nginx-gists · November 10, 2022 23:54 · Oct 12, 2021 · Jan 21, 2021 · Jan 21, 2021 · Jan 21, 2021
diff --git a/grpc_gateway.conf b/grpc_gateway.conf
@@ -1,11 +1,11 @@
-log_format grpc_json escape=json '{"timestamp":"$time_iso8601","client":"$remote_addr",'
-                                  '"uri":"$uri","http-status":$status,'
-                                  '"grpc-status":$grpc_status,"upstream":"$upstream_addr"'
-                                  '"rx-bytes":$request_length,"tx-bytes":$bytes_sent}';
+log_format grpc_json escape=json '{"timestamp":"$time_iso8601",'
+           '"client":"$remote_addr","uri":"$uri","http-status":$status,'
+           '"grpc-status":$grpc_status,"upstream":"$upstream_addr"'
+           '"rx-bytes":$request_length,"tx-bytes":$bytes_sent}';
 
 map $upstream_trailer_grpc_status $grpc_status {
-    default $upstream_trailer_grpc_status; # We normally expect to receive grpc-status as a trailer
-    ''      $sent_http_grpc_status;        # Else use the header, regardless of who generated it
+    default $upstream_trailer_grpc_status; # grpc-status is usually a trailer
+    ''      $sent_http_grpc_status; # Else use the header, whatever its source
 }
 
 server {

diff --git a/grpc_health_check.conf b/grpc_health_check.conf
@@ -1,11 +1,11 @@
-log_format grpc_json escape=json '{"timestamp":"$time_iso8601","client":"$remote_addr",'
-                                  '"uri":"$uri","http-status":$status,'
-                                  '"grpc-status":$grpc_status,"upstream":"$upstream_addr"'
-                                  '"rx-bytes":$request_length,"tx-bytes":$bytes_sent}';
+log_format grpc_json escape=json '{"timestamp":"$time_iso8601",'
+           '"client":"$remote_addr","uri":"$uri","http-status":$status,'
+           '"grpc-status":$grpc_status,"upstream":"$upstream_addr"'
+           '"rx-bytes":$request_length,"tx-bytes":$bytes_sent}';
 
 map $upstream_trailer_grpc_status $grpc_status {
-    default $upstream_trailer_grpc_status; # We normally expect to receive grpc-status as a trailer
-    ''      $sent_http_grpc_status;        # Else use the header, regardless of who generated it
+    default $upstream_trailer_grpc_status; # grpc-status is usually a trailer
+    ''      $sent_http_grpc_status; # Else use the header, whatever its source
 }
 
 server {

diff --git a/grpc_health_checkNEW.conf b/grpc_health_checkNEW.conf
@@ -1,40 +0,0 @@
-log_format grpc_json escape=json '{"timestamp":"$time_iso8601","client":"$remote_addr",'
-                                  '"uri":"$uri","http-status":$status,'
-                                  '"grpc-status":$grpc_status,"upstream":"$upstream_addr"'
-                                  '"rx-bytes":$request_length,"tx-bytes":$bytes_sent}';
-
-map $upstream_trailer_grpc_status $grpc_status {
-    default $upstream_trailer_grpc_status; # We normally expect to receive grpc-status as a trailer
-    ''      $sent_http_grpc_status;        # Else use the header, regardless of who generated it
-}
-
-server {
-    listen 50051 http2; # Plaintext
-
-    # Routing
-    location /routeguide. {
-        grpc_pass grpc://routeguide_service;
-        health_check type=grpc grpc_status=12; # 12=unimplemented
-    }
-    location /helloworld. {
-        grpc_pass grpc://helloworld_service;
-        health_check type=grpc grpc_status=12; # 12=unimplemented
-    }
-}
-
-# Backend gRPC servers
-#
-upstream routeguide_service {
-    zone routeguide_service 64k;
-    server 127.0.0.1:10001;
-    server 127.0.0.1:10002;
-    server 127.0.0.1:10003;
-}
-
-upstream helloworld_service {
-    zone helloworld_service 64k;
-    server 127.0.0.1:20001;
-    server 127.0.0.1:20002;
-}
-
-# vim: syntax=nginx

