My client wants to subscribe to a pub/sub topic from a server in an on-premises, air-gapped environment.
The idea is that we change the app's URLs for the OAuth and pub/sub endpoints to my proxy endpoint's address.
But I cannot make it work.
I do not fully understand how to proxy gRPC with SSL protocol negotiation. Hopefully I can get some insights here; I cannot find anything useful anywhere else.
I managed to make OAuth use the proxy address. But the pubsub uses gRPC, and that is causing me headaches.
I'm using a Java client (Quarkus) and HAProxy.
The Java code is trivial, not changed at all (an example can be found here: https://docs.quarkiverse.io/quarkus-google-cloud-services/main/pubsub.html#_some_example)
But the java program is started with
-Dhttp.proxyHost=localhost -Dhttp.proxyPort=8501 -Dhttps.proxyHost=localhost -Dhttps.proxyPort=8501 -Dhttp.nonProxyHosts="*oauth*"
and the haproxy.conf looks like
frontend pubsub
bind :8501
mode tcp
default_backend pubsub
backend pubsub
mode tcp
server s1 pubsub.googleapis.com:443
But I get...
Caused by: io.grpc.netty.shaded.io.netty.handler.proxy.ProxyConnectException: http, none, localhost/127.0.0.1:8501 => pubsub.googleapis.com/<unresolved>:443, disconnected
I'm kinda lost here, help appreciated!
PS: I have tried various other configs, none worked.
I figured it out.
The connection has to be TLS all the way, with HTTP/2 protocol negotiation enabled.
The haproxy config looks as follows.
frontend pubsub
bind :8501 ssl crt /etc/haproxy/pem/haproxy.pem alpn h2
#http-request capture req.hdrs len 5000
http-request set-header Host pubsub.googleapis.com:443
#log-format "$HAPROXY_HTTP_LOG_FMT [[%hr]]"
default_backend pubsub
backend pubsub
server s-pubsub pubsub.googleapis.com:443 check ssl alpn h2 verify none
Inspiration: https://github.com/haproxytechblog/haproxy-grpc-sample/blob/master/src/haproxy/haproxy.cfg
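Added example (not part of the original posts, and not the poster's own configuration): the accepted config uses `verify none` on the backend, so the proxy does not validate the certificate of the host it forwards OAuth-bearing gRPC traffic to. The variant below keeps the same frontend and backend but turns on upstream certificate and hostname verification. The `defaults` section, the timeouts and the CA bundle path are assumptions.

```haproxy
# Hardened variant of the configuration above (added example).
# Assumptions not taken from the post: a defaults section with HTTP mode,
# the timeout values, and a CA bundle at /etc/ssl/certs/ca-certificates.crt.

defaults
    mode http                  # http-request rules and HTTP/2 proxying need HTTP mode
    timeout connect 5s
    timeout client  1h         # assumed value; gRPC streams can stay open for a long time
    timeout server  1h         # assumed value

frontend pubsub
    # TLS is terminated here with ALPN h2, as in the post. The client must trust
    # the certificate in haproxy.pem, because it now connects to the proxy address.
    bind :8501 ssl crt /etc/haproxy/pem/haproxy.pem alpn h2
    http-request set-header Host pubsub.googleapis.com:443
    default_backend pubsub

backend pubsub
    # Setting from the post, kept for comparison (no upstream certificate check):
    #   server s-pubsub pubsub.googleapis.com:443 check ssl alpn h2 verify none
    #
    # Corrected line:
    #   verify required + ca-file  validate the upstream certificate chain
    #   sni                        send the server name in the TLS handshake
    #   verifyhost                 require the certificate to match this hostname
    #   check-sni                  use the same server name for health checks
    server s-pubsub pubsub.googleapis.com:443 check ssl alpn h2 verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(pubsub.googleapis.com) verifyhost pubsub.googleapis.com check-sni pubsub.googleapis.com
```

Running `haproxy -c -f <config file>` validates the file before a reload.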