NewClient functions behaviour is incompatible with secure forward-proxies #7556
Comments
If you need a short-term workaround to keep things working as they were before, you should be able to use the passthrough resolver: `client, err := grpc.NewClient("passthrough:///<hostname>:<port>", ...)` That probably should not be required, though.
@dfawley I get that this would work in most of the cases.
Are you saying the workaround of using
No, I didn't mean passthrough won't work. But I think NewClient api should have greater flexibility to be able to configure dns versus passthrough. Since we use opentelemetry, the real grpc-go integration is way down the stack and it's hard to configure the url this way as the same url gets used at multiple places.
Thanks for confirming. Yes, this should be treated as a bug and the workaround was not suggested to avoid fixing it.
For reference, this gRFC comes into play here: https://github.com/grpc/proposal/blob/master/A1-http-connect-proxy-support.md But note that Java did not implement this gRFC, and we may or may not want to do things this way.
Java added support for "Use Case 1". But it did not use the gRFC's design. grpc/grpc-java#10022 tracks implementing Use Case 2 in Java.
With NewClient API usage, we are facing issues at a few customers who have intermediate proxies between collector and platform. With NewClient API instead of DialContext, DNS resolution happens on the client side while it should happen on proxy. Also, with SGProxy client does not get the correct certificate. can be changed once grpc fixes grpc/grpc-go#7556 and otel collector picks the fix
With NewClient API usage, we are facing issues at a few customers who have intermediate proxies between collector and platform. With NewClient API instead of DialContext, DNS resolution happens on the client side while it should happen on proxy. Also, with SGProxy client does not get the correct certificate. Passthrough scheme was the prior default and prevents resolution to happen beforehand. This change can be removed once grpc fixes grpc/grpc-go#7556 and otel collector picks the fix
With NewClient API usage, we are facing issues at a few customers who have intermediate proxies between collector and platform. With NewClient API instead of Dial, DNS resolution happens on the client side while it should happen on proxy. Also, with SGProxy client does not get the correct certificate. This can be changed once grpc fixes grpc/grpc-go#7556 and otel collector picks the fix
Keeping this issue open to track the fix.
What version of gRPC are you using?
1.64.0 and v1.67.0-dev
What version of Go are you using (`go version`)?
1.22
What operating system (Linux, Windows, …) and version?
Linux
What did you do?
If possible, provide a recipe for reproducing the error.
What did you expect to see?
The target should be the hostname when it's sent to the proxy, and DNS resolution for the target should happen on the proxy.
What did you see instead?
DNS is resolved on the client and only the IP is sent.
Attaching tcpdump screenshot with difference
tcpdump for curl
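
The expected and observed CONNECT targets described in this issue, modelled as an added example that is not part of the original thread and does not call grpc-go. `connectRequest`, `proxyView`, `fakeDNS`, the hostname and the IP are constructed for illustration; the proxy-side check flags CONNECT requests whose authority is an IP literal, which is what the proxy receives once the client has resolved the name itself.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"net"
	"net/http"
)

// fakeDNS is a constructed, offline stand-in for the client's resolver.
var fakeDNS = map[string]string{"collector.example.internal": "203.0.113.10"}

// connectRequest models the client: with clientResolves (dns-style) the name
// is swapped for its IP before CONNECT; otherwise it is sent unchanged.
func connectRequest(target string, clientResolves bool) []byte {
	host, port, err := net.SplitHostPort(target)
	if err != nil {
		return nil
	}
	if ip, ok := fakeDNS[host]; ok && clientResolves {
		host = ip
	}
	a := net.JoinHostPort(host, port)
	return []byte(fmt.Sprintf("CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n", a, a))
}

// proxyView models the proxy: it parses the CONNECT request and reports the
// authority it received and whether that authority is an IP literal.
func proxyView(raw []byte) (authority string, ipLiteral bool, err error) {
	req, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(raw)))
	if err != nil {
		return "", false, err
	}
	if req.Method != http.MethodConnect {
		return "", false, fmt.Errorf("not a CONNECT request: %s", req.Method)
	}
	host, _, err := net.SplitHostPort(req.RequestURI)
	if err != nil {
		return "", false, err
	}
	return req.RequestURI, net.ParseIP(host) != nil, nil
}

func main() {
	for _, r := range []bool{true, false} {
		fmt.Println(proxyView(connectRequest("collector.example.internal:4317", r)))
	}
}
```

Run over proxy access logs, the same IP-literal check shows which clients are still resolving names locally instead of leaving resolution to the proxy.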