We help IT Professionals succeed at work.

Grpc reverse proxy

High Priority
104 Views
Last Modified: 2019-12-29
Anyone has handon experience with a grpc reverse proxy ?

The context is anonymising queries to speech.googleapis.com. i have a valid api key, express agreement from google, and a production proxy that handles http queries to the same service. But unfortunately not http2

The future would be a smarter proxy that connects and authenticates against google services and multiplexes client requests to the service. I am also interested in simple client implementations in go. the front protocol might not be grpc in that case, though it would make it simpler.

For now, i played quite unsuccessfully with nginx, haproxy, and a bunch of socats and other tools to decapsulate ssl. Unfortunately i fail to undrstand the authentication mechanism used by google. Any knowlege in that field ?

I am also interested in a working grpc stream decoder

Thanks for your time

Ps : please do not answer with a random tutorial. I already read those, and still struggling.
Comment
Watch Question

David FavorFractional CTO
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Before you start making this complex, start with https://cloud.google.com/speech-to-text/docs/reference/rest/ first.

In other words, use Google's API first, then start bolting on things like reverse proxy code.

Maybe start by describing what you hope to accomplish by using a reverse proxy... What problem you're trying to solve...
nociSoftware Engineer
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Haproxy should be able to do h2 ( v1.8+ at least).

From V1.9.2 it should support gRPC as well.
https://www.haproxy.com/blog/haproxy-1-9-2-adds-grpc-support/
CERTIFIED EXPERT

Author

Commented:
@david :

Ps : please do not answer with a random tutorial. I already read those, and still struggling.

The context is anonymising queries to speech.googleapis.com

@noci :

i'm testing with a version that does support grpc. 1.9.9 i recollect.

both those tools work with regular test grpc servers. but google answers with 404 to the first query while the same query is supposed to be working when hitting google directly. which i cannot even check properly. i also hit 400 and 502 but both were apparently due to misconfigurations on my side.

i'm trying to grab the client-side code which i have no access to. i cannot switch to clear text either while debugging.

i guess i'm missing something quite simple that should be obvious with the adequate tools. i was hoping someone had already done the same thing. even knowing that it is indeed supposed to work would help.
nociSoftware Engineer
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
hm. 404 should mean the intended gRPC object does not exist if i read the specs correctly (the HTTP translation of error 5: Not Found...)
I guess you do need to verify this in the source. Or at least test specific RPC calls.

Just a wild idea... would a dedicated proxy for this service help you, a gSpeachProxy so to say,
I mean have your own client/server protocol (could be gRPC)  to the end-users and use the current gRPC client to do the requesting, and have your own dedicated proxy in between. That way there would even be more control over what requests are done and what data gets exposed.
CERTIFIED EXPERT

Author

Commented:
that's what i figure. i cannot seem to get anything but a 400 or a 404. i figure this is related to oauth authentication somehow.  but since i cannot trace what happens on the client side, it is quite complicated to find out what is going on. i can see apparently valid queries with jwt tokens incuded in the headers POSTing to /google.cloud.speech.v1.Speech/StreamingRecognize which should exist.

--

the wild idea is precisely what we plan ( see § that starts with "The future" in the question ;) .... that would allow us to handle the authentication in the proxy, forbid some dangerous methods such as CONNECT issued by the server, help us grab decent accounting that does not rely on magical estimations, multiplex many clients on a pool of google backends...

i guess i can craft something in go or php in a matter of days, but this needs to be production ready REALLY soon and i cannot afford to take the risk. i'm currently working in parallel towards a regular proxy using the CONNECT method which features less but should allow my bosses not to risk going to jail...
nociSoftware Engineer
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
good luck...
CERTIFIED EXPERT

Author

Commented:
I ended up with the connect regular way. Had to write a connect proxy myself. Sigh. limited software availability on that platform... 2 hours and 250 lines of php code later i got something that struck tinyproxy dead in the ground performance wise ;) ... but has a little garbage collector impact.

That will do for now. Maybe i will compile the php to c++ code using the facebook pseudo compiler...

 I am unsure how to close the question or whether to keep it open... i probably won t have timd to tackle the issue soon if at all. The target script might be written soon enough so i don t need to even bother
CERTIFIED EXPERT

Author

Commented:
Just to close this question, since i am not expecting much progress...

The connect proxy works fine

i also crafted a go client surprisingly easily using a basic tcp protocol on the front end. Which works like a charm. And i believe this is by far the best option.

I know others struggled with traefik unsuccessfully. But i heard reports that traefik can work.

The closest i managed is by reimplementing grpc on both front and back side. Never managed to xfer authentication on one side to the next.



My bosses agreed to forget about a real proxy but they want to send json chunks encapsulated into websockets. There is no way in the world i will ever bother doing something that dumb, and even less i will do it in go.

I bailed out of the project shortly after my last comment and kept the thread open because i thought someone else might come up with something worthy.

Did not happen, will not happen. They are still working on their json and websocket stuff. I give them a 50pct chance to get a working proxy in 2020 and 100pct it will at best use way to much resources for no reason, and most likely never handle the expected load properly.
CERTIFIED EXPERT
Commented:
Oups forgor to close

Explore More ContentExplore courses, solutions, and other research materials related to this topic.