Fabio can connect to Consul using TLS for secure communication.

This change updates Fabio's configuration parameters to allow use and specification of TLS certificates for HTTPS. In Consul setups where full TLS is configured using CA private this allows Fabio to work in a secure manner. Closes fabiolb#276
stack72 · Jun 6, 2018 · 33dd7cc · 33dd7cc
1 parent 1fb35b1
commit 33dd7cc
Show file tree

Hide file tree

Showing 5 changed files with 78 additions and 2 deletions.
diff --git a/config/config.go b/config/config.go
@@ -143,4 +143,9 @@ type Consul struct {
 	CheckTLSSkipVerify                  bool
 	CheckDeregisterCriticalServiceAfter string
 	ChecksRequired                      string
+	EnableSSL                           bool
+	VerifySSL                           bool
+	CAFile                              string
+	CertFile                            string
+	KeyFile                             string
 }
diff --git a/config/default.go b/config/default.go
@@ -61,6 +61,8 @@ var defaultConfig = &Config{
 			CheckScheme:                         "http",
 			CheckDeregisterCriticalServiceAfter: "90m",
 			ChecksRequired:                      "one",
+			EnableSSL:                           false,
+			VerifySSL:                           false,
 		},
 		Timeout: 10 * time.Second,
 		Retry:   500 * time.Millisecond,

diff --git a/config/load.go b/config/load.go
@@ -168,6 +168,11 @@ func load(cmdline, environ, envprefix []string, props *properties.Properties) (c
 	f.StringVar(&cfg.Registry.Consul.KVPath, "registry.consul.kvpath", defaultConfig.Registry.Consul.KVPath, "consul KV path for manual overrides")
 	f.StringVar(&cfg.Registry.Consul.NoRouteHTMLPath, "registry.consul.noroutehtmlpath", defaultConfig.Registry.Consul.NoRouteHTMLPath, "consul KV path for HTML returned when no route is found")
 	f.StringVar(&cfg.Registry.Consul.TagPrefix, "registry.consul.tagprefix", defaultConfig.Registry.Consul.TagPrefix, "prefix for consul tags")
+	f.BoolVar(&cfg.Registry.Consul.EnableSSL, "registry.consul.enableSSL", defaultConfig.Registry.Consul.EnableSSL, "enable HTTPS communication with Consul")
+	f.BoolVar(&cfg.Registry.Consul.VerifySSL, "registry.consul.verifySSL", defaultConfig.Registry.Consul.VerifySSL, "enable or disable SSL verification with Consul")
+	f.StringVar(&cfg.Registry.Consul.CAFile, "registry.consul.caFile", defaultConfig.Registry.Consul.CAFile, "the path to the ca certificate used for Consul communication")
+	f.StringVar(&cfg.Registry.Consul.CertFile, "registry.consul.certFile", defaultConfig.Registry.Consul.CertFile, "the path to the certificate for Consul communication")
+	f.StringVar(&cfg.Registry.Consul.KeyFile, "registry.consul.keyFile", defaultConfig.Registry.Consul.KeyFile, "the path to the private key for Consul communication")
 	f.BoolVar(&cfg.Registry.Consul.Register, "registry.consul.register.enabled", defaultConfig.Registry.Consul.Register, "register fabio in consul")
 	f.StringVar(&cfg.Registry.Consul.ServiceAddr, "registry.consul.register.addr", defaultConfig.Registry.Consul.ServiceAddr, "service registration address")
 	f.StringVar(&cfg.Registry.Consul.ServiceName, "registry.consul.register.name", defaultConfig.Registry.Consul.ServiceName, "service registration name")

diff --git a/fabio.properties b/fabio.properties
@@ -626,6 +626,56 @@
 #
 # registry.consul.noroutehtmlpath = /fabio/noroute.html
 
+# registry.consul.enableSSL enables HTTPS communication with Consul.
+#
+# Consul support TLS client communication and this flag is used to
+# enable Fabio to talk to Consul over HTTPS.
+#
+# The default is
+#
+# registry.consul.enableSSL = false
+
+
+# registry.consul.verifySSL enable SSL verification with Consul.
+#
+# VerifySSL enables or disables SSL verification when the transport scheme
+#	for the Consul API client is HTTPS
+#
+# The default is
+#
+# registry.consul.verifySSL = false
+
+
+# registry.consul.caFile the path to the ca certificate used for Consul communication.
+#
+# This is the full path to the CA certificate to use when communicating
+# with Consul over HTTPS.
+#
+# The default is
+#
+# registry.consul.caFile =
+
+
+# registry.consul.CertFile the path to the TLS certificate used for Consul communication.
+#
+# This is the full path to the TLS certificate to use when communicating
+# with Consul over HTTPS.
+#
+# The default is
+#
+# registry.consul.CertFile =
+
+
+# registry.consul.KeyFile the path to the TLS certificate key used for Consul communication.
+#
+# This is the full path to the TLS ckey ertificate to use when communicating
+# with Consul over HTTPS.
+#
+# The default is
+#
+# registry.consul.KeyFile =
+
+
 # registry.consul.service.status configures the valid service status
 # values for services included in the routing table.
 #
@@ -717,7 +767,6 @@
 #
 # registry.consul.register.checkTLSSkipVerify = false
 
-
 # registry.consul.register.checkDeregisterCriticalServiceAfter configures
 # automatic deregistration of a service after the health check is critical for
 # this length of time.

diff --git a/registry/consul/backend.go b/registry/consul/backend.go
@@ -19,8 +19,23 @@ type be struct {
 }
 
 func NewBackend(cfg *config.Consul) (registry.Backend, error) {
+
+	var tls api.TLSConfig
+
+	if cfg.EnableSSL {
+		cfg.Scheme = "https"
+
+		tls := &api.TLSConfig{
+			Address:  cfg.Addr,
+			CAFile:   cfg.CAFile,
+			CertFile: cfg.CertFile,
+			KeyFile:  cfg.KeyFile,
+		}
+		tls.InsecureSkipVerify = !cfg.VerifySSL
+	}
+
 	// create a reusable client
-	c, err := api.NewClient(&api.Config{Address: cfg.Addr, Scheme: cfg.Scheme, Token: cfg.Token})
+	c, err := api.NewClient(&api.Config{Address: cfg.Addr, Scheme: cfg.Scheme, Token: cfg.Token, TLSConfig: tls})
 	if err != nil {
 		return nil, err
 	}