Aapeli Vuorinen

gRPC-Web through Envoy with nginx

This is a tutorial (and a memo for me) on how to set up gRPC-Web to proxy through nginx into Envoy and from there into a gRPC server. With TLS.

This is on Ubuntu 20.04. Update your package lists to start:

sudo apt-get update

I assume you have a domain pointed to your box, and from now I’ll refer to it as $DOMAIN.

Create basic gRPC service definition

// sample.proto
syntax = "proto3";

package sample;

service SampleRPC {
  rpc Ping(Msg) returns (Msg);

message Msg {
  int64 nonce = 1;

Take note of the package name, sample, and the service name, SampleRPC.

Install gRPC and compile service

Get Python 3 and pip:

sudo apt-get install python3 python3-pip

You can do this in a virtualenv if you wish, and it works:

pip3 install grpcio grpcio-tools
python3 -m grpc.tools.protoc -I. --python_out=. --grpc_python_out=. sample.proto

This will generate sample_pb2.py and sample_pb2_grpc.py.

Create a simple Python gRPC server

Create a server implementation, note the names from the section above.

# server.py
from concurrent import futures

import grpc
import sample_pb2, sample_pb2_grpc

class Servicer(sample_pb2_grpc.SampleRPCServicer):
    def Ping(self, request, context):
        print(f"Received request with nonce={request.nonce}")
        return sample_pb2.Msg(nonce=request.nonce)

server = grpc.server(futures.ThreadPoolExecutor(2))
sample_pb2_grpc.add_SampleRPCServicer_to_server(Servicer(), server)

You can run it with python3 server.py.

Install Docker

Instructions here, or short version:

sudo apt-get install apt-transport-https ca-certificates curl gnupg-agent software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io
# optional, allows running docker without sudo
sudo usermod -aG docker ubuntu

You need to log out and back in for the last command to take effect.

Set up Envoy

Note: this config is using the outdated Envoy v2 config instead of the new v3 config, see the Envoy JSON to gRPC transcoding post post for a newer config sample.

Create an envoy.yaml:

# envoy.yaml
  access_log_path: /tmp/admin_access.log
    socket_address: { address:, port_value: 9901 }

  - name: listener_0
      socket_address: { address:, port_value: 5000 }
    - filters:
      - name: envoy.filters.network.http_connection_manager
          codec_type: auto
          stat_prefix: ingress_http
            name: local_route
            - name: local_service
              domains: ["*"]
              - match: { prefix: "/" }
                  cluster: sample_cluster
                  max_grpc_timeout: 0s
                - prefix: "*"
                allow_methods: GET, PUT, DELETE, POST, OPTIONS
                allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout
                max_age: "1728000"
                expose_headers: grpc-status,grpc-message
          - name: envoy.filters.http.grpc_web
          - name: envoy.filters.http.cors
          - name: envoy.filters.http.router
  - name: sample_cluster
    connect_timeout: 0.25s
    type: logical_dns
    http2_protocol_options: {}
    lb_policy: round_robin
    hosts: [{ socket_address: { address: localhost, port_value: 50051 }}]

Then a Dockerfile:

# Dockerfile
FROM envoyproxy/envoy:v1.14.3

COPY ./envoy.yaml /etc/envoy/envoy.yaml


CMD /usr/local/bin/envoy -c /etc/envoy/envoy.yaml

Build the container:

docker build -t sample/envoy .

Run it:

docker run -d --net=host sample/envoy

This will launch in the background, forwarding ports 5000 (where Envoy is listening for gRPC-Web traffic) and 9901 (Envoy admin page) to your box. When you deploy this, it’s probably good to disable/block port 9901, otherwise anyone can go poke at your proxy settings.

Install nginx and get a TLS cert

Get nginx:

sudo apt-get install nginx

You need a domain name, Let’s Encrypt won’t hand your IP address a cert.

sudo apt-get install certbot python3-certbot-nginx
sudo certbot --nginx --redirect -n -d $DOMAIN --agree-tos -m certs@$DOMAIN

The --redirect flag causes certbot to set up a redirect from HTTP to HTTPS. -n means non-interactive, -m is the email to receive notifications to.

