Connect: Support unix sockets #4293
Comments
This is a very reasonable idea. I'm assuming you mean for the upstream listeners (private listeners). We focused really hard on this initial release to go with platform-agnostic technologies with the full intention of building platform-specific features later. This is a relatively simple one and I agree that the security aspects can be appealing here.
Yeah this is something we considered as Mitchell said. Out of interest, what software are you thinking of that could make use of unix sockets? The most common things I can think of are databases like MySQL that can listen on a unix socket which is potentially nicer than loopback, but it can't make outgoing connections on unix sockets. The improvements in security are mostly a concern for outgoing connections which it's not clear how the application would consume without modification. We will certainly consider supporting this anyway but just wanted to hear if you have specific use-cases in mind we hadn't thought of?
That idea crossed my mind because trusting localhost is quite a huge requirement when you have lots of microservices on the same host; and playing with network namespaces is not the easiest thing to do. I do not really have a special use case in mind at the moment, but for languages like golang, using unix sockets or TCP/IP sockets does not make a big difference in code.
Support for Unix sockets with Connect was added in Consul 1.10 beta 2 by #9981.
Feature Description
Instead of listening on a TCP port, it would be great to be able to use unix sockets for incoming connections of the connect proxy (upstreams).
Use Case(s)
Unix sockets offer an alternative to listening on loopback and can be secured differently (more easily) than with network namespaces.
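
An added example illustrating the thread's two points (it is not code from Consul or from any commenter): in Go the same listener and client code serves either a loopback TCP port or a Unix socket, and only the socket can be restricted with file permissions. The names `listen` and `roundTrip`, the echo service and the socket path are hypothetical.

```go
package main
import (
	"bufio"
	"fmt"
	"net"
	"os"
	"strings"
)
// listen opens "tcp" or "unix"; a Unix socket is set to 0600 so file permissions gate access.
func listen(network, addr string) (net.Listener, error) {
	ln, err := net.Listen(network, addr)
	if err == nil && network == "unix" {
		if err = os.Chmod(addr, 0o600); err != nil {
			ln.Close()
			return nil, err
		}
	}
	return ln, err
}

// roundTrip serves one echo connection on network/addr and returns the reply.
func roundTrip(network, addr, msg string) (string, error) {
	ln, err := listen(network, addr)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // hypothetical upstream service: echo one line
		if c, err := ln.Accept(); err == nil {
			line, _ := bufio.NewReader(c).ReadString('\n')
			fmt.Fprint(c, line)
			c.Close()
		}
	}()
	conn, err := net.Dial(network, ln.Addr().String())
	if err != nil {
		return "", err
	}
	defer conn.Close()
	fmt.Fprintln(conn, msg)
	reply, err := bufio.NewReader(conn).ReadString('\n')
	return strings.TrimSpace(reply), err
}

func main() {
	dir, _ := os.MkdirTemp("", "sock") // 0700 directory covers the gap before Chmod
	defer os.RemoveAll(dir)
	fmt.Println(roundTrip("unix", dir+"/app.sock", "hello"))
	fmt.Println(roundTrip("tcp", "127.0.0.1:0", "hello"))
}
```

Any local process can connect to the loopback port, while the socket is reachable only by the user that owns it.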