grpc/grpc

how to make load balance while use SSL connection (CPP)

chenbaggio opened this issue · 9 comments

I used to fill in the address like "ipv4:ip1:port1,ip2:port2 ..." for load balancing, but recently I have to use a credential channel, and the address does not seem to work. Please tell me how to resolve the issue (whether the certifications also need to support multiple IPs).

Could you give more information about why the address you are using does not work? I think your question is that the address works in a load balance channel but doesn't work in a credential channel, which means there is an inconsistency in the channel APIs.

I use a gRPC client to connect to an etcd service cluster. The code snippet looks like this:

```cpp
/* create credential */
static std::shared_ptr<ChannelCredentials> BuildChannelCredentials(rpc_channel_auth * rca)
{
    if (rca != NULL)
    {
        if (rca->ccs == CSRPC_SSL)
        {
            grpc::SslCredentialsOptions ssl_opts;

            ssl_opts.pem_root_certs = read_file(rca->extra.sca.root_certs);
            ssl_opts.pem_private_key = read_file(rca->extra.sca.private_key);
            ssl_opts.pem_cert_chain = read_file(rca->extra.sca.cert_chain);

            return grpc::SslCredentials(ssl_opts);
        }
    }

    return grpc::InsecureChannelCredentials();
}

/* create channel */
CliPtr = new Etcd_Client(grpc::CreateCustomChannel(
                hostAddr, channelCred, chan_args),
                int(CSRPC_ETCD_GRPC_CLIENT), timeout);
```

The argument hostAddr is like this: "ipv4:ip1:port1,ip2:port2 ..."

But when it executes an RPC call, it reports a connection failure, although it works when SSL is not used. So I just want to know how to fill in the address so that it works and keeps load balancing. Thank you!

@nanahpang could you let me know about this? Thx

@nanahpang I got an urgent task and please help me, thx!

My guess is that the hostAddr authority is not working with TLS because the TLS secure name check isn't working. A hacky way to make this work could perhaps be to override the authority (this is how our tests use TLS), but that's not generally meant for production usage. Is it not possible for you to reach your service by targeting a DNS name?

Would the server authz callback ability offered by #19778 (when merged) address this issue?

Thanks, I appeal to add DNS SRV, for example:
domain name: etcd.com
Load Balance IP list is: 192.168.x.x, 192.168.x.x and so on

the grpc version is 1.20.0

Is it the right way to solve my problem?

Sorry, I'm not sure that will work. Note that SRV records are used only to bootstrap "grpclb" load balancing in grpc.

It is possible, though, to publish a DNS A or AAAA record with such a list of IP addresses, and round robin over them (I believe that is what you're aiming for in this last comment?)

This issue is being closed because it has been marked with the label kind/question. This form is for bug reports and feature requests ONLY!
Please post questions on https://groups.google.com/g/grpc-io so that the wider community can help answer.
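
Added example (not part of the thread, and not gRPC's own code): a simplified model of the TLS secure name check discussed above. It shows why a certificate carrying only a DNS name verifies when the channel targets that name, whichever A-record address is picked, but fails for a bare IP target unless that IP is listed as a SAN. The hostname `etcd.example.com`, the 192.0.2.x addresses and the SAN lists are constructed, and the matching rules are an RFC 6125-style simplification assumed for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Simplified model of the client's TLS name check (RFC 6125 style).
// Assumption: this is not gRPC's implementation; all names are constructed.
struct San { bool is_ip; std::string value; };

static std::string Lower(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(), [](unsigned char c) {
    return static_cast<char>(std::tolower(c));
  });
  return s;
}

// Drop ":port" from "host:port" (hostnames and IPv4 only, no IPv6 literals).
std::string HostOf(const std::string& authority) {
  auto pos = authority.rfind(':');
  return pos == std::string::npos ? authority : authority.substr(0, pos);
}

bool LooksLikeIPv4(const std::string& h) {
  return !h.empty() && h.find_first_not_of("0123456789.") == std::string::npos;
}

// True if one SAN entry covers the name the client expects to reach.
bool SanMatches(const San& san, const std::string& name) {
  if (LooksLikeIPv4(name)) return san.is_ip && san.value == name;
  if (san.is_ip) return false;  // an IP SAN never covers a DNS name
  std::string pat = Lower(san.value), host = Lower(name);
  if (pat.rfind("*.", 0) == 0) {  // wildcard covers exactly one leftmost label
    auto dot = host.find('.');
    return dot != std::string::npos && dot > 0 &&
           host.substr(dot) == pat.substr(1);
  }
  return pat == host;
}

bool VerifyPeerName(const std::vector<San>& sans, const std::string& authority) {
  const std::string host = HostOf(authority);
  return std::any_of(sans.begin(), sans.end(),
                     [&](const San& s) { return SanMatches(s, host); });
}

// Constructed certificates: one with a DNS SAN only, one that also lists IPs.
std::vector<San> DnsOnlyCert() { return {{false, "etcd.example.com"}}; }
std::vector<San> CertWithIpSans() {
  return {{false, "etcd.example.com"}, {true, "192.0.2.10"}, {true, "192.0.2.11"}};
}
```

In this model the DNS-only certificate passes for the authority `etcd.example.com:2379` and fails for `192.0.2.10:2379`; the certificate with IP SANs passes only for the addresses it lists.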