mirror of https://github.com/hashicorp/consul
167 lines
5.7 KiB
Markdown
167 lines
5.7 KiB
Markdown
---
|
|
layout: api
|
|
page_title: HTTP API
|
|
description: |-
|
|
Consul exposes a RESTful HTTP API to control almost every aspect of the
|
|
Consul agent.
|
|
---
|
|
|
|
# HTTP API Structure
|
|
|
|
The main interface to Consul is a RESTful HTTP API. The API can perform basic
|
|
CRUD operations on nodes, services, checks, configuration, and more.
|
|
|
|
## Authentication
|
|
|
|
When authentication is enabled, a Consul token should be provided to API
|
|
requests using the `X-Consul-Token` header or with the
|
|
Bearer scheme in the authorization header.
|
|
This reduces the probability of the
|
|
token accidentally getting logged or exposed. When using authentication,
|
|
clients should communicate via TLS.
|
|
|
|
If no token is provided for an HTTP request then Consul will use the default ACL token
|
|
if it has been configured. If no default ACL token was configured then the anonymous
|
|
token will be used.
|
|
|
|
Below is an example using `curl` with `X-Consul-Token`.
|
|
|
|
```shell-session
|
|
$ curl \
|
|
--header "X-Consul-Token: <consul token>" \
|
|
http://127.0.0.1:8500/v1/agent/members
|
|
```
|
|
|
|
Below is an example using `curl` with a [RFC6750](https://tools.ietf.org/html/rfc6750) Bearer token.
|
|
|
|
```shell-session
|
|
$ curl \
|
|
--header "Authorization: Bearer <consul token>" \
|
|
http://127.0.0.1:8500/v1/agent/members
|
|
```
|
|
|
|
**Security Note:** Though you could pass the token through the `?token=` query parameter,
|
|
this method is highly discouraged because the token can show up in access logs as part of the URL.
|
|
The `?token=` query parameter is deprecated and will be removed in a future Consul version.
|
|
|
|
To learn more about the ACL system read the [documentation](/consul/docs/security/acl).
|
|
|
|
## Version Prefix
|
|
|
|
Unless indicated otherwise, all API routes are prefixed with `/v1/`.
|
|
|
|
## Formatted JSON Output
|
|
|
|
By default, the output of all HTTP API requests is minimized JSON. If the client
|
|
passes `pretty` on the query string, formatted JSON will be returned.
|
|
|
|
## HTTP Methods
|
|
|
|
Consul's API aims to be RESTful, although there are some exceptions. The API
|
|
responds to the standard HTTP verbs GET, PUT, and DELETE. Each API method will
|
|
clearly document the verb(s) it responds to and the generated response. The same
|
|
path with different verbs may trigger different behavior. For example:
|
|
|
|
```text
|
|
PUT /v1/kv/foo
|
|
GET /v1/kv/foo
|
|
```
|
|
|
|
Even though these share a path, the `PUT` operation creates a new key whereas
|
|
the `GET` operation reads an existing key.
|
|
|
|
Here is the same example using `curl`:
|
|
|
|
```shell-session
|
|
$ curl \
|
|
--request PUT \
|
|
--data 'hello consul' \
|
|
http://127.0.0.1:8500/v1/kv/foo
|
|
```
|
|
|
|
## URL-Encoded Resource Names
|
|
|
|
Some Consul HTTP API endpoints accept resource names in URL path or query parameters.
|
|
To pass a resource name containing URL-invalid characters, such as `/` or ` `,
|
|
URL-encode the resource name into the URL.
|
|
|
|
However, we generally recommend using resource names that don't require URL-encoding.
|
|
Depending on the validation that Consul applies to a resource name,
|
|
Consul may still reject a request if it considers the resource name invalid for that endpoint.
|
|
And even if Consul considers the resource name valid, it may degrade other functionality,
|
|
such as failed [DNS lookups](/consul/docs/services/discovery/dns-overview)
|
|
for nodes or services with names containing invalid DNS characters.
|
|
|
|
This HTTP API capability also allows the
|
|
[CLI to accept arguments with URL-invalid characters](/consul/commands#arguments-with-url-invalid-characters).
|
|
|
|
### Invalid Characters
|
|
|
|
The linefeed character (`%0a`) will cause a request to be rejected even if it is URL-encoded.
|
|
|
|
## Translated Addresses
|
|
|
|
Consul 0.7 added the ability to translate addresses in HTTP response based on
|
|
the configuration setting for
|
|
[`translate_wan_addrs`](/consul/docs/agent/config/config-files#translate_wan_addrs). In order
|
|
to allow clients to know if address translation is in effect, the
|
|
`X-Consul-Translate-Addresses` header will be added if translation is enabled,
|
|
and will have a value of `true`. If translation is not enabled then this header
|
|
will not be present.
|
|
|
|
## Default ACL Policy
|
|
|
|
All API responses for Consul versions after 1.9 will include an HTTP response
|
|
header `X-Consul-Default-ACL-Policy` set to either "allow" or "deny" which
|
|
mirrors the current value of the agent's
|
|
[`acl.default_policy`](/consul/docs/agent/config/config-files#acl_default_policy) option.
|
|
|
|
This is also the default [intention](/consul/docs/connect/intentions) enforcement
|
|
action if no intention matches.
|
|
|
|
This is returned even if ACLs are disabled.
|
|
|
|
## Results Filtered by ACLs
|
|
|
|
As of Consul 1.11, most list endpoints support an `X-Consul-Results-Filtered-By-ACLs`
|
|
HTTP response header. This indicates that the response contains a partial subset
|
|
of results, because some have been filtered out by ACL policies.
|
|
|
|
In order to limit information leakage, this header is only present for requests
|
|
authenticated by a valid ACL token.
|
|
|
|
The following example uses `curl` to view the
|
|
`X-Consul-Results-Filtered-By-ACLs` response header.
|
|
|
|
```shell-session
|
|
$ curl \
|
|
--header "X-Consul-Token: <non-anonymous consul token>" \
|
|
--include \
|
|
http://127.0.0.1:8500/v1/catalog/services
|
|
|
|
HTTP/1.1 200 OK
|
|
Content-Type: application/json
|
|
...
|
|
X-Consul-Default-Acl-Policy: deny
|
|
X-Consul-Results-Filtered-By-Acls: true
|
|
|
|
{
|
|
"redis": [],
|
|
"postgresql": ["primary", "secondary"]
|
|
}
|
|
```
|
|
|
|
## UUID Format
|
|
|
|
UUID-format identifiers generated by the Consul API use the
|
|
[hashicorp/go-uuid](https://github.com/hashicorp/go-uuid) library.
|
|
|
|
These UUID-format strings are generated using high quality, purely random bytes.
|
|
It is not intended to be RFC compliant, merely to use a well-understood string
|
|
representation of a 128-bit value.
|
|
|
|
## CORS HTTP Response Headers
|
|
|
|
As of Consul 1.18, Consul adds an HTTP header `Access-Control-Expose-Headers: x-consul-default-acl-policy` to
|
|
all responses in order to support linking self-managed Consul clusters to HCP Consul Central.
|