grpc-web

grpcwebproxy: Add flag to disable debug

Open innovate-invent opened this issue 3 years ago • 6 comments

Currently if I want to use http and not https (https is done upstream) I am forced to expose the debug endpoints to the user. I need to be able to disable this feature.

innovate-invent • Jul 18 '20 06:07

That sounds like a reasonable idea, what can I do to help you contribute this?

johanbrandhorst • Jul 18 '20 08:07

It might actually be better to just split the debug service from the http service, providing different ports for each. If the ports are specified the same then the services are merged. The same could be done for https. What do you think?

You could also go a step further and remove the --run_tls_server, --run_http_server and future --run_debug_server parameters, simply checking whether any of --server_http_debug_port, --server_http_tls_port or --server_http_port == 0 to disable the service.

It would also be good to fit standards and assign port 80, 443, and 8080 for each of the respective services by default.

You should also look into merging all of the pending PRs if you want to encourage contributions. Having a list of old PRs looks like the project is dead or not accepting contributions.

innovate-invent • Jul 19 '20 03:07
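
The port-based scheme proposed in the comment above, as an added example that is not grpcwebproxy code and not written by any participant in the thread: port 0 disables a service, equal ports merge the services onto one listener, and different ports keep the debug endpoints off the user-facing one. `BuildPlan`, `Served`, `stub` and the port numbers are hypothetical; only the three endpoint paths come from the thread.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Plan maps a listen port to the mux that would be served on it (hypothetical type).
type Plan map[int]*http.ServeMux

// Debug endpoints named in the thread.
var debugPaths = []string{"/metrics", "/debug/requests", "/debug/events"}

// BuildPlan: port 0 disables a service; equal ports share one mux (merged);
// different ports get separate muxes, so debug paths never reach the app port.
func BuildPlan(httpPort, debugPort int, app, debug http.Handler) Plan {
	plan := Plan{}
	muxFor := func(port int) *http.ServeMux {
		if plan[port] == nil {
			plan[port] = http.NewServeMux()
		}
		return plan[port]
	}
	if debugPort != 0 {
		for _, p := range debugPaths {
			muxFor(debugPort).Handle(p, debug)
		}
	}
	if httpPort != 0 {
		muxFor(httpPort).Handle("/", app)
	}
	return plan
}

// Served reports which handler answers path on port ("" if nothing listens there).
func Served(plan Plan, port int, path string) string {
	mux, ok := plan[port]
	if !ok {
		return ""
	}
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, httptest.NewRequest("GET", path, nil))
	return rec.Body.String()
}

// stub is a constructed stand-in handler that writes its own name.
func stub(name string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, name) })
}

func main() {
	plan := BuildPlan(8080, 0, stub("app"), stub("debug")) // debug service disabled
	fmt.Printf("listeners=%d, /metrics on 8080 -> %q\n", len(plan), Served(plan, 8080, "/metrics"))
}
```
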

I don't think we want to remove any existing flags since it would break users, but I'd be happy to move the debug server to be controlled by a new flag and stop serving it automatically with the http server.

Most of the pending PRs are dependabot PRs, and unfortunately I don't know if any of the maintainers have the time to review them. @jonny-improbable and @MarcusLongmuir are trying to keep up with the JS/TS side of things the best they can but they're always very busy. We're happy to accept contributions.

johanbrandhorst • Jul 19 '20 12:07

We're in the same situation, and it is not fully clear what the difference is between the normal (non-existent) http port and the "debug" http port. Is this just about those two additional endpoints?

  • Prometheus monitoring of proxied requests (/metrics on debug endpoint)
  • Request (/debug/requests) and connection tracing endpoints (/debug/events)

Is there another (e.g. performance) impact?

smnbbrv • Feb 03 '21 22:02

Had a brief look through the code and I'm not sure why it's called debug TBH, it's the main gRPC-Web entrypoint, it doesn't look to me like it should be called debug. You certainly don't want to turn it off.

johanbrandhorst • Feb 04 '21 11:02

Well, if there is a way to disable those two endpoints

  • Prometheus monitoring of proxied requests (/metrics on debug endpoint)
  • Request (/debug/requests) and connection tracing endpoints (/debug/events)

then it is not a debug anymore I guess... Would be nice to have this option at least and maybe not name it debug port anymore in the docs... This is really disturbing to use a port with such a name in production :D

P.S. I assume this issue is more like a documentation / taking a decision rather than something to implement... Would be nice if this gets resolved :) I really like this idea to have no envoy as a separate docker container

smnbbrv • Feb 04 '21 14:02