mirror of https://github.com/hashicorp/consul
website: document proxy security settings
parent
0d6dcbd2f1
commit
7f83ae1faf
|
@ -703,7 +703,13 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
|
||||||
duration value such as `720h`. Only applies in the case where the private key or root certificate are
|
duration value such as `720h`. Only applies in the case where the private key or root certificate are
|
||||||
left blank. Defaults to `2160h` (90 days).
|
left blank. Defaults to `2160h` (90 days).
|
||||||
|
|
||||||
* <a name="connect_proxy_defaults"></a><a href="#connect_proxy_defaults">`proxy_defaults`</a> TODO
|
* <a name="connect_proxy"></a><a href="#connect_proxy">`proxy`</a> This object allows setting options for the Connect proxies. The following sub-keys are available:
|
||||||
|
|
||||||
|
* <a name="connect_proxy_allow_managed_registration"></a><a href="#connect_proxy_allow_managed_registration">`allow_managed_api_registration`</a> Allows managed proxies to be configured with services that are registered via the Agent HTTP API. Enabling this would allow anyone with permission to register a service to define a command to execute for the proxy. By default, this is false to protect against arbitrary process execution.
|
||||||
|
|
||||||
|
* <a name="connect_proxy_allow_managed_root"></a><a href="#connect_proxy_allow_managed_root">`allow_managed_root`</a> Allows Consul to start managed proxies if Consul is running as root (EUID of the process is zero). We recommend running Consul as a non-root user. By default, this is false to protect inadvertently running external processes as root.
|
||||||
|
|
||||||
|
* <a name="connect_proxy_defaults"></a><a href="#connect_proxy_defaults">`proxy_defaults`</a> This object configures the default proxy settings for [service definitions with managed proxies](/docs/agent/services.html). It accepts the fields `exec_mode`, `daemon_command`, and `config`. These are used as default values for the respective fields in the service definition.
|
||||||
|
|
||||||
* <a name="datacenter"></a><a href="#datacenter">`datacenter`</a> Equivalent to the
|
* <a name="datacenter"></a><a href="#datacenter">`datacenter`</a> Equivalent to the
|
||||||
[`-datacenter` command-line flag](#_datacenter).
|
[`-datacenter` command-line flag](#_datacenter).
|
||||||
|
|
|
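Review bot: the anchor for the first new sub-key does not match the key it documents: the link is `connect_proxy_allow_managed_registration` while the key is `allow_managed_api_registration`; rename the anchor to `connect_proxy_allow_managed_api_registration` so it follows the pattern used by `connect_proxy_allow_managed_root`. Two smaller points in the same hunk: the `allow_managed_root` entry reads "to protect inadvertently running external processes as root" and should be "to protect against inadvertently running", and the `allow_managed_api_registration` entry would be clearer if it stated the threat in ACL terms, i.e. that with this enabled, any token permitted to register a service can make the agent execute an arbitrary command, so it should stay off unless service registration is tightly restricted.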
@ -17,7 +17,15 @@ or added at runtime over the HTTP interface.
|
||||||
|
|
||||||
## Service Definition
|
## Service Definition
|
||||||
|
|
||||||
A service definition is a script that looks like:
|
To configure a service, either provide the service definition as a `-config-file` option to
|
||||||
|
the agent or place it inside the `-config-dir` of the agent. The file
|
||||||
|
must end in the `.json` or `.hcl` extension to be loaded by Consul. Check
|
||||||
|
definitions can be updated by sending a `SIGHUP` to the agent.
|
||||||
|
Alternatively, the service can be registered dynamically using the [HTTP
|
||||||
|
API](/api/index.html).
|
||||||
|
|
||||||
|
A service definition is a configuration that looks like the following. This
|
||||||
|
example shows all possible fields, but note that only a few are required.
|
||||||
|
|
||||||
```javascript
|
```javascript
|
||||||
{
|
{
|
||||||
|
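Review bot: the moved paragraph still says "Check definitions can be updated by sending a `SIGHUP` to the agent" although it now introduces the service-definition example; either change it to "Service definitions" or state that both service and check definitions are reloaded on `SIGHUP`. Also, "This example shows all possible fields, but note that only a few are required" leaves the reader guessing which ones; name the required field(s) or point to the field reference that follows the example.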
@ -35,7 +43,14 @@ A service definition is a script that looks like:
|
||||||
"args": ["/usr/local/bin/check_redis.py"],
|
"args": ["/usr/local/bin/check_redis.py"],
|
||||||
"interval": "10s"
|
"interval": "10s"
|
||||||
}
|
}
|
||||||
]
|
],
|
||||||
|
"connect": {
|
||||||
|
"native": false,
|
||||||
|
"proxy": {
|
||||||
|
"command": [],
|
||||||
|
"config": {}
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
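Review bot: the example adds `"proxy": {"command": [], "config": {}}` while the options hunk documents the `proxy_defaults` fields as `exec_mode`, `daemon_command`, and `config`; confirm whether the service-definition key is `command` or `daemon_command` and use one name consistently across both pages. Also, the accompanying text says that setting `proxy` even to an empty object enables a managed proxy, so this "all possible fields" example starts a managed proxy when loaded verbatim; a short comment on the `proxy` block (or a sentence after the example) would keep readers from enabling one by copy-paste.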
@ -117,12 +132,14 @@ For Consul 0.9.3 and earlier you need to use `enableTagOverride`. Consul 1.0
|
||||||
supports both `enable_tag_override` and `enableTagOverride` but the latter is
|
supports both `enable_tag_override` and `enableTagOverride` but the latter is
|
||||||
deprecated and has been removed as of Consul 1.1.
|
deprecated and has been removed as of Consul 1.1.
|
||||||
|
|
||||||
To configure a service, either provide it as a `-config-file` option to
|
The `connect` field can be specified to configure [Connect](/docs/connect/index.html)
|
||||||
the agent or place it inside the `-config-dir` of the agent. The file
|
for a service. This field is available in Consul 1.2 and later. The `native`
|
||||||
must end in the `.json` or `.hcl` extension to be loaded by Consul. Check
|
value can be set to true to advertise the service as
|
||||||
definitions can be updated by sending a `SIGHUP` to the agent.
|
[Connect-native](/docs/connect/native.html). If the `proxy` field is set
|
||||||
Alternatively, the service can be registered dynamically using the [HTTP
|
(even to an empty object), then this will enable a
|
||||||
API](/api/index.html).
|
[managed proxy](/docs/connect/proxies.html) for the service. The fields within
|
||||||
|
`proxy` are used to configure the proxy and are specified in the
|
||||||
|
[proxy docs](/docs/connect/proxies.html).
|
||||||
|
|
||||||
## Multiple Service Definitions
|
## Multiple Service Definitions
|
||||||
|
|
||||||
|
|
|
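Review bot: the new paragraph says setting `proxy` (even to an empty object) enables a managed proxy, but does not mention that by default the agent rejects managed proxies for services registered over the HTTP API (`allow_managed_api_registration` is false) and does not start them at all when running as root (`allow_managed_root`); add one sentence here linking to those options, otherwise readers registering via the API will not understand why no proxy appears. Minor wording: "then this will enable a managed proxy" reads better as "a managed proxy is enabled for the service".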
@ -47,6 +47,13 @@ integrating with advanced proxies in the near future to support more complex
|
||||||
configurations and higher performance. The configuration below is all for
|
configurations and higher performance. The configuration below is all for
|
||||||
the built-in proxy.
|
the built-in proxy.
|
||||||
|
|
||||||
|
-> **Security note:** 1.) Managed proxies can only be configured
|
||||||
|
via agent configuration files. They _cannot_ be registered via the HTTP API.
|
||||||
|
And 2.) Managed proxies are not started at all if Consul is running as root.
|
||||||
|
Both of these default configurations help prevent arbitrary process
|
||||||
|
execution or privilege escalation. This behavior can be configured
|
||||||
|
[per-agent](/docs/agent/options.html#connect_proxy).
|
||||||
|
|
||||||
### Minimal Configuration
|
### Minimal Configuration
|
||||||
|
|
||||||
Managed proxies are configured within a
|
Managed proxies are configured within a
|
||||||
|
|
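Review bot: the first sentence of the security note is too absolute: "Managed proxies can only be configured via agent configuration files. They _cannot_ be registered via the HTTP API." describes the default, which the same note later says can be changed per agent via `connect_proxy`; write "By default, managed proxies ... cannot be registered via the HTTP API" and name the two options (`allow_managed_api_registration`, `allow_managed_root`) so the reader knows exactly which setting relaxes which protection. Style: "1.) ... And 2.)" inside a callout is awkward; use a two-item list or two plain sentences.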