Mike Morris 65be58703c
connect: remove managed proxies (#6220)
* connect: remove managed proxies implementation and all supporting config options and structs

* connect: remove deprecated ProxyDestination

* command: remove CONNECT_PROXY_TOKEN env var

* agent: remove entire proxyprocess proxy manager

* test: remove all managed proxy tests

* test: remove irrelevant managed proxy note from TestService_ServerTLSConfig

* test: update ContentHash to reflect managed proxy removal

* test: remove deprecated ProxyDestination test

* telemetry: remove managed proxy note

* http: remove /v1/agent/connect/proxy endpoint

* ci: remove deprecated test exclusion

* website: update managed proxies deprecation page to note removal

* website: remove managed proxy configuration API docs

* website: remove managed proxy note from built-in proxy config

* website: add note on removing proxy subdirectory of data_dir
2019-08-09 15:19:30 -04:00


layout: docs
page_title: Connect - Built-in Proxy
sidebar_current: docs-connect-proxies-built-in
description: Consul Connect comes with a built-in proxy for testing and development.

Built-In Proxy Options

Consul comes with a built-in L4 proxy for testing and development with Consul Connect.

Below is a complete example of all the configuration options available for the built-in proxy.

~> Note: Although you can configure the built-in proxy using configuration entries, it doesn't have the L7 capability necessary for the observability features released with Consul 1.5.

{
  "service": {
    ...
    "connect": {
      "proxy": {
        "config": {
          "bind_address": "0.0.0.0",
          "bind_port": 20000,
          "tcp_check_address": "192.168.0.1",
          "disable_tcp_check": false,
          "local_service_address": "127.0.0.1:1234",
          "local_connect_timeout_ms": 1000,
          "handshake_timeout_ms": 10000,
          "upstreams": [...]
        },
        "upstreams": [
          {
            ...
            "config": {
              "connect_timeout_ms": 1000
            }
          }
        ]
      }
    }
  }
}

Proxy Config Key Reference

All fields are optional with a sane default.

  • bind_address - The address the proxy will bind its public mTLS listener to. It defaults to the same address the agent binds to.

  • bind_port - The port the proxy will bind its public mTLS listener to. If not provided, the agent will attempt to assign one from its configured proxy port range if available. By default the range is [20000, 20255] and the port is selected at random from that range.

  • tcp_check_address - The address the agent will run a TCP health check against. By default this is the same as the proxy's bind address, except if the bind_address is 0.0.0.0 or [::], in which case this defaults to 127.0.0.1 and assumes the agent can dial the proxy over loopback. For more complex configurations, for example where agent and proxy communicate over a bridge, this option can be used to specify a different address (but not port) for the agent to use for health checks if it can't talk to the proxy over localhost or its publicly advertised port. The check always uses the same port that the proxy is bound to.

  • disable_tcp_check - If true, no TCP check is set up for the proxy. Default is false.

  • local_service_address - The [address]:port that the proxy should use to connect to the local application instance. By default it assumes 127.0.0.1 as the address and takes the port from the service definition's port field. Note that allowing the application to listen on any non-loopback address may expose it externally and bypass Connect's access enforcement. It may be useful, though, to allow non-standard loopback addresses, or where an alternative known-private IP is available, for example when using internal networking between containers.

  • local_connect_timeout_ms - The number of milliseconds the proxy will wait to establish a connection to the local application before giving up. Defaults to 1000 or 1 second.

  • handshake_timeout_ms - The number of milliseconds the proxy will wait for incoming mTLS connections to complete the TLS handshake. Defaults to 10000 or 10 seconds.

  • upstreams - Deprecated. Upstreams are now specified in the connect.proxy definition. Upstreams specified in the opaque config map here will continue to work for compatibility, but it's strongly recommended that you move to using the higher level upstream configuration.
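
The defaulting and exposure rules in the key reference above can be checked mechanically before a service definition is registered. The following is an added example, not code from the Consul project; the function names, the `SAMPLE` definition and the treatment of a bare `::` as a wildcard are assumptions.

```python
import ipaddress

# "0.0.0.0" and "[::]" are the wildcards the page names; bare "::" is an assumption.
WILDCARDS = {"0.0.0.0", "[::]", "::"}

def split_host_port(addr, default_host="127.0.0.1"):
    """Split '[address]:port'; the address is optional and IPv6 may be bracketed."""
    host, _, port = addr.rpartition(":")
    return (host.strip("[]") or default_host), int(port)

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname: not provably loopback without resolving it
        return False

def effective_tcp_check_address(cfg, agent_bind_addr):
    """Address the agent health-checks, per the tcp_check_address defaulting rule."""
    if cfg.get("disable_tcp_check", False):
        return None  # no TCP check is set up at all
    if "tcp_check_address" in cfg:
        return cfg["tcp_check_address"]
    bind = cfg.get("bind_address", agent_bind_addr)
    return "127.0.0.1" if bind in WILDCARDS else bind

def audit(service):
    """Return findings for one service definition (hypothetical helper)."""
    cfg = service.get("connect", {}).get("proxy", {}).get("config", {})
    findings = []
    # Default: 127.0.0.1 plus the port from the service definition's port field.
    local = cfg.get("local_service_address", f"127.0.0.1:{service.get('port', 0)}")
    host, _ = split_host_port(local)
    if not is_loopback(host):
        findings.append(f"local_service_address {local}: application is reached off "
                        "loopback; confirm it is not exposed outside Connect's enforcement")
    if "upstreams" in cfg:
        findings.append("config.upstreams is deprecated; move to connect.proxy.upstreams")
    return findings

SAMPLE = {  # constructed service definition, not from the page
    "name": "web", "port": 8080,
    "connect": {"proxy": {"config": {
        "bind_address": "0.0.0.0", "bind_port": 20000,
        "local_service_address": "10.0.0.5:8080",
        "upstreams": [],
    }}},
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```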

Proxy Upstream Config Key Reference

All fields are optional with a sane default.

  • connect_timeout_ms - The number of milliseconds the proxy will wait to establish a TLS connection to the discovered upstream instance before giving up. Defaults to 10000 or 10 seconds.