Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure. https://www.consul.io
Go to file
Andy Lindeman fb0a990e4d
agent: rewrite checks with proxy address, not local service address (#7518)
Exposing checks is supposed to allow a Consul agent bound to a different
IP address (e.g., in a different Kubernetes pod) to access healthchecks
through the proxy while the underlying service binds to localhost. This
is an important security feature that makes sure no external traffic
reaches the service except through the proxy.

However, as far as I can tell, this is subtly broken in the case where
the Consul agent cannot reach the proxy over localhost.

If a proxy is configured with: `{ LocalServiceAddress: "127.0.0.1",
Checks: true }`, as is typical with a sidecar proxy, the Consul checks
are currently rewritten to `127.0.0.1:<random port>`. A Consul agent
that does not share the loopback address cannot reach this address. Just
to make sure I was not misunderstanding, I tried configuring the proxy
with `{ LocalServiceAddress: "<pod ip>", Checks: true }`. In this case,
while the checks are rewritten as expected and the agent can reach the
dynamic port, the proxy can no longer reach its backend because the
traffic is no longer on the loopback interface.

I think rewriting the checks to use `proxy.Address`, the proxy's own
address, is more correct in this case. That is the IP where the proxy
can be reached, both by other proxies and by a Consul agent running on
a different IP. The local service address should continue to use
`127.0.0.1` in most cases.
2020-04-02 09:35:43 +02:00
.circleci ci: Fix working_directory for go mod download 2020-04-01 17:02:23 -04:00
.github ci: Upgrade Go to 1.14.1 2020-03-24 15:55:47 -04:00
acl Add managed service provider token (#7218) 2020-02-04 13:58:56 -07:00
agent agent: rewrite checks with proxy address, not local service address (#7518) 2020-04-02 09:35:43 +02:00
api tests: fixed unstable test TestAPI_AgentMonitor (#7561) 2020-04-01 09:47:57 +02:00
bench Gets benchmarks running again and does a rough pass for 0.7.1. 2016-11-29 13:02:26 -08:00
build-support ci: Upgrade Go to 1.14.1 2020-03-24 15:55:47 -04:00
command Merge pull request #7562 from hashicorp/dnephin/remove-tname-from-name 2020-04-01 11:48:45 -04:00
connect Convert the remaining calls to NewTestAgentWithFields 2020-03-31 17:14:55 -04:00
contributing Add contributing dir with Config file checklist (#7017) 2020-01-14 12:24:03 +00:00
demo demo: Added udp port forwarding 2018-05-30 13:56:56 +09:00
ipaddr Ensure Consul is IPv6 compliant (#5468) 2019-06-04 10:02:38 -04:00
lib wan federation via mesh gateways (#6884) 2020-03-09 15:59:02 -05:00
logging wan federation via mesh gateways (#6884) 2020-03-09 15:59:02 -05:00
sdk [BUGFIX] Fix race condition in freeport (#7567) 2020-04-01 13:14:33 -05:00
sentinel Allow users to configure either unstructured or JSON logging (#7130) 2020-01-28 17:50:41 -06:00
service_os Changes made : 2018-06-28 21:18:14 -04:00
snapshot fix use of hclog logger (#7264) 2020-02-12 09:37:16 -06:00
terraform terraform: remove modules in repo (#5085) 2019-04-04 16:31:43 -07:00
test tests: fixed bats warning (#7544) 2020-03-31 22:29:27 +02:00
testrpc connect: check if intermediate cert needs to be renewed. (#6835) 2020-01-17 23:27:13 +01:00
tlsutil tls: remove old ciphers (#7282) 2020-03-10 21:44:26 +01:00
types Removes remoteConsuls in favor of the new router. 2017-03-16 16:42:19 -07:00
ui-v2 ui: Fix token duplication bug (#7552) 2020-04-01 09:55:20 +01:00
vendor cli: send requested help text to stdout 2020-03-26 15:27:34 -04:00
version Putting source back into Dev Mode 2020-02-11 11:54:35 -05:00
website Merge pull request #7427 from hashicorp/dnephin/website-fix-errrors-in-upgrade-docs 2020-04-01 11:36:53 -04:00
.dockerignore Update the scripting 2018-06-14 21:42:47 -04:00
.gitignore .gitignore: cut IDE-specific entries, cleanup (#7083) 2020-01-17 11:06:33 -08:00
.golangci.yml Add lint to makefile 2020-03-24 16:34:02 -04:00
.hashibot.hcl hashibot: let hashibot help us more (#7281) 2020-02-19 15:30:27 +01:00
CHANGELOG.md update changelog 2020-04-01 13:16:01 -05:00
GNUmakefile Merge pull request #7485 from hashicorp/dnephin/do-not-skip-tests-on-ci 2020-03-31 11:15:44 -04:00
INTERNALS.md Add contributing dir with Config file checklist (#7017) 2020-01-14 12:24:03 +00:00
LICENSE Initial commit 2013-11-04 14:15:27 -08:00
NOTICE.md add copyright notice file 2018-07-09 10:58:26 -07:00
README.md Add link to Learn to the top, move service mesh higher up on list of features. (#7474) 2020-03-23 12:10:42 -05:00
Vagrantfile Adds a basic Linux Vagrant setup, stolen from Nomad. 2017-10-06 08:10:12 -07:00
codecov.yml Upload coverage from each job 2020-03-31 14:43:13 -04:00
go.mod Merge pull request #7519 from hashicorp/dnephin/help-to-stdout 2020-04-01 11:26:12 -04:00
go.sum cli: send requested help text to stdout 2020-03-26 15:27:34 -04:00
main.go cli: slightly more direct way of printing custom version 2020-03-26 15:35:34 -04:00
main_test.go Adding basic CLI infrastructure 2013-12-19 11:22:08 -08:00

README.md

Consul CircleCI Discuss

Consul is a tool for service discovery and configuration. Consul is distributed, highly available, and extremely scalable.

Consul provides several key features:

  • Service Discovery - Consul makes it simple for services to register themselves and to discover other services via a DNS or HTTP interface. External services such as SaaS providers can be registered as well.

  • Health Checking - Health Checking enables Consul to quickly alert operators about any issues in a cluster. The integration with service discovery prevents routing traffic to unhealthy hosts and enables service level circuit breakers.

  • Service Segmentation/Service Mesh - Consul Connect enables secure service-to-service communication with automatic TLS encryption and identity-based authorization. Applications can use sidecar proxies in a service mesh configuration to establish TLS connections for inbound and outbound connections without being aware of Connect at all.

  • Key/Value Storage - A flexible key/value store enables storing dynamic configuration, feature flagging, coordination, leader election and more. The simple HTTP API makes it easy to use anywhere.

  • Multi-Datacenter - Consul is built to be datacenter aware, and can support any number of regions without complex configuration.

Consul runs on Linux, Mac OS X, FreeBSD, Solaris, and Windows. A commercial version called Consul Enterprise is also available.

Please note: We take Consul's security and our users' trust very seriously. If you believe you have found a security issue in Consul, please responsibly disclose by contacting us at security@hashicorp.com.

Quick Start

A few quick start guides are available on the Consul website:

Documentation

Full, comprehensive documentation is available on the Consul website:

https://www.consul.io/docs

Contributing

Thank you for your interest in contributing! Please refer to CONTRIBUTING.md for guidance.