diff --git a/grpc_health_check.conf b/grpc_health_check.conf
@@ -1,26 +1,35 @@
+log_format grpc_json escape=json '{"timestamp":"$time_iso8601","client":"$remote_addr",'
+                                  '"uri":"$uri","http-status":$status,'
+                                  '"grpc-status":$grpc_status,"upstream":"$upstream_addr"'
+                                  '"rx-bytes":$request_length,"tx-bytes":$bytes_sent}';
+
+map $upstream_trailer_grpc_status $grpc_status {
+    default $upstream_trailer_grpc_status; # We normally expect to receive grpc-status as a trailer
+    ''      $sent_http_grpc_status;        # Else use the header, regardless of who generated it
+}
+
 server {
     listen 50051 http2; # Plaintext
 
     # Routing
-    location /helloworld. {
-        grpc_pass grpc://helloworld_service;
+    location /routeguide. {
+        grpc_pass grpc://routeguide_service;
+        health_check type=grpc grpc_status=12; # 12=unimplemented
     }
-
-    # Health-check the helloworld containers
-    location @helloworld_health {
-        health_check mandatory uri=/nginx.health/check match=grpc_unknown;
-        grpc_set_header Content-Type application/grpc;
-        grpc_set_header TE trailers;
+    location /helloworld. {
         grpc_pass grpc://helloworld_service;
+        health_check type=grpc grpc_status=12; # 12=unimplemented
     }
 }
 
-# Specify the expected response to the health check (this 
-# assumes that the gRPC service responds to GET requests)
-match grpc_unknown {
-    header Content-Type = application/grpc;
-    header grpc-status = 12; # unimplemented / unknown method
-} 
+# Backend gRPC servers
+#
+upstream routeguide_service {
+    zone routeguide_service 64k;
+    server 127.0.0.1:10001;
+    server 127.0.0.1:10002;
+    server 127.0.0.1:10003;
+}
 
 upstream helloworld_service {
     zone helloworld_service 64k;

diff --git a/grpc_gateway.conf b/grpc_gateway.conf
@@ -4,10 +4,8 @@ log_format grpc_json escape=json '{"timestamp":"$time_iso8601","client":"$remote
                                   '"rx-bytes":$request_length,"tx-bytes":$bytes_sent}';
 
 map $upstream_trailer_grpc_status $grpc_status {
-    default $upstream_trailer_grpc_status; # We normally expect to receive 
-                                           # grpc-status as a trailer
-    ''      $sent_http_grpc_status;        # Else use the header, regardless of 
-                                           # who generated it
+    default $upstream_trailer_grpc_status; # We normally expect to receive grpc-status as a trailer
+    ''      $sent_http_grpc_status;        # Else use the header, regardless of who generated it
 }
 
 server {

diff --git a/grpc_health_checkNEW.conf b/grpc_health_checkNEW.conf
@@ -0,0 +1,40 @@
+log_format grpc_json escape=json '{"timestamp":"$time_iso8601","client":"$remote_addr",'
+                                  '"uri":"$uri","http-status":$status,'
+                                  '"grpc-status":$grpc_status,"upstream":"$upstream_addr"'
+                                  '"rx-bytes":$request_length,"tx-bytes":$bytes_sent}';
+
+map $upstream_trailer_grpc_status $grpc_status {
+    default $upstream_trailer_grpc_status; # We normally expect to receive grpc-status as a trailer
+    ''      $sent_http_grpc_status;        # Else use the header, regardless of who generated it
+}
+
+server {
+    listen 50051 http2; # Plaintext
+
+    # Routing
+    location /routeguide. {
+        grpc_pass grpc://routeguide_service;
+        health_check type=grpc grpc_status=12; # 12=unimplemented
+    }
+    location /helloworld. {
+        grpc_pass grpc://helloworld_service;
+        health_check type=grpc grpc_status=12; # 12=unimplemented
+    }
+}
+
+# Backend gRPC servers
+#
+upstream routeguide_service {
+    zone routeguide_service 64k;
+    server 127.0.0.1:10001;
+    server 127.0.0.1:10002;
+    server 127.0.0.1:10003;
+}
+
+upstream helloworld_service {
+    zone helloworld_service 64k;
+    server 127.0.0.1:20001;
+    server 127.0.0.1:20002;
+}
+
+# vim: syntax=nginx
diff --git a/grpc_health_check.conf b/grpc_health_check.conf
@@ -10,7 +10,7 @@ server {
     location @helloworld_health {
         health_check mandatory uri=/nginx.health/check match=grpc_unknown;
         grpc_set_header Content-Type application/grpc;
-        grpc_set_header TE Trailers;
+        grpc_set_header TE trailers;
         grpc_pass grpc://helloworld_service;
     }
 }

diff --git a/grpc_health_check.conf b/grpc_health_check.conf
@@ -15,11 +15,17 @@ server {
     }
 }
 
