Enabling SSL for Cloud Endpoints

You may need to enable an SSL port for your deployed Endpoints service: for example, if you are using gRPC's transcoding feature and would like your service to receive both HTTP1.1 and gRPC requests on the same port. This document shows you how to enable the SSL port when deploying ESP with Google Container Engine and Kubernetes, or Google Compute Engine (with or without Docker). It assumes that you've already followed the tutorials for your chosen service type and environment, and know how to deploy without SSL.

SSL keys and certificates

To enable the SSL port so it can serve HTTPS requests, your SSL key and certificate files should have the filename nginx.key and nginx.crt, respectively. For testing, you can generate a self-signed nginx.key and nginx.cert using OpenSSL.

      openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout ./nginx.key -out ./nginx.crt

Enabling SSL for Service Proxy on Kubernetes

To enable the SSL port for Endpoints Service Proxy on Kubernetes:

  1. Create a Kubernetes Secret with your SSL key and certificate:

      kubectl create secret generic nginx-ssl \
         --from-file=./nginx.crt --from-file=./nginx.key
  2. Edit the Kubernetes configuration files for example, esp_echo_gke.yaml, as shown in the following snippet:

          app: esp-echo
        - name: nginx-ssl
            secretName: nginx-ssl
        - name: esp
          image: gcr.io/endpoints-release/endpoints-runtime:1
          args: [
            "-p", "8080",
            "-S", "443",
            "-a", "",
            "-s", "SERVICE_NAME",
            "-v", "SERVICE_CONFIG_ID",
            - containerPort: 8080
            - containerPort: 443
          - mountPath: /etc/nginx/ssl
            name: nginx-ssl
            readOnly: true
        - name: echo
          image: gcr.io/endpoints-release/echo:latest
            - containerPort: 8081

    Note: The configuration sample displays the lines that need to be edited. To run Cloud Endpoints, the complete configuration file is required.

  3. Mount the Kubernetes secrets created above as volumes, following the directions in the Kubernetes Volumes page.

  4. Start up Extensible Service Proxy as described in the page Specifying Startup Options for Extensible Service Proxy, but make sure you add the startup flag --ssl_port to enable the SSL port. (Note that the default SSL port is 443.)

  5. Start the service with the updated Kubernetes configuration file using kubectl.

    kubectl create -f esp_echo_gke.yaml

Enabling SSL for Service Proxy on Google Compute Engine

To enable SSL on Compute Engine, first copy the key and crt files to your Compute Engine instance's /etc/nginx/ssl folder, as follows:

  1. Run the following command:

       gcloud compute copy-files nginx.* [INSTANCE-NAME]:
  2. Then SSH into the instance:

      gcloud compute ssh [INSTANCE-NAME]
  3. In the instance VM box, make the directory and copy in the files:

      sudo mkdir -p /etc/nginx/ssl
      sudo cp nginx.* /etc/nginx/ssl/

There are two ways to deploy the proxy in GCE; with or without using Docker. The SSL enabling step is different with each deployment.

Enabling SSL for Service Proxy with Docker

Follow the instructions for your service type to deploy with Docker. When you run the Extensible Service Proxy docker container, use this command:

 sudo docker run --name=esp -d -p 443:443 -v /etc/nginx/ssl:/etc/nginx/ssl --link=echo:echo gcr.io/endpoints-release/endpoints-runtime:1 -s [SERVICE_NAME] -v [SERVICE_VERSION] -a echo:8080 --ssl_port=443

There are 3 changes in this docker run command, compared to the non-SSL one:

  • Mount the folder with key and crt files to container by using -v
  • Use --ssl_port=443 to tell ESP to enable SSL on port 443
  • The port mapping flag -p is changed

Testing the SSL port

To make the testing easier, set the following environment variables:

  1. Set IP_ADDRESS to the IP address of the Compute Engine instance with the new SSL certificate.
    • Note that the two examples below assume that the server does not have a fully qualified domain name (FQDN) yet, and therefore the implicit assumption is that ${IP_ADDRESS} has been used as the FQDN when generating the self-signed certificate above. When the server gets a FQDN, use the FQDN to generate the certificate and then in the two examples below replace ${IP_ADDRESS} with the FQDN.
  2. Set ENDPOINTS_KEY to a valid API key.

Once the SSL port is enabled, you can use HTTPS to send requests to the Extensible Service Proxy. If your certificate is self-signed, either use -k to turn on the insecure option in curl:

curl -k -d '{"message":"hello world"}' -H "content-type:application/json" https://${IP_ADDRESS}:443/echo?key=${ENDPOINTS_KEY}

Or, generate the certificate in pem format and use --cacert option to use the self-signed certificate in curl:

openssl x509 -in nginx.crt -out nginx.pem -outform PEM
curl --cacert "./nginx.pem" -d '{"message":"hello world"}' -H "content-type:application/json" https://${IP_ADDRESS}:443/echo?key=${ENDPOINTS_KEY}

Send feedback about...

Cloud Endpoints with gRPC