google-app-engine - GCP Extensible Service Proxy encounters an error while forwarding requests

Tags: google-app-engine ssl google-cloud-platform microservices

I have the following setup:

1. Application (Java microservice) deployed on App Engine.
2. Custom domain mapped to hit this service:
   myfavmicroservice.project-amazing.dev.corporation.com
3. This endpoint is secured to require authentication by enabling IAP.
4. Configured ESP to intercept, authenticate and fulfill requests to all
   backend microservices (like the one above) with a common gateway endpoint.
5. Microservice is deployed using app.yaml.
6. ESP endpoint is configured using api.yaml (OpenAPI API Surface document).

This is the tutorial I am following:

https://cloud.google.com/endpoints/docs/openapi/get-started-app-engine-standard

The app.yaml used to deploy the microservice:

runtime: java11
entrypoint: java -jar tar/worker.jar
instance_class: F2 

service: myfavmicroservice

handlers:
- url: /.*
  script: this field is required, but ignored

The ESP api.yaml describing the microservice's API surface looks like this:

swagger: "2.0"
info:
  title: "My fav micro Service"
  description: "Serve my favorite microservice content"
  version: "1.0.0"

# This field will be replaced by the deploy_api.sh script.
host: microservice-system-gateway-5c4s43dedq-ue.a.run.app
schemes:
  - https
produces:
  - application/json

paths:
  /myfavmicroservice:
    get:
      summary: Greet the user
      operationId: hello
      description: "Get helloworld mainpage"
      x-google-backend:
        address: https://myfavmicroservice.project-amazing.dev.corporation.com
        jwt_audience: .....
      responses:
        '200':
          description: "Success."
          schema:
            type: string
        '400':
          description: "The IATA code is invalid or missing."
          schema:
            type: string

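But the problem is that whenever I make a request to the endpoint like this:

GET https://microservice-system-gateway-5c4s43dedq-ue.a.run.app/myfavmicroservice

I always get a gateway 500 error. After checking the ESP logs, I mainly found: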

1. SSL Handshake Error with Error no 40
2. upstream server temporarily disabled while SSL handshaking to upstream
3. request: "GET /metadatasvc-hello HTTP/1.1", upstream: "https://[3461:f4f0:5678:a13::63]:443/myfavmicroservice

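So ESP is intercepting my request correctly, and perhaps forwarding it in the right format, as evidenced by #3. But I get an SSL error.

Why does this error occur?

Best answer

OK, problem solved. For the benefit of the Stack Overflow community, I am posting the solution here.

I think that if you use a custom domain mapped to App Engine in the OpenAPI configuration (deployed to ESP), the SSL handshake will fail: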

x-google-backend:
        address: https://my-microservice.my-custom-domain.company.com

However, if you use the default URL that App Engine assigns when the microservice starts, like this, everything works fine:

x-google-backend:
        address: https://my-microservice.appspot.com

So I am trying to figure out how to use a custom domain mapping in the ESP OpenAPI configuration. For now, though, if I do that, the SSL proxy does not work in ESP.
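
A pre-deploy check for the situation the answer describes, as an added example that is not part of the original post: it collects every `x-google-backend` address from an OpenAPI document, labels each as an App Engine default (`*.appspot.com`) or custom domain, and can attempt a verified TLS handshake against it. The function names and the sample spec are assumptions made for illustration, and a handshake that succeeds from a workstation does not guarantee that ESP sees the same result.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample: the two x-google-backend forms shown in the answer.
SAMPLE_SPEC = """\
paths:
  /custom:
    get:
      x-google-backend:
        address: https://my-microservice.my-custom-domain.company.com
  /default:
    get:
      x-google-backend:
        address: https://my-microservice.appspot.com
"""

def backend_addresses(spec_text):
    """Collect the address of every x-google-backend block (indent-based scan)."""
    found, block_indent = [], None
    for line in spec_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if stripped == "x-google-backend:":
            block_indent = indent
        elif block_indent is not None and indent <= block_indent:
            block_indent = None  # left the backend block
        elif block_indent is not None and stripped.startswith("address:"):
            found.append(stripped[len("address:"):].strip())
    return found

def classify(address):
    """'default' for *.appspot.com, 'custom' for other https hosts, else 'invalid'."""
    parts = urlsplit(address)
    if " " in address or parts.scheme != "https" or not parts.hostname:
        return "invalid"
    return "default" if parts.hostname.endswith(".appspot.com") else "custom"

def probe_handshake(address, timeout=5.0):
    """Try a certificate-verified TLS handshake with SNI; return (ok, detail)."""
    parts = urlsplit(address)
    try:
        with socket.create_connection((parts.hostname, parts.port or 443), timeout) as sock:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=parts.hostname) as tls:
                return True, tls.version()
    except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
        return False, f"{type(exc).__name__}: {exc}"
```

`probe_handshake` needs network access to the backend; the other two functions work on the spec text alone and flag a malformed address before anything is deployed.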

Regarding google-app-engine - GCP Extensible Service Proxy encounters an error while forwarding requests, a similar question was found on Stack Overflow: https://stackoverflow.com/questions/57947365/
