traefik/old/docs/user-guide/grpc.md

# gRPC examples

## With HTTP (h2c)

This section explains how to use Traefik as reverse proxy for gRPC application.

### Traefik configuration

At last, we configure our Traefik instance to use both self-signed certificates.

```toml
defaultEntryPoints = ["https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http]

[api]

[file]

[backends]
  [backends.backend1]
    [backends.backend1.servers.server1]
    # Access on backend with h2c
    url = "h2c://backend.local:8080"


[frontends]
  [frontends.frontend1]
  backend = "backend1"
    [frontends.frontend1.routes.test_1]
    rule = "Host:frontend.local"
```

!!! warning
    For provider with label, you will have to specify the `traefik.protocol=h2c`

### Conclusion

We don't need specific configuration to use gRPC in Traefik, we just need to use `h2c` protocol, or use HTTPS communications to have HTTP2 with the backend.

## With HTTPS

This section explains how to use Traefik as reverse proxy for gRPC application with self-signed certificates.

![gRPC architecture](/img/grpc.svg)

### gRPC Server certificate

In order to secure the gRPC server, we generate a self-signed certificate for backend url:

```bash
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./backend.key -out ./backend.cert
```

That will prompt for information, the important answer is:

```
Common Name (e.g. server FQDN or YOUR name) []: backend.local
```

### gRPC Client certificate

Generate your self-signed certificate for frontend url:

```bash
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./frontend.key -out ./frontend.cert
```

with

```
Common Name (e.g. server FQDN or YOUR name) []: frontend.local
```

### Traefik configuration

At last, we configure our Traefik instance to use both self-signed certificates.

```toml
defaultEntryPoints = ["https"]

# For secure connection on backend.local
rootCAs = [ "./backend.cert" ]

[entryPoints]
  [entryPoints.https]
  address = ":4443"
    [entryPoints.https.tls]
     # For secure connection on frontend.local
     [[entryPoints.https.tls.certificates]]
     certFile = "./frontend.cert"
     keyFile  = "./frontend.key"


[api]

[file]

[backends]
  [backends.backend1]
    [backends.backend1.servers.server1]
    # Access on backend with HTTPS
    url = "https://backend.local:8080"


[frontends]
  [frontends.frontend1]
  backend = "backend1"
    [frontends.frontend1.routes.test_1]
    rule = "Host:frontend.local"
```

!!! warning
    With some backends, the server URLs use the IP, so you may need to configure `insecureSkipVerify` instead of the `rootCAS` to activate HTTPS without hostname verification.

### A gRPC example in go (modify for https)

We use the gRPC greeter example in [grpc-go](https://github.com/grpc/grpc-go/tree/master/examples/helloworld)

!!! warning
    In order to use this gRPC example, we need to modify it to use HTTPS

So we modify the "gRPC server example" to use our own self-signed certificate:

```go
// ...

// Read cert and key file
BackendCert, _ := ioutil.ReadFile("./backend.cert")
BackendKey, _ := ioutil.ReadFile("./backend.key")

// Generate Certificate struct
cert, err := tls.X509KeyPair(BackendCert, BackendKey)
if err != nil {
  log.Fatalf("failed to parse certificate: %v", err)
}

// Create credentials
creds := credentials.NewServerTLSFromCert(&cert)

// Use Credentials in gRPC server options
serverOption := grpc.Creds(creds)
var s *grpc.Server = grpc.NewServer(serverOption)
defer s.Stop()

pb.RegisterGreeterServer(s, &server{})
err := s.Serve(lis)

// ...
```

Next we will modify gRPC Client to use our Traefik self-signed certificate:

```go
// ...

// Read cert file
FrontendCert, _ := ioutil.ReadFile("./frontend.cert")

// Create CertPool
roots := x509.NewCertPool()
roots.AppendCertsFromPEM(FrontendCert)

// Create credentials
credsClient := credentials.NewClientTLSFromCert(roots, "")

// Dial with specific Transport (with credentials)
conn, err := grpc.Dial("frontend.local:4443", grpc.WithTransportCredentials(credsClient))
if err != nil {
    log.Fatalf("did not connect: %v", err)
}

defer conn.Close()
client := pb.NewGreeterClient(conn)

name := "World"
r, err := client.SayHello(context.Background(), &pb.HelloRequest{Name: name})

// ...
```
h2c server 2018-05-28 09:46:03 +00:00			`# gRPC examples`
User guide gRPC 2017-09-16 08:56:02 +00:00
h2c server 2018-05-28 09:46:03 +00:00			`## With HTTP (h2c)`

