Fabio can connect to Consul using TLS for secure communication.

config/config.go

@@ -143,4 +143,9 @@ type Consul struct {
 	CheckTLSSkipVerify                  bool
 	CheckDeregisterCriticalServiceAfter string
 	ChecksRequired                      string
+	EnableSSL                           bool
+	VerifySSL                           bool
+	CAFile                              string
+	CertFile                            string
+	KeyFile                             string
 }

config/default.go

@@ -61,6 +61,8 @@ var defaultConfig = &Config{
 			CheckScheme:                         "http",
 			CheckDeregisterCriticalServiceAfter: "90m",
 			ChecksRequired:                      "one",
+			EnableSSL:                           false,
+			VerifySSL:                           false,
 		},
 		Timeout: 10 * time.Second,
 		Retry:   500 * time.Millisecond,

config/load.go

@@ -168,6 +168,11 @@ func load(cmdline, environ, envprefix []string, props *properties.Properties) (c
 	f.StringVar(&cfg.Registry.Consul.KVPath, "registry.consul.kvpath", defaultConfig.Registry.Consul.KVPath, "consul KV path for manual overrides")
 	f.StringVar(&cfg.Registry.Consul.NoRouteHTMLPath, "registry.consul.noroutehtmlpath", defaultConfig.Registry.Consul.NoRouteHTMLPath, "consul KV path for HTML returned when no route is found")
 	f.StringVar(&cfg.Registry.Consul.TagPrefix, "registry.consul.tagprefix", defaultConfig.Registry.Consul.TagPrefix, "prefix for consul tags")
+	f.BoolVar(&cfg.Registry.Consul.EnableSSL, "registry.consul.enableSSL", defaultConfig.Registry.Consul.EnableSSL, "enable HTTPS communication with Consul")
+	f.BoolVar(&cfg.Registry.Consul.VerifySSL, "registry.consul.verifySSL", defaultConfig.Registry.Consul.VerifySSL, "enable or disable SSL verification with Consul")
+	f.StringVar(&cfg.Registry.Consul.CAFile, "registry.consul.caFile", defaultConfig.Registry.Consul.CAFile, "the path to the ca certificate used for Consul communication")
+	f.StringVar(&cfg.Registry.Consul.CertFile, "registry.consul.certFile", defaultConfig.Registry.Consul.CertFile, "the path to the certificate for Consul communication")
+	f.StringVar(&cfg.Registry.Consul.KeyFile, "registry.consul.keyFile", defaultConfig.Registry.Consul.KeyFile, "the path to the private key for Consul communication")
 	f.BoolVar(&cfg.Registry.Consul.Register, "registry.consul.register.enabled", defaultConfig.Registry.Consul.Register, "register fabio in consul")
 	f.StringVar(&cfg.Registry.Consul.ServiceAddr, "registry.consul.register.addr", defaultConfig.Registry.Consul.ServiceAddr, "service registration address")
 	f.StringVar(&cfg.Registry.Consul.ServiceName, "registry.consul.register.name", defaultConfig.Registry.Consul.ServiceName, "service registration name")

fabio.properties

@@ -626,6 +626,106 @@
 #
 # registry.consul.noroutehtmlpath = /fabio/noroute.html
 
+# registry.consul.enableSSL enables HTTPS communication with Consul.
+#
+# Consul support TLS client communication and this flag is used to
+# enable Fabio to talk to Consul over HTTPS.
+#
+# The default is
+#
+# registry.consul.enableSSL = false
+
+
+# registry.consul.verifySSL enable SSL verification with Consul.
+#
+# VerifySSL enables or disables SSL verification when the transport scheme
+#	for the Consul API client is HTTPS
+#
+# The default is
+#
+# registry.consul.verifySSL = false
+
+
+# registry.consul.caFile the path to the ca certificate used for Consul communication.
+#
+# This is the full path to the CA certificate to use when communicating
+# with Consul over HTTPS.
+#
+# The default is
+#
+# registry.consul.caFile =
+
+
+# registry.consul.CertFile the path to the TLS certificate used for Consul communication.
+#
+# This is the full path to the TLS certificate to use when communicating
+# with Consul over HTTPS.
+#
+# The default is
+#
+# registry.consul.CertFile =
+
+
+# registry.consul.KeyFile the path to the TLS certificate key used for Consul communication.
+#
+# This is the full path to the TLS ckey ertificate to use when communicating
+# with Consul over HTTPS.
+#
+# The default is
+#
+# registry.consul.KeyFile =
+
+
+# registry.consul.enableSSL enables HTTPS communication with Consul.
+#
+# Consul support TLS client communication and this flag is used to
+# enable Fabio to talk to Consul over HTTPS.
+#
+# The default is
+#
+# registry.consul.enableSSL = false
+
+
+# registry.consul.verifySSL enable SSL verification with Consul.
+#
+# VerifySSL enables or disables SSL verification when the transport scheme
+#	for the Consul API client is HTTPS
+#
+# The default is
+#
+# registry.consul.verifySSL = false
+
+
+# registry.consul.caFile the path to the ca certificate used for Consul communication.
+#
+# This is the full path to the CA certificate to use when communicating
+# with Consul over HTTPS.
+#
+# The default is
+#
+# registry.consul.caFile =
+
+
+# registry.consul.CertFile the path to the TLS certificate used for Consul communication.
+#
+# This is the full path to the TLS certificate to use when communicating
+# with Consul over HTTPS.
+#
+# The default is
+#
+# registry.consul.CertFile =
+
+
+# registry.consul.KeyFile the path to the TLS certificate key used for Consul communication.
+#
+# This is the full path to the TLS ckey ertificate to use when communicating
+# with Consul over HTTPS.
+#
+# The default is
+#
+# registry.consul.KeyFile =
+
+
 # registry.consul.service.status configures the valid service status
 # values for services included in the routing table.
 #

registry/consul/backend.go

@@ -19,8 +19,23 @@ type be struct {
 }
 
 func NewBackend(cfg *config.Consul) (registry.Backend, error) {
+
+	var tls api.TLSConfig
+
+	if cfg.EnableSSL {
+		cfg.Scheme = "https"
+
+		tls := &api.TLSConfig{
+			Address:  cfg.Addr,
+			CAFile:   cfg.CAFile,
+			CertFile: cfg.CertFile,
+			KeyFile:  cfg.KeyFile,
+		}
+		tls.InsecureSkipVerify = !cfg.VerifySSL
+	}
+
 	// create a reusable client
-	c, err := api.NewClient(&api.Config{Address: cfg.Addr, Scheme: cfg.Scheme, Token: cfg.Token})
+	c, err := api.NewClient(&api.Config{Address: cfg.Addr, Scheme: cfg.Scheme, Token: cfg.Token, TLSConfig: tls})
 	if err != nil {
 		return nil, err
 	}