Add nginx config for load balancing gRPC requests

HOU-SZ · Jul 12, 2022 · 09ce2e6 · 09ce2e6
1 parent 58df9fa
commit 09ce2e6
Show file tree

Hide file tree

Showing 4 changed files with 89 additions and 15 deletions.
diff --git a/Makefile b/Makefile
@@ -10,9 +10,24 @@ run:
 server:
 	go run cmd/server/main.go -port 8081
 
+server1:
+	go run cmd/server/main.go -port 50051
+
+server2:
+	go run cmd/server/main.go -port 50052
+
+server1-tls:
+	go run cmd/server/main.go -port 50051 -tls
+
+server2-tls:
+	go run cmd/server/main.go -port 50052 -tls
+
 client:
 	go run cmd/client/main.go -address 0.0.0.0:8081
 
+client-tls:
+	go run cmd/client/main.go -address 0.0.0.0:8080 -tls
+
 test:
 	go test -cover -race ./...
 

diff --git a/cmd/client/main.go b/cmd/client/main.go
@@ -118,15 +118,21 @@ func loadTLSCredentials() (credentials.TransportCredentials, error) {
 
 func main() {
 	serverAddress := flag.String("address", "", "the server address")
+	enableTLS := flag.Bool("tls", false, "enable SSL/TLS")
 	flag.Parse()
-	log.Printf("dial server %s", *serverAddress)
+	log.Printf("dial server %s, TLS = %t", *serverAddress, *enableTLS)
 
-	tlsCredentials, err := loadTLSCredentials()
-	if err != nil {
-		log.Fatal("cannot load TLS credentials: ", err)
+	transportOption := grpc.WithInsecure()
+
+	if *enableTLS {
+		tlsCredentials, err := loadTLSCredentials()
+		if err != nil {
+			log.Fatal("cannot load TLS credentials: ", err)
+		}
+		transportOption = grpc.WithTransportCredentials(tlsCredentials)
 	}
 
-	cc1, err := grpc.Dial(*serverAddress, grpc.WithTransportCredentials(tlsCredentials))
+	cc1, err := grpc.Dial(*serverAddress, transportOption)
 	if err != nil {
 		log.Fatal("cannot dial server: ", err)
 	}
@@ -139,7 +145,7 @@ func main() {
 
 	cc2, err := grpc.Dial(
 		*serverAddress,
-		grpc.WithTransportCredentials(tlsCredentials),
+		transportOption,
 		grpc.WithUnaryInterceptor(interceptor.Unary()),
 		grpc.WithStreamInterceptor(interceptor.Stream()),
 	)

diff --git a/cmd/server/main.go b/cmd/server/main.go
@@ -78,8 +78,9 @@ func loadTLSCredentials() (credentials.TransportCredentials, error) {
 
 func main() {
 	port := flag.Int("port", 0, "the server port")
+	enableTLS := flag.Bool("tls", false, "enable SSL/TLS")
 	flag.Parse()
-	log.Printf("start server on port %d", *port)
+	log.Printf("start server on port %d, TLS = %t", *port, *enableTLS)
 
 	userStore := service.NewInMemoryUserStore()
 	err := seedUsers(userStore)
@@ -95,17 +96,21 @@ func main() {
 	ratingStore := service.NewInMemoryRatingStore()
 	laptopServer := service.NewLaptopServer(laptopStore, imageStore, ratingStore)
 
-	tlsCredentials, err := loadTLSCredentials()
-	if err != nil {
-		log.Fatal("cannot load TLS credentials: ", err)
-	}
-
 	interceptor := service.NewAuthInterceptor(jwtManager, accessibleRoles())
-	grpcServer := grpc.NewServer(
-		grpc.Creds(tlsCredentials),
+	serverOptions := []grpc.ServerOption{
 		grpc.UnaryInterceptor(interceptor.Unary()),
 		grpc.StreamInterceptor(interceptor.Stream()),
-	)
+	}
+
+	if *enableTLS {
+		tlsCredentials, err := loadTLSCredentials()
+		if err != nil {
+			log.Fatal("cannot load TLS credentials: ", err)
+		}
+		serverOptions = append(serverOptions, grpc.Creds(tlsCredentials))
+	}
+
+	grpcServer := grpc.NewServer(serverOptions...)
 
 	pb.RegisterLaptopServiceServer(grpcServer, laptopServer)
 	pb.RegisterAuthServiceServer(grpcServer, authServer)

diff --git a/nginx.conf b/nginx.conf
@@ -0,0 +1,48 @@
+worker_processes  1;
+
+error_log  /usr/local/var/log/nginx/error.log;
+
+events {
+    worker_connections  10;
+}
+
+http {
+    access_log  /usr/local/var/log/nginx/access.log;
+
+    upstream auth_services {
+        server 0.0.0.0:50051;
+        server 0.0.0.0:50052;
+    }
+
+    upstream laptop_services {
+        server 0.0.0.0:50051;
+        server 0.0.0.0:50052;
+    }
+
+    server {
+        listen       8080 ssl http2;
+
+        # Mutual TLS between gRPC client and nginx
+        ssl_certificate cert/server-cert.pem;
+        ssl_certificate_key cert/server-key.pem;
+
+        ssl_client_certificate cert/ca-cert.pem;
+        ssl_verify_client on;
+
+        location /techschool.pcbook.AuthService {
+            grpc_pass grpcs://auth_services;
+
+            # Mutual TLS between nginx and gRPC server
+            grpc_ssl_certificate cert/server-cert.pem;
+            grpc_ssl_certificate_key cert/server-key.pem;
+        }
+
+        location /techschool.pcbook.LaptopService {
+            grpc_pass grpcs://laptop_services;
+
+            # Mutual TLS between nginx and gRPC server
+            grpc_ssl_certificate cert/server-cert.pem;
+            grpc_ssl_certificate_key cert/server-key.pem;
+        }
+    }
+}