			`This section explains how to use Traefik as reverse proxy for gRPC application.`

Uses ASCII characters to spell Traefik 2018-10-17 14:24:04 +00:00			`### Traefik configuration`
h2c server 2018-05-28 09:46:03 +00:00
Uses ASCII characters to spell Traefik 2018-10-17 14:24:04 +00:00			`At last, we configure our Traefik instance to use both self-signed certificates.`
h2c server 2018-05-28 09:46:03 +00:00
			```toml
			`defaultEntryPoints = ["https"]`

			`[entryPoints]`
			`[entryPoints.http]`
			`address = ":80"`
			`[entryPoints.http]`

			`[api]`

			`[file]`

			`[backends]`
			`[backends.backend1]`
			`[backends.backend1.servers.server1]`
			`# Access on backend with h2c`
			`url = "h2c://backend.local:8080"`


			`[frontends]`
			`[frontends.frontend1]`
			`backend = "backend1"`
			`[frontends.frontend1.routes.test_1]`
			`rule = "Host:frontend.local"`
			```
User guide gRPC 2017-09-16 08:56:02 +00:00
			`!!! warning`
h2c server 2018-05-28 09:46:03 +00:00			For provider with label, you will have to specify the `traefik.protocol=h2c`

			`### Conclusion`

Uses ASCII characters to spell Traefik 2018-10-17 14:24:04 +00:00			We don't need specific configuration to use gRPC in Traefik, we just need to use `h2c` protocol, or use HTTPS communications to have HTTP2 with the backend.
h2c server 2018-05-28 09:46:03 +00:00
			`## With HTTPS`

			`This section explains how to use Traefik as reverse proxy for gRPC application with self-signed certificates.`
User guide gRPC 2017-09-16 08:56:02 +00:00
Documentation: Introduces a check stage to validate HTML and links 2018-07-12 16:26:03 +00:00			`![gRPC architecture](/img/grpc.svg)`
User guide gRPC 2017-09-16 08:56:02 +00:00
h2c server 2018-05-28 09:46:03 +00:00			`### gRPC Server certificate`

			`In order to secure the gRPC server, we generate a self-signed certificate for backend url:`

			```bash
			`openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./backend.key -out ./backend.cert`
			```

			`That will prompt for information, the important answer is:`

			```
			`Common Name (e.g. server FQDN or YOUR name) []: backend.local`
			```

			`### gRPC Client certificate`
User guide gRPC 2017-09-16 08:56:02 +00:00
			`Generate your self-signed certificate for frontend url:`

			```bash
Update gRPC example 2017-10-02 09:34:03 +00:00			`openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./frontend.key -out ./frontend.cert`
User guide gRPC 2017-09-16 08:56:02 +00:00			```

			`with`

			```
			`Common Name (e.g. server FQDN or YOUR name) []: frontend.local`
			```

Uses ASCII characters to spell Traefik 2018-10-17 14:24:04 +00:00			`### Traefik configuration`
User guide gRPC 2017-09-16 08:56:02 +00:00
Uses ASCII characters to spell Traefik 2018-10-17 14:24:04 +00:00			`At last, we configure our Traefik instance to use both self-signed certificates.`
User guide gRPC 2017-09-16 08:56:02 +00:00
			```toml
			`defaultEntryPoints = ["https"]`

h2c server 2018-05-28 09:46:03 +00:00			`# For secure connection on backend.local`
			`rootCAs = [ "./backend.cert" ]`

User guide gRPC 2017-09-16 08:56:02 +00:00			`[entryPoints]`
			`[entryPoints.https]`
			`address = ":4443"`
			`[entryPoints.https.tls]`
			`# For secure connection on frontend.local`
			`[[entryPoints.https.tls.certificates]]`
			`certFile = "./frontend.cert"`
			`keyFile = "./frontend.key"`


Fix redirect problem on dashboard + docs/tests on [web] 2018-01-11 08:46:03 +00:00			`[api]`
User guide gRPC 2017-09-16 08:56:02 +00:00
			`[file]`

			`[backends]`
			`[backends.backend1]`
			`[backends.backend1.servers.server1]`
h2c server 2018-05-28 09:46:03 +00:00			`# Access on backend with HTTPS`
			`url = "https://backend.local:8080"`
User guide gRPC 2017-09-16 08:56:02 +00:00

