS traffic to go to an HTTP endpoint, but not the reverse. In fact, API Gateway won't even establish a connection on port 80; from the FAQ:
Q: Can I create HTTPS endpoints?
Yes, all of the APIs created with Amazon API Gateway expose HTTPS
endpoints only. Amazon API Gateway does not support unencrypted (HTTP)
endpoints.
API Gateway doesn't support unencrypted HTTP traffic. Here are the possible options you can do to secure your website:
If you have access to the server that hosts the website, install an SSL certificate to the webserver.
If the website is hosted on EC2, you can set up a load balancer and let it do the SSL termination.

how can i use wso2 behind haproxy

I use dockerized wso2: https://github.com/wso2/docker-apim.
I want to use the API manager behind haproxy.
My config is:
frontend app
    bind *:443 ssl crt /etc/ssl/wso2.pem
    default_backend wso2

backend wso2
    server node1 api-manager:9443 check ssl verify none
But after configuring it, when I open https://127.0.0.1/ in the browser, it redirects to https://127.0.0.1:9443/publisher/.
How can I fix it?
You can set the proxy ports in catalina-server.xml in repository/conf/tomcat location [1]. For 9443 port you can set the port 443 and restart the server.
[1] - https://docs.wso2.com/display/Carbon440/Adding+a+Custom+Proxy+Path

How to remove host header

I want to remove the Host header at the ingress controller before sending the request to the backend service. Will appreciate your insight.
My backend service is NOT expecting any Host header.
Thank you!
Google Cloud Platform is working on richer routing and transforms with HTTP(s) Load Balancer, used by Kubernetes Engine Ingress. No ETA is available.
In the meantime, you can use a proxy service in front of the application. See this answer on how to remove a header with nginx.

Intercept all outgoing connections made by a process to redirect it to a localhost proxy

I am working in an environment where there are multiple services hosted. A service (consider web services) exposes some APIs and also acts as a client to call other services too.
Now what I want to achieve is that if Service A (acting as client) wants to talk to Service B (acting as server here) using http, then I want to intercept the outgoing HTTP request and redirect it to a localhost proxy.
There are multiple services running on a host and a service also talks to multiple other services, so I don't want to change the configuration of every outgoing endpoint to point to the proxy.
Sample configurations:
Following are the services endpoint which service A connects while doing some processing like:
a1.example.com:2430
a2.example.com:8280
a3.example.com:4380
a4.example.com:4280
a5.example.com:3158
a6.example.com:8238
I have looked into configuring squid proxy as a transparent proxy. But how should I force every outgoing connection (with different destination ports) to redirect to the localhost proxy?