Blocking some http endpoints using Consul ACL

ganti.pavan · July 1, 2021, 8:25pm

We have enabled ACL’s and TLS for Consul cluster in our environment. But the following URL’s are still accessible. I need to block the below URL’s:

http://localhost:8500/v1/coordinate/datacenters
http://localhost:8500/v1/status/leader
http://localhost:8500/v1/status/peers
http://localhost:8500/v1/catalog/datacenters

Option1:
I am able to disable all the 4 url’s above using:

{
  "http_config": {
    "block_endpoints": [
      "/v1/catalog/datacenters",
      "/v1/coordinate/datacenters",
      "/v1/status/leader",
      "/v1/status/peers"
    ]
  }
}

but the end-point: /v1/catalog/datacenters blocked the services from discovering each other and the UI is also blocked.

Option2: ACL Policy/ACL Rules
I am tried to use the ACL Policy if that can solve.

I enabled the ACL’s first
I created a policy using the command: consul acl policy create -name "urlblock" -description "Url Block Policy" -rules @service_block.hcl -token <tokenvalue> contents of the service_block.hcl: service_prefix "/v1/status/leader" { policy = "deny" }
I created a agent token for this using the command: consul acl token create -description "Block Policy Token" -policy-name "urlblock" -token <tokenvalue>
I copied the agent token from the output of the above command and pasted that in the consul_config.json file in the acl -> tokens section as "tokens": { "agent": "<agenttokenvalue>"}
I restarted the consul agents (did the same in the consul client also).

Still I am able to access the endpoint /v1/status/leader . Any ideas as what is wrong with this approach? Any ideas on how I can block those URL’s but still let the services discover each other and UI is also accessible using the ACL tokens?

When I test the key or key_prefix I am able to block access to that complete key_prefix or just that key.

blake · July 6, 2021, 4:58pm

Hi @ganti.pavan,

Consul assumes that some of these endpoints, such as the /datacenters endpoint, is available so that information from that endpoint can be queried by the UI, etc. If blocking a certain endpoint breaks functionality you need in Consul, you will need to remove that endpoint from the http_config.block_endpoints list. That said, can you share a bit more info as to why you need to block access to some of these endpoints?

Consul does not support protecting the /v1/status/leader endpoint via ACLs. You can see this in the table listed below the API endpoint docs which states no ACL is required to access this endpoint. See the ACL rules and scope document to learn more about which ACL rules apply to which API endpoints.

ganti.pavan · July 12, 2021, 3:09pm

@blake thx for the answer. As part of the penetration testing done for our app, the team found out that these endpoints are open on http and they need these to be restricted. This is the reason why I am trying to block these URL’s. Based on the research and the question here, believe /catalog/datacenters is required for the apps to discover and so they cannot be blocked (with both options above) and option1 can be used for blocking the rest of the three URL’s. If anyone has any other options please let me know.

Topic		Replies	Views
Consul on k8s, how to provide ACL to service? Consul	2	369	February 1, 2021
Consul services registration is blocked by ACL Consul	1	1343	April 26, 2021
Consul acl policy not working as expected Consul acl	6	3247	August 6, 2019
Consul Agent access to KV denied by ACL Consul acl	8	8343	August 11, 2020
ACL/API endpoint mapping? Consul acl	3	521	January 12, 2022

Blocking some http endpoints using Consul ACL

Related topics