			`[frontends]`
			`[frontends.frontend1]`
			`backend = "backend1"`
			`[frontends.frontend1.routes.test_1]`
			`rule = "Host:frontend.local"`
			```

Move http2 configure transport 2017-10-10 10:14:03 +00:00			`!!! warning`
h2c server 2018-05-28 09:46:03 +00:00			With some backends, the server URLs use the IP, so you may need to configure `insecureSkipVerify` instead of the `rootCAS` to activate HTTPS without hostname verification.
Move http2 configure transport 2017-10-10 10:14:03 +00:00
h2c server 2018-05-28 09:46:03 +00:00			`### A gRPC example in go (modify for https)`
User guide gRPC 2017-09-16 08:56:02 +00:00
h2c server 2018-05-28 09:46:03 +00:00			`We use the gRPC greeter example in [grpc-go](https://github.com/grpc/grpc-go/tree/master/examples/helloworld)`
User guide gRPC 2017-09-16 08:56:02 +00:00
h2c server 2018-05-28 09:46:03 +00:00			`!!! warning`
			`In order to use this gRPC example, we need to modify it to use HTTPS`
User guide gRPC 2017-09-16 08:56:02 +00:00
h2c server 2018-05-28 09:46:03 +00:00			`So we modify the "gRPC server example" to use our own self-signed certificate:`
User guide gRPC 2017-09-16 08:56:02 +00:00
			```go
			`// ...`
h2c server 2018-05-28 09:46:03 +00:00
			`// Read cert and key file`
			`BackendCert, _ := ioutil.ReadFile("./backend.cert")`
			`BackendKey, _ := ioutil.ReadFile("./backend.key")`

			`// Generate Certificate struct`
			`cert, err := tls.X509KeyPair(BackendCert, BackendKey)`
User guide gRPC 2017-09-16 08:56:02 +00:00			`if err != nil {`
h2c server 2018-05-28 09:46:03 +00:00			`log.Fatalf("failed to parse certificate: %v", err)`
User guide gRPC 2017-09-16 08:56:02 +00:00			`}`
h2c server 2018-05-28 09:46:03 +00:00
			`// Create credentials`
			`creds := credentials.NewServerTLSFromCert(&cert)`

			`// Use Credentials in gRPC server options`
			`serverOption := grpc.Creds(creds)`
			`var s *grpc.Server = grpc.NewServer(serverOption)`
User guide gRPC 2017-09-16 08:56:02 +00:00			`defer s.Stop()`

Update gRPC example 2017-10-02 09:34:03 +00:00			`pb.RegisterGreeterServer(s, &server{})`
User guide gRPC 2017-09-16 08:56:02 +00:00			`err := s.Serve(lis)`

			`// ...`
			```

Uses ASCII characters to spell Traefik 2018-10-17 14:24:04 +00:00			`Next we will modify gRPC Client to use our Traefik self-signed certificate:`
User guide gRPC 2017-09-16 08:56:02 +00:00
			```go
			`// ...`

			`// Read cert file`
Update gRPC example 2017-10-02 09:34:03 +00:00			`FrontendCert, _ := ioutil.ReadFile("./frontend.cert")`
User guide gRPC 2017-09-16 08:56:02 +00:00
			`// Create CertPool`
			`roots := x509.NewCertPool()`
			`roots.AppendCertsFromPEM(FrontendCert)`

			`// Create credentials`
			`credsClient := credentials.NewClientTLSFromCert(roots, "")`

			`// Dial with specific Transport (with credentials)`
Update gRPC example 2017-10-02 09:34:03 +00:00			`conn, err := grpc.Dial("frontend.local:4443", grpc.WithTransportCredentials(credsClient))`
User guide gRPC 2017-09-16 08:56:02 +00:00			`if err != nil {`
Update gRPC example 2017-10-02 09:34:03 +00:00			`log.Fatalf("did not connect: %v", err)`
User guide gRPC 2017-09-16 08:56:02 +00:00			`}`

			`defer conn.Close()`
Update gRPC example 2017-10-02 09:34:03 +00:00			`client := pb.NewGreeterClient(conn)`
User guide gRPC 2017-09-16 08:56:02 +00:00
			`name := "World"`
Update gRPC example 2017-10-02 09:34:03 +00:00			`r, err := client.SayHello(context.Background(), &pb.HelloRequest{Name: name})`
User guide gRPC 2017-09-16 08:56:02 +00:00
			`// ...`
			```