GRPC Proxy
fabio can run a transparent GRPC proxy which dynamically forwards an incoming
RPC on a given port to services which advertise rpc service or method. To use GRPC
proxy support the service needs to advertise urlprefix-/my.service/Method proto=grpc
in
Consul. In addition, fabio needs to be configured with a grpc listener:
fabio -proxy.addr ':1234;proto=grpc'
As per the HTTP/2 spec, the host header is not required, so host matching is not supported for GRPC proxying.
GRPC proxy support can be combined with Certificate Stores to provide TLS termination on fabio. Configure proxy.addr
with proto=grpcs
.
fabio -proxy.cs 'cs=ssl;type=path;path=/etc/ssl' -proxy.addr ':1234;proto=grpcs;cs=ssl'
To support TLS upstream servers add the proto=grpcs
option to the
urlprefix-
tag. The current implementation uses the clientca specified in the Certificate Store for the listener. To disable certificate
validation for a target set the tlsskipverify=true
option.
urlprefix-/foo proto=grpcs
urlprefix-/foo proto=grpcs tlsskipverify=true
For TLS upstream servers (when using the consul registry) fabio will direct your traffic to an advertised service IP. If your service certificate does not contain an IP SAN, the certificate verification will fail. You can set the override the server name in the tls config by setting grpcservername=<servername>
in the urlprefix-
tag.
urlprefix-/ proto=grpcs grpcservername=my.service.hostname