Fabio can connect to Consul using TLS for secure communication.

[jrasell]

This change updates Fabio's configuration parameters to allow use and specification of TLS certificates for HTTPS. In Consul setups where full TLS is configured using CA private this allows Fabio to work in a secure manner.

I have tested this change locally with a Consul TLS setup; log fragments are shown below to provide further detail:

./fabio -registry.consul.caFile=/Users/rasellj/opt/hashicorp/ca/rasellj-ca.pem -registry.consul.enableSSL -registry.consul.keyFile=/Users/rasellj/opt/hashicorp/consul/consul-server-key.pem -registry.consul.certFile=/Users/rasellj/opt/hashicorp/consul/consul-server.pem -registry.consul.verifySSL

"EnableSSL": true,
"VerifySSL": true,
"CAFile": "/Users/rasellj/opt/hashicorp/ca/rasellj-ca.pem",
"CertFile": "/Users/rasellj/opt/hashicorp/consul/consul-server.pem",
"KeyFile": "/Users/rasellj/opt/hashicorp/consul/consul-server-key.pem"

2017/11/20 09:44:50 [INFO] Version v1.5.3-10-g5b2fe34 starting
2017/11/20 09:44:50 [INFO] Go runtime is go1.9
2017/11/20 09:44:50 [INFO] Metrics disabled
2017/11/20 09:44:50 [INFO] Setting GOGC=800
2017/11/20 09:44:50 [INFO] Setting GOMAXPROCS=8
2017/11/20 09:44:50 [INFO] consul: Connecting to "localhost:8500" in datacenter "dc1"
2017/11/20 09:44:50 [INFO] Admin server access mode "rw"
2017/11/20 09:44:50 [INFO] Admin server listening on ":9998"
2017/11/20 09:44:50 [INFO] Waiting for first routing table
2017/11/20 09:44:50 [INFO] consul: Using dynamic routes
2017/11/20 09:44:50 [INFO] consul: Using tag prefix "urlprefix-"
2017/11/20 09:44:50 [INFO] consul: Watching KV path "/fabio/config"
2017/11/20 09:44:53 [INFO] consul: Registered fabio with id "REDACTED-9998"
2017/11/20 09:44:53 [INFO] consul: Registered fabio with address "10.210.90.45"
2017/11/20 09:44:53 [INFO] consul: Registered fabio with tags ""
2017/11/20 09:44:53 [INFO] consul: Registered fabio with health check to "http://[10.210.90.45]:9998/health"
2017/11/20 09:44:54 [INFO] consul: Manual config changed to #1
2017/11/20 09:44:54 [INFO] HTTP proxy listening on :9999
2017/11/20 09:44:54 [INFO] Access logging disabled
2017/11/20 09:44:54 [INFO] Using routing strategy "rnd"
2017/11/20 09:44:54 [INFO] Using route matching "prefix"
2017/11/20 09:44:54 [INFO] consul: Health changed to #6

Feedback would be appreciated, and any changes requested will be acted upon promptly.

Closes #276

[CLAassistant]

All committers have signed the CLA.

[jrasell]

The test failures seem to be sporadic and I do not believe they are related to my changes.

[jrasell]

@magiconair would it be possible to get some feedback on this PR?

[magiconair]

Yes. I’ll have a look later today. Sorry for the delay

[magiconair]

Why do you need a key? This is for making TLS connections to consul, correct? Can’t you just add the ca file to the trusted root CAs in /etc/ssl?

[magiconair]

And use an https URL for consul obviously

[jrasell]

@magiconair yes that is an option and is what I currently do in my setups. I was merely adding this feature as detailed in the ticket #276

[magiconair]

Ah, the cert and key are used for client cert authentication. The example uses the Consul server cert and that doesn't seem correct.

I can see several use cases:

1. Use HTTPS:
   add registry.consul.scheme=https option

2. Use custom CA:
   add registry.consul.tls.ca_path=/path/to/certs

3. disable cert validation
   add registry.consul.tls.skip_verify = {true,false} to be (somewhat) consistent with the other options

4. enable client cert authentication
   add registry.consul.tls.client_cert=/path/to/cert.pem and registry.consul.tls.client_key=/path/to/key.pem The key should be optional if both cert and key are in the same file. In this case both should point to the same file.

[sev3ryn]

uppercase words are not parsed by flag library. If you change it to lower case flag will parse it correctly. I mean - registry.consul.enableSSL change to registry.consul.enablessl
same for other added parametes

• change to lowercase if property file

[sev3ryn]

tls variable is shadowed here. Here should be
tls = api.TLSConfig{

[sev3ryn]

Hi, I also faced a need for this functionality today.
But code in this PR have few issues and is not fully working - @jrasell see my comments on File changes tab.

BTW. @jrasell, if you abandoned this PR - I can pick it to implement changes that @magiconair requested

[vjeantet]

Hello, i need this functionality too.

Currently blocked because of lack of https to search consul. :(

How can we help ?

[eagle1981]

How about merge to next release? It's blocker feature for our deployment.

[tecnobrat]

@jrasell @sev3ryn is this abandoned? I also need this as well as its a blocker .. let me know if I can help, happy to try to refactor this PR.

[pires]

This can be closed since #602 was merged, right?

[pschultz]

Yes, thanks for the reminder.