2019-07-01 15:28:04 +02:00
# gRPC Examples
## With HTTP (h2c)
This section explains how to use Traefik as reverse proxy for gRPC application.
### Traefik Configuration
2019-07-15 10:22:03 +02:00
Static configuration:
2019-07-01 15:28:04 +02:00
2019-07-15 10:22:03 +02:00
```yaml tab="File (YAML)"
entryPoints:
web:
address: :80
providers:
file:
2019-12-09 11:48:05 +01:00
directory: /path/to/dynamic/config
2019-07-01 15:28:04 +02:00
2019-07-15 10:22:03 +02:00
api: {}
```
2021-06-19 00:08:08 +02:00
```toml tab="File (TOML)"
[entryPoints]
[entryPoints.web]
address = ":80"
[api]
[providers.file]
directory = "/path/to/dynamic/config"
```
2019-07-15 10:22:03 +02:00
```yaml tab="CLI"
2019-11-19 10:18:05 +01:00
--entryPoints.web.address=:80
2019-12-09 11:48:05 +01:00
--providers.file.directory=/path/to/dynamic/config
2019-09-12 16:22:03 +02:00
--api.insecure=true
2019-07-15 10:22:03 +02:00
```
2021-06-19 00:08:08 +02:00
`/path/to/dynamic/config/dynamic_conf.{yml,toml}` :
2019-07-01 15:28:04 +02:00
```yaml tab="YAML"
## dynamic configuration ##
http:
routers:
routerTest:
service: srv-grpc
rule: Host(`frontend.local` )
services:
srv-grpc:
loadBalancer:
servers:
- url: h2c://backend.local:8080
```
2021-06-19 00:08:08 +02:00
```toml tab="TOML"
## dynamic configuration ##
[http]
[http.routers]
[http.routers.routerTest]
service = "srv-grpc"
rule = "Host(`frontend.local` )"
[http.services]
[http.services.srv-grpc]
[http.services.srv-grpc.loadBalancer]
[[http.services.srv-grpc.loadBalancer.servers]]
url = "h2c://backend.local:8080"
```
2019-07-01 15:28:04 +02:00
!!! warning
For providers with labels, you will have to specify the `traefik.http.services.<my-service-name>.loadbalancer.server.scheme=h2c`
### Conclusion
We don't need specific configuration to use gRPC in Traefik, we just need to use `h2c` protocol, or use HTTPS communications to have HTTP2 with the backend.
## With HTTPS
This section explains how to use Traefik as reverse proxy for gRPC application with self-signed certificates.
![gRPC architecture ](../assets/img/user-guides/grpc.svg )
### gRPC Server Certificate
In order to secure the gRPC server, we generate a self-signed certificate for service url:
```bash
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./backend.key -out ./backend.cert
```
That will prompt for information, the important answer is:
```txt
Common Name (e.g. server FQDN or YOUR name) []: backend.local
```
### gRPC Client Certificate
Generate your self-signed certificate for router url:
```bash
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./frontend.key -out ./frontend.cert
```
with
```txt
Common Name (e.g. server FQDN or YOUR name) []: frontend.local
```
### Traefik Configuration
At last, we configure our Traefik instance to use both self-signed certificates.
