grpc-web
grpc-web copied to clipboard
grpcwebproxy: Add flag to disable debug
Currently if I want to use http and not https (https is done upstream) I am forced to expose the debug endpoints to the user. I need to be able to disable this feature.
That sounds like a reasonable idea, what can I do to help you contribute this?
It might actually be better to just split the debug service from the http service, providing different ports for each. If the ports are specified the same then the services are merged. The same could be done for https. What do you think?
You could also go a step further and remove the --run_tls_server --run_http_server and future --run_debug_server parameters but simply checking if any of --server_http_debug_port --server_http_tls_port or --server_http_port == 0 to disable the service.
It would also be good to fit standards and assign port 80, 443, and 8080 for each of the respective services by default.
You should also look into merging all of the pending PRs if you want to encourage contributions. Having a list of old PRs looks like the project is dead or not accepting contributions.
I don't think we want to remove any existing flags since it would break users, but I'd be happy to move the debug server to be controlled by a new flag and stop serving it automatically with the http server.
Most of the pending PRs are dependabot PRs, and unfortunately I don't know if anyone of the maintainers have the time to review them. @jonny-improbable and @MarcusLongmuir are trying to keep up with the JS/TS side of things the best they can but they're always very busy. We're happy to accept contributions.
We're in the same situation and it is not fully clear what is the difference between normal (the not existing one) http and "debug" http ports? Is this just about those two additional endpoints?
Prometheus monitoring of proxied requests (/metrics on debug endpoint) Request (/debug/requests) and connection tracing endpoints (/debug/events)
Is there another (e.g. performance) impact?
Had a brief look through the code and I'm not sure why it's called debug
TBH, it's the main gRPC-Web entrypoint, it doesn't look to me like it should be called debug
. You certainly don't want to turn it off.
Well, if there is a way to disable those two endpoints
- Prometheus monitoring of proxied requests (/metrics on debug endpoint)
- Request (/debug/requests) and connection tracing endpoints (/debug/events)
then it is not a debug anymore I guess... Would be nice to have this option at least and maybe not name it debug port anymore in the docs... This is really disturbing to use a port with such a name in production :D
P.s. I assume this issue is more like a documentation / taking a decision rather than something to implement... Would be nice if this gets resolved :) I really like this idea to have no envoy as a separate docker container