.net core using Https

  Recently I wanted to split one service of a website out on its own to serve data, using gRPC for the calls between services, Consul for service discovery, and Docker as the runtime environment.

  Now the first problem. gRPC runs over HTTP/2, and by default .NET Core's HttpClient only speaks HTTP/2 over TLS, i.e. HTTPS. On an internal network we may not want HTTPS at all. gRPC can still run over plain HTTP/2 (h2c); see Http2UnencryptedSupport. Configure the server endpoint to listen with the HTTP/2 protocol and enable the unencrypted-HTTP/2 switch on the client, and the gRPC calls can be made against an http:// address. (The switch applies to .NET Core 3.x; in .NET 5 and later it is no longer needed, and the client asks for plain HTTP/2 through the request version and HttpVersionPolicy instead.)

    On the server side, appsettings.json sets the protocol Kestrel listens with:

    "Kestrel": {
      "EndpointDefaults": {
        "Protocols": "Http2"
      }
    }

  The client adds the following line in Program, before any gRPC channel is created:

    AppContext.SetSwitch(
        "System.Net.Http.SocketsHttpHandler.Http2UnencryptedSupport", true);

  The next problem: I want the gRPC service to be discovered through Consul, but Consul's HTTP health check speaks HTTP/1.1, not HTTP/2. (Consul also offers a gRPC check type that uses the gRPC health-checking protocol; the rest of this post assumes the HTTP check.) In other words, my gRPC service must accept both HTTP/1.1 and HTTP/2. Can .NET Core do that?

  It can; see ListenOptions.Protocols. Change the "Protocols": "Http2" above to "Protocols": "Http1AndHttp2". However, the documentation also states the condition under which Http1AndHttp2 works: "HTTP/2 requires the client to select HTTP/2 during the TLS Application Layer Protocol Negotiation (ALPN) handshake; otherwise, the connection defaults to HTTP/1.1."

   In other words, on a plain http:// address there is no TLS handshake and therefore no ALPN, so an Http1AndHttp2 endpoint can never negotiate HTTP/2: the connection falls back to HTTP/1.1 and the gRPC call fails.

  What should I do? The options I considered:

   1. Don't use Consul and call the gRPC service directly. This does not meet my needs.

   2. Use HTTPS only. There are two ways to get a certificate. The first is the development certificate, i.e. a certificate issued for localhost, which .NET Core can generate itself (dotnet dev-certs https). Since my service runs in Docker, "localhost" has to hold across containers, so all services need to be on the same Docker network; that is easy to arrange, and the certificate is easy to obtain.

  In the end I chose the other method: a self-signed certificate chain. Install OpenSSL on Windows and create a three-level chain: CA certificate > intermediate certificate > service certificate. The service certificate is issued for the IP address of the gRPC service (as an IP subject alternative name, because the client validates the address it connects to against the certificate). Installing OpenSSL on Windows: here. Generating a chained certificate: here.

  If you don't need a three-level chain, you can simply generate the service certificate as a self-signed root certificate.

  Next, what to watch out for when deploying to Docker:

   On the server side, the .NET Core certificate needs to be in PFX format, so the certificate generated by OpenSSL is converted to PFX (together with its private key) and then configured in Docker: reference

   I deploy with docker-compose, so the environment variables go into the yml (the PFX itself is mounted into the container at /https, and note that a password passed this way is visible to anyone who can run docker inspect):

    environment:
      - "ASPNETCORE_Kestrel__Certificates__Default__Path=/https/your.pfx"
      - "ASPNETCORE_Kestrel__Certificates__Default__Password=yourpassword"
      - "ASPNETCORE_URLS=https://+;http://+"
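  The same setup expressed in appsettings.json instead of environment variables, as an added example (not from the original post). Kestrel lets each endpoint carry its own protocol setting, so the TLS endpoint serves gRPC over HTTP/2 (negotiated through ALPN) while a separate plain endpoint limited to HTTP/1.1 answers Consul's health check; if some clients still need unencrypted gRPC, a further plain endpoint with "Protocols": "Http2" on its own port does that. The port numbers, endpoint names and the /https/your.pfx path are assumptions. Once endpoints are defined here, the ASPNETCORE_URLS value is overridden and can be dropped, and the password is better supplied from an environment variable or secret store than from a file in source control.

```json
{
  "Kestrel": {
    "Endpoints": {
      "Grpc": {
        "Url": "https://+:5001",
        "Protocols": "Http1AndHttp2",
        "Certificate": {
          "Path": "/https/your.pfx",
          "Password": "yourpassword"
        }
      },
      "ConsulHealthCheck": {
        "Url": "http://+:5000",
        "Protocols": "Http1"
      }
    }
  }
}
```

  Register the service in Consul with the health check pointing at port 5000 and the gRPC address at port 5001; a gRPC client that mistakenly calls the plain port gets an HTTP/1.1 response instead of a hanging HTTP/2 connection.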

  The gRPC client needs to trust the certificate chain just generated; trusting the root CA certificate is enough, as long as the client can also obtain the intermediate. If the client runs on Windows, double-click the certificate to install it into the Trusted Root Certification Authorities store. To view installed certificates on Windows, open a command line and run mmc, then add the Certificates snap-in. If the client runs in Docker, copy the certificate into the image and update the trust store; the commands below are for Debian-based images such as the official .NET images, where update-ca-certificates picks up PEM files with a .crt extension. My client Dockerfile adds these two commands:

    COPY "your.crt" "/usr/local/share/ca-certificates"
    RUN update-ca-certificates

  That is, copy the certificate into the ca-certificates directory and run the update command so it is merged into the system trust bundle.

    Finally, some experience: self-signed certificates are not trusted by Chrome. There are tutorials online for adding trust. IE handles this better: after the certificate has been added as trusted, IE opens the signed HTTPS site directly without a warning.

    Another point: if the client environment has not added the self-signed certificate as trusted, the .NET Core program reports an error, and the cause is simply that the certificate is not trusted. However, when I tested certificate revocation, I found that .NET Core could still access a site whose certificate had been revoked, while IE warns that the certificate has been revoked. I don't know how to deal with this problem. (The reason is that HttpClient does not check revocation unless told to: HttpClientHandler.CheckCertificateRevocationList defaults to false, and the SocketsHttpHandler equivalent, SslOptions.CertificateRevocationCheckMode, defaults to NoCheck. Enabling it only helps if the issued certificates carry a CRL distribution point URL the client can reach.)

    How to revoke a certificate is covered in: openssl generates a certificate chain (multi-level certificate) and certificate revocation list (CRL).
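    The whole procedure from the chain generation above through revocation, as an added, runnable example (these are not the post's commands nor those of the linked tutorials): build root CA > intermediate CA > service certificate with the service certificate issued for the gRPC service's IP address, export it to PFX for Kestrel, then revoke it, reissue the CRL, and confirm with openssl verify that the revoked certificate is rejected. Assumed values: OpenSSL 1.1.1 or later, service IP 10.0.0.5, CRL published at http://10.0.0.5/intermediate.crl, PFX password changeit; all file and subject names are invented for the example.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes OpenSSL 1.1.1 or later, that the
# gRPC service is reached by IP address, and that the intermediate CA's CRL is published
# at the URL written into the certificate. The PFX password "changeit" is an assumption.
set -eu

# make_chain <workdir> <service-ip> <crl-url>
# Root CA > intermediate CA > service certificate, an initially empty CRL, and service.pfx.
make_chain() {
  dir=$1; ip=$2; crl_url=$3
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"; echo 1000 > "$dir/serial"; echo 1000 > "$dir/crlnumber"
  cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$ip
crlDistributionPoints = URI:$crl_url
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ ca ]
default_ca = int_ca
[ int_ca ]
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/intermediate.crt
private_key = $dir/intermediate.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
unique_subject = no
[ policy_any ]
commonName = supplied
EOF
  # 1. Self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$dir/openssl.cnf" \
    -extensions v3_root -subj "/CN=Example Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
  # 2. Intermediate CA, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
    -subj "/CN=Example Intermediate CA" \
    -keyout "$dir/intermediate.key" -out "$dir/intermediate.csr" 2>/dev/null
  openssl x509 -req -days 1825 -in "$dir/intermediate.csr" -CA "$dir/root.crt" \
    -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/openssl.cnf" \
    -extensions v3_intermediate -out "$dir/intermediate.crt" 2>/dev/null
  # 3. Service certificate for the IP, issued with "openssl ca" so that it is recorded in
  #    index.txt and can be revoked later
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
    -subj "/CN=grpc-service" -keyout "$dir/service.key" -out "$dir/service.csr" 2>/dev/null
  openssl ca -batch -config "$dir/openssl.cnf" -extensions v3_server -notext \
    -in "$dir/service.csr" -out "$dir/service.crt" 2>/dev/null
  # 4. Empty CRL, so a client that checks revocation has something to fetch
  openssl ca -batch -config "$dir/openssl.cnf" -gencrl -out "$dir/intermediate.crl" 2>/dev/null
  # 5. PFX for Kestrel: service key and certificate, with the intermediate bundled
  openssl pkcs12 -export -inkey "$dir/service.key" -in "$dir/service.crt" \
    -certfile "$dir/intermediate.crt" -passout pass:changeit -out "$dir/service.pfx"
}

# verify_service <workdir>: succeeds only if service.crt chains to root.crt through the
# intermediate and is not on the intermediate's CRL. This is the check a client must do.
verify_service() {
  openssl verify -crl_check -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" \
    -CRLfile "$1/intermediate.crl" "$1/service.crt" >/dev/null 2>&1
}

# revoke_service <workdir>: mark service.crt revoked and reissue the CRL
revoke_service() {
  openssl ca -batch -config "$1/openssl.cnf" -revoke "$1/service.crt" 2>/dev/null
  openssl ca -batch -config "$1/openssl.cnf" -gencrl -out "$1/intermediate.crl" 2>/dev/null
}

# Usage with the assumed values: sh certs.sh /tmp/pki 10.0.0.5 http://10.0.0.5/intermediate.crl
if [ $# -eq 3 ]; then
  make_chain "$1" "$2" "$3"
  verify_service "$1"
  echo "service.crt chains to root.crt and is not revoked"
  openssl x509 -in "$1/service.crt" -noout -text | grep -E 'IP Address|URI:'
fi
```

    openssl verify -crl_check is exactly the lookup that .NET skipped in the revocation test above: HttpClient does no CRL check unless CheckCertificateRevocationList (HttpClientHandler) or SslOptions.CertificateRevocationCheckMode (SocketsHttpHandler) is enabled, and then the CRL has to be reachable at the distribution-point URL, which is why the example writes one into the service certificate. After revoke_service the same verify call fails with "certificate revoked". If an older .NET runtime refuses a PFX produced by OpenSSL 3, re-export it with the -legacy option.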

Origin www.cnblogs.com/lonelyxmas/p/12737871.html