-# Specify the expected response from the health_check directive 
-# (it assumes that the gRPC service responds to GET requests)
+# Specify the expected response to the health check (this 
+# assumes that the gRPC service responds to GET requests)
 match grpc_unknown {
     header Content-Type = application/grpc;
     header grpc-status = 12; # unimplemented / unknown method
 } 
 
+upstream helloworld_service {
+    zone helloworld_service 64k;
+    server 127.0.0.1:20001;
+    server 127.0.0.1:20002;
+}
+
 # vim: syntax=nginx
diff --git a/grpc_health_check.conf b/grpc_health_check.conf
@@ -15,8 +15,8 @@ server {
     }
 }
 
-# This is the expected response from the health_check directive requires that 
-# the gRPC service responds to GET requests)
+# Specify the expected response from the health_check directive 
+# (it assumes that the gRPC service responds to GET requests)
 match grpc_unknown {
     header Content-Type = application/grpc;
     header grpc-status = 12; # unimplemented / unknown method

diff --git a/grpc_gateway.conf b/grpc_gateway.conf
@@ -11,7 +11,7 @@ map $upstream_trailer_grpc_status $grpc_status {
 }
 
 server {
-    listen 50051 http2; # Comment this line in production to disable plaintext port
+    listen 50051 http2; # In production, comment out to disable plaintext port
     listen 443   http2 ssl;
     server_name  grpc.example.com;
     access_log   /var/log/nginx/grpc_log.json grpc_json;

diff --git a/grpc_gateway.conf b/grpc_gateway.conf
@@ -11,7 +11,7 @@ map $upstream_trailer_grpc_status $grpc_status {
 }
 
 server {
-    listen 50051 http2; # Remove plaintext port for production use
+    listen 50051 http2; # Comment this line in production to disable plaintext port
     listen 443   http2 ssl;
     server_name  grpc.example.com;
     access_log   /var/log/nginx/grpc_log.json grpc_json;

diff --git a/grpc_health_check.conf b/grpc_health_check.conf
@@ -14,7 +14,7 @@ server {
         grpc_pass grpc://helloworld_service;
     }
 }
-12345678901234567890123456789012345678901234567890123456789012345678901234567890
+
 # This is the expected response from the health_check directive requires that 
 # the gRPC service responds to GET requests)
 match grpc_unknown {

diff --git a/grpc_gateway.conf b/grpc_gateway.conf
@@ -4,8 +4,10 @@ log_format grpc_json escape=json '{"timestamp":"$time_iso8601","client":"$remote
                                   '"rx-bytes":$request_length,"tx-bytes":$bytes_sent}';
 
 map $upstream_trailer_grpc_status $grpc_status {
-    default $upstream_trailer_grpc_status; # We normally expect to receive grpc-status as a trailer
-    ''      $sent_http_grpc_status;        # Else use the header, regardless of who generated it
+    default $upstream_trailer_grpc_status; # We normally expect to receive 
+                                           # grpc-status as a trailer
+    ''      $sent_http_grpc_status;        # Else use the header, regardless of 
+                                           # who generated it
 }
 
 server {

diff --git a/grpc_health_check.conf b/grpc_health_check.conf
@@ -14,9 +14,9 @@ server {
         grpc_pass grpc://helloworld_service;
     }
 }
-
-# This is the expected response from the health_check directive
-# (requires that the gRPC service responds to GET requests)
+12345678901234567890123456789012345678901234567890123456789012345678901234567890
+# This is the expected response from the health_check directive requires that 
+# the gRPC service responds to GET requests)
 match grpc_unknown {
     header Content-Type = application/grpc;
     header grpc-status = 12; # unimplemented / unknown method

