Jared Kirschner 166d7a39e8
docs: consistently name Consul service mesh (#17222)
Remove outdated usage of "Consul Connect" instead of Consul service mesh.

The connect subsystem in Consul provides Consul's service mesh capabilities.
However, the term "Consul Connect" should not be used as an alternative to
the name "Consul service mesh".
2023-05-05 13:41:40 -04:00

99 lines
3.9 KiB
Plaintext

---
layout: commands
page_title: 'Commands: Connect Proxy'
description: >
The connect proxy subcommand is used to run the built-in mTLS proxy for
Consul service mesh.
---
# Consul Connect Proxy
Command: `consul connect proxy`
The connect proxy command is used to run Consul's built-in mTLS proxy for
use with Consul service mesh. This can be used in production to enable a mesh-unaware
application to accept and establish mesh-based connections. This proxy
can also be used in development to connect to mesh-enabled services.
## Usage
Usage: `consul connect proxy [options]`
#### Command Options
- `-sidecar-for` - The _ID_ (not name if they differ) of the service instance
this proxy will represent. The target service doesn't need to exist on the
local agent yet but a [sidecar proxy
registration](/consul/docs/connect/registration/service-registration) with
`proxy.destination_service_id` equal to the passed value must be present. If
multiple proxy registrations targeting the same local service instance are
present the command will error and `-proxy-id` should be used instead.
This can also be specified via the `CONNECT_SIDECAR_FOR` environment variable.
- `-proxy-id` - The [proxy
service](/consul/docs/connect/registration/service-registration) ID on the
local agent. This must already be present on the local agent. This option
can also be specified via the `CONNECT_PROXY_ID` environment variable.
- `-log-level` - Specifies the log level.
- `-pprof-addr` - Enable debugging via pprof. Providing a host:port (or just ':port')
enables profiling HTTP endpoints on that address.
- `-service` - Name of the service this proxy is representing. This service
doesn't need to actually exist in the Consul catalog, but proper ACL
permissions (`service:write`) are required. This and the remaining options can
be used to setup a proxy that is not registered already with local config
[useful for development](/consul/docs/connect/dev).
- `-upstream` - Upstream service to support connecting to. The format should be
'name:addr', such as 'db:8181'. This will make 'db' available on port 8181.
When a regular TCP connection is made to port 8181, the proxy will service
discover "db" and establish a Consul service mesh mTLS connection identifying as
the `-service` value. This flag can be repeated multiple times.
- `-listen` - Address to listen for inbound connections to the proxied service.
Must be specified with -service and -service-addr. If this isn't specified,
an inbound listener is not started.
- `-service-addr` - Address of the local service to proxy. Required for
`-listen`.
- `-register` - Self-register with the local Consul agent, making this
proxy available as mesh-capable service in the catalog. This is only
useful with `-listen`.
- `-register-id` - Optional ID suffix for the service when `-register` is set to
disambiguate the service ID. By default the service ID is `<service>-proxy`
where `<service>` is the `-service` value. In most cases it is now preferable
to use [`consul services register`](/consul/commands/services/register) to
register a fully configured proxy instance rather than specify config and
registration via this command.
#### API Options
@include 'http_api_options_client.mdx'
@include 'http_api_options_server.mdx'
## Examples
The example below shows how to start a local proxy for establishing outbound
connections to "db" representing the frontend service. Once running, any
process that creates a TCP connection to the specified port (8181) will
establish a mutual TLS connection to "db" identified as "frontend".
```shell-session
$ consul connect proxy -service frontend -upstream db:8181
```
The next example starts a local proxy that also accepts inbound connections
on port 8443, authorizes the connection, then proxies it to port 8080:
```shell-session
$ consul connect proxy \
-service frontend \
-service-addr 127.0.0.1:8080 \
-listen ':8443'
```