2019-07-15 10:22:03 +02:00
Static configuration:
2019-07-01 15:28:04 +02:00
2019-07-15 10:22:03 +02:00
```yaml tab="File (YAML)"
entryPoints:
websecure:
address: :4443
2019-07-01 15:28:04 +02:00
2019-07-15 10:22:03 +02:00
serversTransport:
# For secure connection on backend.local
rootCAs:
2019-09-23 17:00:06 +02:00
- ./backend.cert
2019-07-15 10:22:03 +02:00
providers:
file:
2019-12-09 11:48:05 +01:00
directory: /path/to/dynamic/config
2019-07-15 10:22:03 +02:00
api: {}
```
2021-06-19 00:08:08 +02:00
```toml tab="File (TOML)"
[entryPoints]
[entryPoints.websecure]
address = ":4443"
[serversTransport]
# For secure connection on backend.local
rootCAs = [ "./backend.cert" ]
[api]
[provider.file]
directory = "/path/to/dynamic/config"
```
2019-07-15 10:22:03 +02:00
```yaml tab="CLI"
2019-11-19 10:18:05 +01:00
--entryPoints.websecure.address=:4443
2019-07-15 10:22:03 +02:00
# For secure connection on backend.local
--serversTransport.rootCAs=./backend.cert
2019-12-09 11:48:05 +01:00
--providers.file.directory=/path/to/dynamic/config
2019-09-12 16:22:03 +02:00
--api.insecure=true
2019-07-15 10:22:03 +02:00
```
2021-06-19 00:08:08 +02:00
`/path/to/dynamic/config/dynamic_conf.{yml,toml}` :
```yaml tab="YAML"
## dynamic configuration ##
http:
routers:
routerTest:
service: srv-grpc
rule: Host(`frontend.local` )
services:
srv-grpc:
loadBalancer:
servers:
# Access on backend with HTTPS
- url: https://backend.local:8080
tls:
# For secure connection on frontend.local
certificates:
- certfile: ./frontend.cert
keyfile: ./frontend.key
```
2019-07-15 10:22:03 +02:00
```toml tab="TOML"
2019-07-01 15:28:04 +02:00
## dynamic configuration ##
[http]
[http.routers]
[http.routers.routerTest]
service = "srv-grpc"
rule = "Host(`frontend.local` )"
2021-06-19 00:08:08 +02:00
2019-07-01 15:28:04 +02:00
[http.services]
[http.services.srv-grpc]
[http.services.srv-grpc.loadBalancer]
[[http.services.srv-grpc.loadBalancer.servers]]
# Access on backend with HTTPS
url = "https://backend.local:8080"
[tls]
# For secure connection on frontend.local
[[tls.certificates]]
certFile = "./frontend.cert"
keyFile = "./frontend.key"
```
!!! warning
With some services, the server URLs use the IP, so you may need to configure `insecureSkipVerify` instead of the `rootCAs` to activate HTTPS without hostname verification.
### A gRPC example in go (modify for https)
We use the gRPC greeter example in [grpc-go ](https://github.com/grpc/grpc-go/tree/master/examples/helloworld )
!!! warning
In order to use this gRPC example, we need to modify it to use HTTPS
So we modify the "gRPC server example" to use our own self-signed certificate:
```go
// ...
// Read cert and key file
2021-09-28 21:30:14 +08:00
backendCert, _ := os.ReadFile("./backend.cert")
backendKey, _ := os.ReadFile("./backend.key")
2019-07-01 15:28:04 +02:00
// Generate Certificate struct
cert, err := tls.X509KeyPair(backendCert, backendKey)
if err != nil {
log.Fatalf("failed to parse certificate: %v", err)
}
// Create credentials
creds := credentials.NewServerTLSFromCert(& cert)
// Use Credentials in gRPC server options
serverOption := grpc.Creds(creds)
var s *grpc.Server = grpc.NewServer(serverOption)
defer s.Stop()
pb.RegisterGreeterServer(s, & server{})
err := s.Serve(lis)
// ...
```
Next we will modify gRPC Client to use our Traefik self-signed certificate:
```go
// ...
// Read cert file
2021-09-28 21:30:14 +08:00
frontendCert, _ := os.ReadFile("./frontend.cert")
2019-07-01 15:28:04 +02:00
// Create CertPool
roots := x509.NewCertPool()
roots.AppendCertsFromPEM(frontendCert)
// Create credentials
credsClient := credentials.NewClientTLSFromCert(roots, "")
// Dial with specific Transport (with credentials)
conn, err := grpc.Dial("frontend.local:4443", grpc.WithTransportCredentials(credsClient))
if err != nil {
log.Fatalf("did not connect: %v", err)
}
defer conn.Close()
client := pb.NewGreeterClient(conn)
name := "World"
r, err := client.SayHello(context.Background(), & pb.HelloRequest{Name: name})
// ...
```