diff --git a/errors.grpc_conf b/errors.grpc_conf
@@ -0,0 +1,73 @@
+# Standard HTTP-to-gRPC status code mappings
+# Ref: https://github.com/grpc/grpc/blob/master/doc/http-grpc-status-mapping.md
+#
+error_page 400 = @grpc_internal;
+error_page 401 = @grpc_unauthenticated;
+error_page 403 = @grpc_permission_denied;
+error_page 404 = @grpc_unimplemented;
+error_page 429 = @grpc_unavailable;
+error_page 502 = @grpc_unavailable;
+error_page 503 = @grpc_unavailable;
+error_page 504 = @grpc_unavailable;
+
+# NGINX-to-gRPC status code mappings
+# Ref: https://github.com/grpc/grpc/blob/master/doc/statuscodes.md
+#
+error_page 405 = @grpc_internal; # Method not allowed
+error_page 408 = @grpc_deadline_exceeded; # Request timeout
+error_page 413 = @grpc_resource_exhausted; # Payload too large
+error_page 414 = @grpc_resource_exhausted; # Request URI too large
+error_page 415 = @grpc_internal; # Unsupported media type;
+error_page 426 = @grpc_internal; # HTTP request was sent to HTTPS port
+error_page 495 = @grpc_unauthenticated; # Client certificate authentication error
+error_page 496 = @grpc_unauthenticated; # Client certificate not presented
+error_page 497 = @grpc_internal; # HTTP request was sent to mutual TLS port
+error_page 500 = @grpc_internal; # Server error
+error_page 501 = @grpc_internal; # Not implemented
+
+# gRPC error responses
+# Ref: https://github.com/grpc/grpc-go/blob/master/codes/codes.go
+#
+location @grpc_deadline_exceeded {
+    add_header grpc-status 4;
+    add_header grpc-message 'deadline exceeded';
+    return 204;
+}
+
+location @grpc_permission_denied {
+    add_header grpc-status 7;
+    add_header grpc-message 'permission denied';
+    return 204;
+}
+
+location @grpc_resource_exhausted {
+    add_header grpc-status 8;
+    add_header grpc-message 'resource exhausted';
+    return 204;
+}
+
+location @grpc_unimplemented {
+    add_header grpc-status 12;
+    add_header grpc-message unimplemented;
+    return 204;
+}
+
+location @grpc_internal {
+    add_header grpc-status 13;
+    add_header grpc-message 'internal error';
+    return 204;
+}
+
+location @grpc_unavailable {
+    add_header grpc-status 14;
+    add_header grpc-message unavailable;
+    return 204;
+}
+
+location @grpc_unauthenticated {
+    add_header grpc-status 16;
+    add_header grpc-message unauthenticated;
+    return 204;
+}
+
+# vim: syntax=nginx
diff --git a/grpc_auth_jwt.conf b/grpc_auth_jwt.conf
@@ -0,0 +1,7 @@
+location /routeguide. {
+    auth_jwt realm=routeguide token=$http_auth_token;
+    auth_jwt_key_file my_idp.jwk;
+    grpc_pass grpc://routeguide_service;
+}
+
+# vim: syntax=nginx
diff --git a/grpc_health_check.conf b/grpc_health_check.conf
@@ -0,0 +1,25 @@
+server {
+    listen 50051 http2; # Plaintext
+
+    # Routing
+    location /helloworld. {
+        grpc_pass grpc://helloworld_service;
+    }
+
+    # Health-check the helloworld containers
+    location @helloworld_health {
+        health_check mandatory uri=/nginx.health/check match=grpc_unknown;
+        grpc_set_header Content-Type application/grpc;
+        grpc_set_header TE Trailers;
+        grpc_pass grpc://helloworld_service;
+    }
+}
+
+# This is the expected response from the health_check directive
+# (requires that the gRPC service responds to GET requests)
+match grpc_unknown {
+    header Content-Type = application/grpc;
+    header grpc-status = 12; # unimplemented / unknown method
+} 
+
+# vim: syntax=nginx
diff --git a/grpc_precise_routing.conf b/grpc_precise_routing.conf
@@ -0,0 +1,11 @@
+# Service-level routing
+location /routeguide.RouteGuide/ {
+    grpc_pass grpc://routeguide_service_default;
+}
+
+# Method-level routing
+location = /routeguide.RouteGuide/RouteChat {
+    grpc_pass grpc://routeguide_service_streaming;
+}
+
+# vim: syntax=nginx
diff --git a/helloworld.Dockerfile b/helloworld.Dockerfile
@@ -0,0 +1,9 @@
+# This Dockerfile runs the helloworld server from
+# https://grpc.io/docs/quickstart/go.html
+
+FROM golang
+RUN go get -u google.golang.org/grpc
+WORKDIR $GOPATH/src/google.golang.org/grpc/examples/helloworld
+
+EXPOSE 50051
+CMD ["go", "run", "greeter_server/main.go"]
diff --git a/routeguide.Dockerfile b/routeguide.Dockerfile
@@ -0,0 +1,10 @@
+# This Dockerfile runs the RouteGuide server from
+# https://grpc.io/docs/tutorials/basic/python.html
+
+FROM python
+RUN pip install grpcio-tools 
+RUN git clone -b v1.14.x https://github.com/grpc/grpc
+WORKDIR grpc/examples/python/route_guide
+
+EXPOSE 50051
+CMD ["python", "route_guide_server.py"]
diff --git a/grpc_gateway.conf b/grpc_gateway.conf
@@ -5,7 +5,7 @@ log_format grpc_json escape=json '{"timestamp":"$time_iso8601","client":"$remote
 
