I'm running a gRPC server. Today, it has its own certificate as part of the application code. I'd like to move certificate handling and TLS termination to a reverse proxy.
The server looks like this (since no TLS is involved behind the proxy):

    grpcServer := grpc.NewServer(
        grpc.Creds(insecure.NewCredentials()),
        grpc.KeepaliveParams(keepalive.ServerParameters{
            MaxConnectionIdle: 30 * time.Second,
        }),
    )

The client dial looks like this (since it needs to talk TLS imho):

    creds := credentials.NewTLS(new(tls.Config))
    conn, err := grpc.Dial(host, grpc.WithTransportCredentials(creds))

This doesn't work:

    rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: EOF"

Changing the client to use `insecure.NewCredentials()` instead of an empty `tls.Config` fails as well:

    rpc error: code = Unavailable desc = connection error: desc = "error reading server preface: read tcp 192.168.178.137:61666->66.241.124.2:8080: read: connection reset by peer"

Should any of these methods work for a gRPC server behind a TLS-terminating reverse proxy? What is the correct way to configure transport credentials for this deployment scenario?
Finally got it:

`grpc.Creds(...)` must be removed altogether. The other missing piece, as the app is running on fly.io, is adding the required ALPN handler to the reverse proxy configuration: