Opened 8 years ago
Closed 7 years ago
#1510 closed defect (worksforme)
gRPC stream RST_STREAM PROTOCOL_ERROR
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | other | Version: | 1.13.x |
| Keywords: | | Cc: | |
| uname -a: | | | |
| nginx -V: | nginx version: nginx/1.13.10 built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) built with OpenSSL 1.1.0g 2 Nov 2017 TLS SNI support enabled configure arguments: --with-ld-opt=-Wl,-rpath,/usr/local/luajit/lib --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --sbin-path=/usr/sbin/nginx --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --with-file-aio --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_xslt_module=dynamic --with-mail --with-mail_ssl_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-threads --add-module=/root/nginx-1.13.10/ngx_http_google_filter_module --add-module=/root/nginx-1.13.10/ngx_http_substitutions_filter_module --add-module=/root/nginx-1.13.10/nginx-rtmp-module --add-module=/root/nginx-1.13.10/nginx-ts-module --with-openssl=/root/nginx-1.13.10/openssl-1.1.0g --add-module=/root/nginx-1.13.10/ngx_devel_kit-0.3.1rc1 --add-module=/root/nginx-1.13.10/lua-nginx-module-0.10.12rc2 | ||
Description
I have a gRPC server behind nginx 1.13.10. The client reports:
stream terminated by RST_STREAM with error code: PROTOCOL_ERROR
Sometimes the code may be: INTERNAL_ERROR
The server and the client work without nginx.
The client and the server are using a private cert.
nginx conf

```
upstream grpctun {
    server 10.10.10.1:10465 weight=60;
    server 10.10.10.2:10465 weight=30;
    server 10.10.10.3:10465 weight=10;
}
server {
    listen 1465 ssl http2;
    ssl_certificate /home/web/ssl/grpc/grpctun.cert;
    ssl_certificate_key /home/web/ssl/grpc/grpctun.key;
    location / {
        grpc_pass grpcs://grpctun;
    }
}
```

Try looking into the error log, it might have enough information to explain what goes on. If it doesn't, please provide a debug log.
Note well that "client ... use private cert" suggests that you are using an SSL client certificate to authenticate the client on your gRPC servers. This approach cannot work through a proxy server, much like with normal SSL proxying: SSL certificates can authenticate connection endpoints, but not end-to-end communication through intermediate proxy servers. As such, you have to switch to a different authentication method.
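
One way to act on the reply above, as an added example that is not part of the ticket or of the nginx project's own configuration: verify the client certificate at nginx, where the client's TLS connection ends, and forward the verified identity to the backends as gRPC metadata while nginx authenticates to them with its own certificate. The `clients-ca.pem`, `nginx-client.*` and `backend-ca.pem` paths, the `x-client-*` header names and the `grpc_ssl_name` value are assumptions.

```nginx
upstream grpctun {
    server 10.10.10.1:10465 weight=60;
    server 10.10.10.2:10465 weight=30;
    server 10.10.10.3:10465 weight=10;
}

server {
    listen 1465 ssl http2;

    # Server certificate presented to gRPC clients (paths from the ticket).
    ssl_certificate     /home/web/ssl/grpc/grpctun.cert;
    ssl_certificate_key /home/web/ssl/grpc/grpctun.key;

    # The client's TLS session ends here, so this is the only place its
    # certificate can be checked. clients-ca.pem is a placeholder for the
    # CA that issues the client certificates.
    ssl_client_certificate /home/web/ssl/grpc/clients-ca.pem;
    ssl_verify_client      on;   # handshakes without a valid cert are rejected

    location / {
        grpc_pass grpcs://grpctun;

        # Forward the verified identity as request headers (gRPC metadata).
        # Header names are hypothetical. grpc_set_header redefines the field,
        # so a value sent by the client under the same name is not passed on.
        grpc_set_header x-client-dn          $ssl_client_s_dn;
        grpc_set_header x-client-fingerprint $ssl_client_fingerprint;

        # nginx opens its own TLS connection to each backend and presents
        # its own certificate there (placeholder paths).
        grpc_ssl_certificate     /home/web/ssl/grpc/nginx-client.cert;
        grpc_ssl_certificate_key /home/web/ssl/grpc/nginx-client.key;

        # Verify the backend certificate against the private CA.
        grpc_ssl_trusted_certificate /home/web/ssl/grpc/backend-ca.pem;
        grpc_ssl_verify              on;
        grpc_ssl_name                grpctun.internal;  # placeholder: name in the backend cert
    }
}
```

The backends should accept connections only from nginx (for example by requiring the `nginx-client` certificate) and read the caller's identity from the forwarded metadata; if a backend is reachable directly, those headers can be set by anyone.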