 map $upstream_trailer_grpc_status $grpc_status {
     default $upstream_trailer_grpc_status; # We normally expect to receive grpc-status as a trailer
-    ''      $sent_http_grpc_status;        # Else send the header, regardless of who generated it
+    ''      $sent_http_grpc_status;        # Else use the header, regardless of who generated it
 }
 
 server {
@@ -21,5 +21,33 @@ server {
     ssl_session_timeout  5m;
     ssl_ciphers          HIGH:!aNULL:!MD5;
     ssl_protocols        TLSv1.2 TLSv1.3;
-
+
+    # Routing
+    location /routeguide. {
+        grpc_pass grpc://routeguide_service;
+    }
+    location /helloworld. {
+        grpc_pass grpc://helloworld_service;
+    }
+
+    # Error responses
+    include conf.d/errors.grpc_conf; # gRPC-compliant error responses
+    default_type application/grpc;   # Ensure gRPC for all error responses
+}
+
+# Backend gRPC servers
+#
+upstream routeguide_service {
+    zone routeguide_service 64k;
+    server 127.0.0.1:10001;
+    server 127.0.0.1:10002;
+    server 127.0.0.1:10003;
+}
+
+upstream helloworld_service {
+    zone helloworld_service 64k;
+    server 127.0.0.1:20001;
+    server 127.0.0.1:20002;
+}
+
 # vim: syntax=nginx
diff --git a/grpc_gateway.conf b/grpc_gateway.conf
@@ -0,0 +1,25 @@
+log_format grpc_json escape=json '{"timestamp":"$time_iso8601","client":"$remote_addr",'
+                                  '"uri":"$uri","http-status":$status,'
+                                  '"grpc-status":$grpc_status,"upstream":"$upstream_addr"'
+                                  '"rx-bytes":$request_length,"tx-bytes":$bytes_sent}';
+
+map $upstream_trailer_grpc_status $grpc_status {
+    default $upstream_trailer_grpc_status; # We normally expect to receive grpc-status as a trailer
+    ''      $sent_http_grpc_status;        # Else send the header, regardless of who generated it
+}
+
+server {
+    listen 50051 http2; # Remove plaintext port for production use
+    listen 443   http2 ssl;
+    server_name  grpc.example.com;
+    access_log   /var/log/nginx/grpc_log.json grpc_json;
+
+    # TLS config
+    ssl_certificate      /etc/ssl/certs/grpc.example.com.crt;
+    ssl_certificate_key  /etc/ssl/private/grpc.example.com.key;
+    ssl_session_cache    shared:SSL:10m;
+    ssl_session_timeout  5m;
+    ssl_ciphers          HIGH:!aNULL:!MD5;
+    ssl_protocols        TLSv1.2 TLSv1.3;
+
+# vim: syntax=nginx