Install Node and Yarn

Instructions here, short version (this will also install Node):

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
sudo apt update
sudo apt install yarn

Install protoc with the JavaScript plugin and protoc-gen-grpc-web

Okay, so apparently the Python stuff doesn’t come with the JavaScript stuff, so here we go:

export GRPC_WEB_VERSION=1.2.0
wget -O protoc-gen-grpc-web https://github.com/grpc/grpc-web/releases/download/$GRPC_WEB_VERSION/protoc-gen-grpc-web-$GRPC_WEB_VERSION-linux-x86_64
chmod +x protoc-gen-grpc-web
export PROTOC_VERSION=3.12.3
wget -O protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v$PROTOC_VERSION/protoc-$PROTOC_VERSION-linux-x86_64.zip
sudo apt-get install unzip
unzip protoc.zip

Then generate the JavaScript code:

./bin/protoc -I. --js_out="import_style=commonjs,binary:." --plugin=protoc-gen-grpc-web=./protoc-gen-grpc-web --grpc-web_out="import_style=commonjs,mode=grpcweb:." sample.proto

Creating a client

I’m not a frontend guy, but here’s Aapeli’s Quick Intro to the JavaScript World™. Set up a basic yarn environment:

yarn add webpack webpack-cli grpc-web google-protobuf

You need webpack as gRPC-Web has no way of generating code without imports.

Now create a basic script:

// index.js
const { Msg } = require("./sample_pb.js")
const { SampleRPCPromiseClient } = require("./sample_grpc_web_pb.js")

const client = new SampleRPCPromiseClient("https://$DOMAIN/rpc")
const req = new Msg()
client.ping(req, null).then(res => {
    document.getElementById("out").innerHTML = "Got response from server, nonce: " + res.getNonce()

Note the $DOMAIN! Then create a page:

<!-- index.html -->
<!DOCTYPE html>
        <meta charset="UTF-8">
        <script src="dist/main.js"></script>
        <div id="out">Pinging server...</div>

Finally compile it:

yarn webpack index.js

Now drop it somewhere where it can be served.

Configure nginx

These edits go in /etc/nginx/sites-enabled/default. Add the following section to your server:

# /etc/nginx/sites-enabled/default, server section
location /rpc/ {
    proxy_http_version 1.1;

Then restart nginx:

sudo systemctl restart nginx

Serving the web stuff from your home folder

To serve your home folder with nginx, modify the root directive in the server section:

# /etc/nginx/sites-enabled/default, server section
root /home/ubuntu;

Note that this is probably not a very bright idea in the long run.

Also responding to vanilla gRPC queries

If you also want to service vanilla gRPC queries, you need to do two things. Add http2 to the listen directives like this:

# /etc/nginx/sites-enabled/default, server section
listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot
listen 443 ssl http2; # managed by Certbot

Then add a section in that same server block:

# /etc/nginx/sites-enabled/default, same server section as above
location /sample. {

Note the sample which is your protobuf package name.

Restart nginx again:

sudo systemctl restart nginx

Testing it out

Make sure the Python server, the Envoy proxy, and nginx are all running.

Now if you visit that site, the page body should change to something like Got response from server, nonce: 42.

Other bits

If you enabled vanilla gRPC queries, then this will connect through nginx where TLS is terminated directly to the Python server, should work from the internet:

# secure_client.py
import grpc
import sample_pb2, sample_pb2_grpc

stub = sample_pb2_grpc.SampleRPCStub(grpc.secure_channel("$DOMAIN:443", credentials=grpc.ssl_channel_credentials()))

response = stub.Ping(sample_pb2.Msg(nonce=5))
print(f"Received response from server with nonce={response.nonce}")

This will connect directly to the Python server and will only succeed from your server box:

# insecure_client.py
import grpc
import sample_pb2, sample_pb2_grpc

stub = sample_pb2_grpc.SampleRPCStub(grpc.insecure_channel(""))

response = stub.Ping(sample_pb2.Msg(nonce=5))
print(f"Received response from server with nonce={response.nonce}")