website: document proxy security settings

pull/4275/head
Mitchell Hashimoto 2018-06-12 17:58:31 +02:00 committed by Jack Pearkes
parent 0d6dcbd2f1
commit 7f83ae1faf
3 changed files with 39 additions and 9 deletions

View File

@ -703,7 +703,13 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
duration value such as `720h`. Only applies in the case where the private key or root certificate are duration value such as `720h`. Only applies in the case where the private key or root certificate are
left blank. Defaults to `2160h` (90 days). left blank. Defaults to `2160h` (90 days).
* <a name="connect_proxy_defaults"></a><a href="#connect_proxy_defaults">`proxy_defaults`</a> TODO * <a name="connect_proxy"></a><a href="#connect_proxy">`proxy`</a> This object allows setting options for the Connect proxies. The following sub-keys are available:
* <a name="connect_proxy_allow_managed_registration"></a><a href="#connect_proxy_allow_managed_registration">`allow_managed_api_registration`</a> Allows managed proxies to be configured with services that are registered via the Agent HTTP API. Enabling this would allow anyone with permission to register a service to define a command to execute for the proxy. By default, this is false to protect against arbitrary process execution.
* <a name="connect_proxy_allow_managed_root"></a><a href="#connect_proxy_allow_managed_root">`allow_managed_root`</a> Allows Consul to start managed proxies if Consul is running as root (EUID of the process is zero). We recommend running Consul as a non-root user. By default, this is false to protect inadvertently running external processes as root.
* <a name="connect_proxy_defaults"></a><a href="#connect_proxy_defaults">`proxy_defaults`</a> This object configures the default proxy settings for [service definitions with managed proxies](/docs/agent/services.html). It accepts the fields `exec_mode`, `daemon_command`, and `config`. These are used as default values for the respective fields in the service definition.
* <a name="datacenter"></a><a href="#datacenter">`datacenter`</a> Equivalent to the * <a name="datacenter"></a><a href="#datacenter">`datacenter`</a> Equivalent to the
[`-datacenter` command-line flag](#_datacenter). [`-datacenter` command-line flag](#_datacenter).

View File

@ -17,7 +17,15 @@ or added at runtime over the HTTP interface.
## Service Definition ## Service Definition
A service definition is a script that looks like: To configure a service, either provide the service definition as a `-config-file` option to
the agent or place it inside the `-config-dir` of the agent. The file
must end in the `.json` or `.hcl` extension to be loaded by Consul. Check
definitions can be updated by sending a `SIGHUP` to the agent.
Alternatively, the service can be registered dynamically using the [HTTP
API](/api/index.html).
A service definition is a configuration that looks like the following. This
example shows all possible fields, but note that only a few are required.
```javascript ```javascript
{ {
@ -35,7 +43,14 @@ A service definition is a script that looks like:
"args": ["/usr/local/bin/check_redis.py"], "args": ["/usr/local/bin/check_redis.py"],
"interval": "10s" "interval": "10s"
} }
] ],
"connect": {
"native": false,
"proxy": {
"command": [],
"config": {}
}
}
} }
} }
``` ```
@ -117,12 +132,14 @@ For Consul 0.9.3 and earlier you need to use `enableTagOverride`. Consul 1.0
supports both `enable_tag_override` and `enableTagOverride` but the latter is supports both `enable_tag_override` and `enableTagOverride` but the latter is
deprecated and has been removed as of Consul 1.1. deprecated and has been removed as of Consul 1.1.
To configure a service, either provide it as a `-config-file` option to The `connect` field can be specified to configure [Connect](/docs/connect/index.html)
the agent or place it inside the `-config-dir` of the agent. The file for a service. This field is available in Consul 1.2 and later. The `native`
must end in the `.json` or `.hcl` extension to be loaded by Consul. Check value can be set to true to advertise the service as
definitions can be updated by sending a `SIGHUP` to the agent. [Connect-native](/docs/connect/native.html). If the `proxy` field is set
Alternatively, the service can be registered dynamically using the [HTTP (even to an empty object), then this will enable a
API](/api/index.html). [managed proxy](/docs/connect/proxies.html) for the service. The fields within
`proxy` are used to configure the proxy and are specified in the
[proxy docs](/docs/connect/proxies.html).
## Multiple Service Definitions ## Multiple Service Definitions

View File

@ -47,6 +47,13 @@ integrating with advanced proxies in the near future to support more complex
configurations and higher performance. The configuration below is all for configurations and higher performance. The configuration below is all for
the built-in proxy. the built-in proxy.
-> **Security note:** 1.) Managed proxies can only be configured
via agent configuration files. They _cannot_ be registered via the HTTP API.
And 2.) Managed proxies are not started at all if Consul is running as root.
Both of these default configurations help prevent arbitrary process
execution or privilege escalation. This behavior can be configured
[per-agent](/docs/agent/options.html#connect_proxy).
### Minimal Configuration ### Minimal Configuration
Managed proxies are configured within a Managed proxies are configured within a