What are the advantages/disadvantages? (gRPC vs TCP/IP vs HTTPS)

I have been wondering for a while, what are the advantages/disadvantages between the various ways of connecting to a vault?

Do any of the connection methods come with any feature differences (security, functionality, etc.) or perhaps even major speed/latency improvements?

I have not had the option to test gRPC yet as I am yet to understand how to set it up to pass through our pfSense firewall with haProxy :D

So let us find out, which way should clients really be connecting to the server!

  • Could you share the config used?

    I've tried this on a local computer inside the network with a self-signed certificate as a POC, but it's not working:

        upstream APP01 {
             server app01.domain.local:7766;
        }

        server {
            listen       8443 ssl http2;
            server_name  workstation.domain.local;

            ssl_certificate      workstation.crt;
            ssl_certificate_key  workstation.key;

            # ssl_session_cache    shared:SSL:1m;
            # ssl_session_timeout  5m;

            # ssl_ciphers  HIGH:!aNULL:!MD5;
            # ssl_prefer_server_ciphers  on;

            location / {
                grpc_pass grpcs://APP01;
            }
        }

    Thanks!!

    Note: a direct connection to app01.domain.local port 7766 protocol gRPC is working from M-Files Desktop.

    But if I change to workstation.domain.local port 8443 protocol gRPC, it fails.

  • Just in case someone would need it too, reverse proxy configuration for nginx should be:

        http {
            upstream APP01 {
                server app01.domain.local:7766;
                server app02.domain.local:7766;
            }

            upstream APP03 {
                server app03.domain.local:7766;
            }

            server {
                listen       8443 ssl;
                http2 on;
                server_name  workstation.domain.local;

                ssl_certificate      workstation.crt;
                ssl_certificate_key  workstation.key;

                # ssl_session_cache    shared:SSL:1m;
                # ssl_session_timeout  5m;

                # ssl_ciphers  HIGH:!aNULL:!MD5;
                # ssl_prefer_server_ciphers  on;

                location / {
                    grpc_pass grpcs://APP01;
                }
            }
        }

    In case of a self-signed certificate for workstation, you need to import it into the trusted root of the client.
    In case of a certificate trusted by an internet authority, you need to pack the intermediate certificate in the .crt.

    The ssl directive defines the connection from client to proxy (remove ssl for an unencrypted connection).

    The grpcs:// protocol defines the connection between nginx and the M-Files server (in that case a certificate should be used on the M-Files server). If you don't want or need encryption between nginx and the M-Files server, use grpc://.

    Note: the M-Files client and nginx don't care at all if the M-Files server uses a self-signed certificate, so you don't need to import it anywhere.
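
Added example, not part of the original posts: nginx's `grpc_ssl_verify` defaults to `off`, so on the `grpcs://` leg the proxy encrypts traffic but accepts whatever certificate the upstream presents. The configuration below keeps the thread's hostnames and port and turns verification on for the proxy-to-M-Files leg; the file name `app01-ca.crt`, the `events {}` block and the `ssl_protocols` line are assumptions, not settings from the thread.

```nginx
# Added example; hostnames and port come from the thread, file names are assumed.
events {}   # required for a complete nginx.conf; not shown in the thread

http {
    upstream APP01 {
        server app01.domain.local:7766;
    }

    server {
        listen       8443 ssl;
        http2        on;                      # standalone directive, nginx 1.25.1+
        server_name  workstation.domain.local;

        # Client -> proxy leg. For a CA-issued certificate, workstation.crt
        # holds the leaf certificate followed by the intermediate(s).
        ssl_certificate      workstation.crt;
        ssl_certificate_key  workstation.key;
        ssl_protocols        TLSv1.2 TLSv1.3; # assumption: no legacy clients

        location / {
            grpc_pass grpcs://APP01;

            # Proxy -> M-Files leg. With the default (grpc_ssl_verify off)
            # the upstream certificate is never checked, so anything able to
            # answer on app01.domain.local:7766 is trusted by the proxy.
            grpc_ssl_verify              on;

            # PEM file with the CA that issued the M-Files server certificate,
            # or the certificate itself when it is self-signed (assumed name).
            grpc_ssl_trusted_certificate app01-ca.crt;

            # Without grpc_ssl_name, nginx checks the certificate against the
            # host part of grpc_pass, which here is the upstream name "APP01".
            grpc_ssl_name                app01.domain.local;
            grpc_ssl_server_name         on;  # send that name as SNI
        }
    }
}
```

`nginx -t` checks the syntax and that the referenced certificate files load; with verification on, a name or trust mismatch on the upstream is reported in the nginx error log.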