user3379502

Reputation: 323

Disabling the Consul HTTP endpoints

We have enabled ACLs and TLS for the Consul cluster in our environment. We have disabled the UI as well. But I can still access the URL http://<consul_agent>:8500/v1/coordinate/datacenters. How can I disable URLs like this?

I tested with adding the following to the consulConfig.json:

"ports":{
  "http": -1
}

this did not solve the problem.

Apart from the suggestion provided to use "http_config": { "block_endpoints": ... }, I am trying to use an ACL policy to see if that can solve it.

  1. I enabled the ACL's first
  2. I created a policy using the command: consul acl policy create -name "urlblock" -description "Url Block Policy" -rules @service_block.hcl -token <tokenvalue>. Contents of service_block.hcl: service_prefix "/v1/status/leader" { policy = "deny" }
  3. I created an agent token for this using the command: consul acl token create -description "Block Policy Token" -policy-name "urlblock" -token <tokenvalue>
  4. I copied the agent token from the output of the above command and pasted that in the consul_config.json file in the acl -> tokens section as "tokens": { "agent": "<agenttokenvalue>"}
  5. I restarted the consul agents (did the same in the consul client also).

Still, I am able to access the endpoint /v1/status/leader. Any ideas as to what is wrong with this approach?

Upvotes: 0

Views: 1932

Answers (1)

Blake Covarrubias

Reputation: 2303

That configuration should properly disable the HTTP server. I was able to validate this works using the following config with Consul 1.9.5.

Disabling Consul's HTTP server

Create config.json in the agent's configuration directory which completely disables the HTTP API port.

config.json

{
    "ports": {
        "http": -1
    }
}

Start the Consul agent

$ consul agent -dev -config-file=config.json
==> Starting Consul agent...
           Version: '1.9.5'
           Node ID: 'ed7f0050-8191-999c-a53f-9ac48fd03f7e'
         Node name: 'b1000.local'
        Datacenter: 'dc1' (Segment: '<all>')
            Server: true (Bootstrap: false)
       Client Addr: [127.0.0.1] (HTTP: -1, HTTPS: -1, gRPC: 8502, DNS: 8600)
      Cluster Addr: 127.0.0.1 (LAN: 8301, WAN: 8302)
           Encrypt: Gossip: false, TLS-Outgoing: false, TLS-Incoming: false, Auto-Encrypt-TLS: false

==> Log data will now stream in as it occurs:
...

Note the HTTP port is set to "-1" on the Client Addr line. The port is now inaccessible.

Test connectivity to HTTP API

$ curl localhost:8500
curl: (7) Failed to connect to localhost port 8500: Connection refused

Blocking access to specific API endpoints

Alternatively you can block access to specific API endpoints, without completely disabling the HTTP API, by using the http_config.block_endpoints configuration option.

For example:

Create a config named block-endpoints.json

{
  "http_config": {
    "block_endpoints": [
      "/v1/catalog/datacenters",
      "/v1/coordinate/datacenters",
      "/v1/status/leader",
      "/v1/status/peers"
    ]
  }
}

Start Consul with this config

consul agent -dev -config-file=block-endpoints.json
==> Starting Consul agent...
           Version: '1.9.5'
           Node ID: '8ff15668-8624-47b5-6e83-7a8bfd715a56'
         Node name: 'b1000.local'
        Datacenter: 'dc1' (Segment: '<all>')
            Server: true (Bootstrap: false)
       Client Addr: [127.0.0.1] (HTTP: 8500, HTTPS: -1, gRPC: 8502, DNS: 8600)
      Cluster Addr: 127.0.0.1 (LAN: 8301, WAN: 8302)
           Encrypt: Gossip: false, TLS-Outgoing: false, TLS-Incoming: false, Auto-Encrypt-TLS: false

==> Log data will now stream in as it occurs:
...

In this example, the HTTP API is enabled and listening on port 8500.

Test connectivity to HTTP API

If you issue a request to one of the blocked endpoints, the following error will be returned.

$ curl localhost:8500/v1/status/peers
Endpoint is blocked by agent configuration

However, access to other endpoints is still permitted.

$ curl localhost:8500/v1/agent/members
[
    {
        "Name": "b1000.local",
        "Addr": "127.0.0.1",
        "Port": 8301,
        "Tags": {
            "acls": "0",
            "build": "1.9.5:3c1c2267",
            "dc": "dc1",
            "ft_fs": "1",
            "ft_si": "1",
            "id": "6d157a1b-c893-3903-9037-2e2bd0e6f973",
            "port": "8300",
            "raft_vsn": "3",
            "role": "consul",
            "segment": "",
            "vsn": "2",
            "vsn_max": "3",
            "vsn_min": "2",
            "wan_join_port": "8302"
        },
        "Status": 1,
        "ProtocolMin": 1,
        "ProtocolMax": 5,
        "ProtocolCur": 2,
        "DelegateMin": 2,
        "DelegateMax": 5,
        "DelegateCur": 4
    }
]

Upvotes: 1
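The two mechanisms in the answer above (ports.http = -1 versus http_config.block_endpoints) are easy to confuse when reviewing an agent config, so here is a small audit helper, added here as an example and not part of the question, the answer or Consul itself. It reads a config the way Consul's documentation describes block_endpoints (the assumption here is that entries are matched as path prefixes and matching requests get an HTTP 403 with the "Endpoint is blocked by agent configuration" message shown above), and classifies a list of request paths as unreachable, blocked or allowed. SAMPLE_CONFIG is a constructed copy of the answer's block-endpoints.json with the HTTP port added; the function names are my own.

```python
import json

# Constructed sample agent config, modelled on block-endpoints.json from the answer.
SAMPLE_CONFIG = json.loads("""
{
  "ports": {"http": 8500},
  "http_config": {
    "block_endpoints": [
      "/v1/catalog/datacenters",
      "/v1/coordinate/datacenters",
      "/v1/status/leader",
      "/v1/status/peers"
    ]
  }
}
""")


def http_disabled(config):
    """True when ports.http is -1: the plaintext HTTP listener is never started,
    so every path is unreachable (the 'Connection refused' case in the answer)."""
    return config.get("ports", {}).get("http") == -1


def is_blocked(path, config):
    """Apply the prefix matching Consul documents for http_config.block_endpoints.
    Assumption: a request whose path starts with any listed entry is rejected,
    so '/v1/status' alone would cover both /v1/status/leader and /v1/status/peers."""
    blocked = config.get("http_config", {}).get("block_endpoints", [])
    # Ignore any query string so '/v1/status/leader?dc=dc1' is judged on its path.
    path_only = path.split("?", 1)[0]
    return any(path_only.startswith(prefix) for prefix in blocked)


def audit(config, paths):
    """Map each request path to 'unreachable', 'blocked' or 'allowed' for this config."""
    if http_disabled(config):
        return {p: "unreachable" for p in paths}
    return {p: ("blocked" if is_blocked(p, config) else "allowed") for p in paths}


def load_and_audit(config_path, paths):
    """Convenience wrapper for a real agent config file on disk."""
    with open(config_path) as fh:
        return audit(json.load(fh), paths)


if __name__ == "__main__":
    probes = [
        "/v1/status/leader",
        "/v1/status/peers?dc=dc1",
        "/v1/coordinate/datacenters",
        "/v1/agent/members",
    ]
    for path, verdict in audit(SAMPLE_CONFIG, probes).items():
        print(f"{verdict:12} {path}")
```

Running it against the sample config lists the four endpoints from the answer as blocked and /v1/agent/members as allowed, which matches the curl results shown; swapping in {"ports": {"http": -1}} reports everything as unreachable. Note that this is a static check of the config only: an ACL policy such as the service_prefix rule in the question does not appear in either field, because ACLs authorize access to catalog data rather than to URL paths, which is why a deny rule there does not make /v1/status/leader return an error.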
