Does stream module have support to negotiate ALPN when terminating TLS?
sojuro
nginx-forum at forum.nginx.org
Sun Dec 15 07:20:12 UTC 2019
Is there support for forwarding to backends when clients are sending ALPN? I
would like to use the stream module if possible. The following nginx config
works successfully with a Go client but not with the Ruby client. This is
similar to the problem with AWS ELB
https://github.com/grpc/grpc/issues/18710
stream {
upstream stream_backend_1 {
server mygrpcservice:8080;
}
server {
listen 443 ssl;
proxy_pass stream_backend_1;
ssl_certificate /etc/ssl/test_cert.pem;
ssl_certificate_key /etc/ssl/test_key.pem;
ssl_preread on;
}
}
With preread on and nginx-debug I got the following in the logs and so the
client is sending ALPN data
2019/12/15 03:21:12 [debug] 12#12: *1 ssl preread: ALPN protocols
"grpc-exp"
2019/12/15 03:21:12 [debug] 12#12: *1 ssl preread: ALPN protocols
"grpc-exp,h2"
but the Handshake fails in the grpc library because Server does not set the
negotiated ALPN??
D1214 23:00:44.714269000 123145438679040 security_handshaker.cc:186]
Security handshake failed:
{"created":"@1576393244.714255000","description":"Cannot check peer: missing
selected ALPN
property.","file":"src/core/lib/security/security_connector/ssl_utils.cc","file_line":118}
Also fails with openssl
$ openssl s_client -connect test00.net:443 -alpn h2 | grep alpn
verify return:1
No ALPN negotiated
-s
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,286473,286473#msg-286473
More information about the nginx
mailing list