pub/sub behind forward proxy

My client wants to subscribe to a pub/sub topic from a server in an on-premise & air-gapped environment.

The idea is that we change the app's URLs for the OAuth and pub/sub endpoints to my proxy endpoint's address.
But I cannot make it work.

I do not fully understand how to proxy grpc with ssl protocol negotiation. Hopefully I can get some insights here; I cannot find anything useful anywhere else.

I managed to make OAuth use the proxy address. But pubsub uses grpc, and that is causing me headaches.

I'm using the java client (quarkus) and haproxy.

The java code is trivial, not changed at all (an example can be found here: https://docs.quarkiverse.io/quarkus-google-cloud-services/main/pubsub.html#_some_example).
But the java program is started with

-Dhttp.proxyHost=localhost -Dhttp.proxyPort=8501 -Dhttps.proxyHost=localhost -Dhttps.proxyPort=8501 -Dhttp.nonProxyHosts="*oauth*"

and the haproxy.conf looks like

frontend pubsub
  bind :8501
  mode tcp
  default_backend pubsub

backend pubsub
  mode tcp
  server s1 pubsub.googleapis.com:443

But I get...
Caused by: io.grpc.netty.shaded.io.netty.handler.proxy.ProxyConnectException: http, none, localhost/127.0.0.1:8501 => pubsub.googleapis.com/<unresolved>:443, disconnected

I'm kinda lost here, help appreciated!
PS: I have tried various other configs, none worked. 


ACCEPTED SOLUTION

I figured it out.
The connection has to be TLS all the way, with HTTP2 protocol negotiation enabled.
The haproxy config looks as follows.

frontend pubsub
  bind :8501 ssl crt /etc/haproxy/pem/haproxy.pem alpn h2
  #http-request capture req.hdrs len 5000
  http-request set-header Host pubsub.googleapis.com:443
  #log-format "$HAPROXY_HTTP_LOG_FMT [[%hr]]"
  default_backend pubsub

backend pubsub
  server s-pubsub pubsub.googleapis.com:443 check ssl alpn h2 verify none

Inspiration:  https://github.com/haproxytechblog/haproxy-grpc-sample/blob/master/src/haproxy/haproxy.cfg
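
The accepted configuration with upstream certificate verification switched on, as an added example that is not part of the original post: `verify none` on the `server` line makes haproxy accept any certificate presented for pubsub.googleapis.com, so the TLS leg to Google is encrypted but not authenticated. Assumptions: HAProxy 2.6 or later (for `ca-file @system-ca`), and a `defaults` section with `mode http` and timeout values chosen here for illustration.

```haproxy
# Added example, not from the original post.
# Assumes HAProxy 2.6+ (@system-ca loads the OS trust store); on older
# versions point ca-file at the distribution's CA bundle instead.

defaults
  mode http                 # required for the http-request rule below
  timeout connect 5s        # illustrative values
  timeout client  1h        # gRPC streams are long-lived
  timeout server  1h

frontend pubsub
  # TLS terminates here; ALPN must offer h2 so the gRPC client can negotiate HTTP/2.
  bind :8501 ssl crt /etc/haproxy/pem/haproxy.pem alpn h2
  http-request set-header Host pubsub.googleapis.com:443
  default_backend pubsub

backend pubsub
  # verify required + ca-file : reject certificates that do not chain to a trusted CA
  # sni + verifyhost          : send the expected server name and require the certificate to match it
  # check-sni + check-alpn    : make the health check use the same name and protocol as real traffic
  server s-pubsub pubsub.googleapis.com:443 ssl alpn h2 verify required ca-file @system-ca sni str(pubsub.googleapis.com) verifyhost pubsub.googleapis.com check check-sni pubsub.googleapis.com check-alpn h2
```

Running `haproxy -c -f` against the edited file checks the syntax before a reload.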
