We have enabled ACLs and TLS for the Consul cluster in our environment. But the following URLs are still accessible. I need to block the below URLs:
http://localhost:8500/v1/coordinate/datacenters
http://localhost:8500/v1/status/leader
http://localhost:8500/v1/status/peers
http://localhost:8500/v1/catalog/datacenters
Option 1:
I am able to disable all 4 URLs above using:

    {
      "http_config": {
        "block_endpoints": [
          "/v1/catalog/datacenters",
          "/v1/coordinate/datacenters",
          "/v1/status/leader",
          "/v1/status/peers"
        ]
      }
    }

but blocking the endpoint /v1/catalog/datacenters stopped the services from discovering each other, and the UI is also blocked.
Option 2: ACL Policy / ACL Rules
I tried to use an ACL policy to see if that can solve it.
- I enabled the ACLs first.
- I created a policy using the command:

    consul acl policy create -name "urlblock" -description "Url Block Policy" -rules @service_block.hcl -token <tokenvalue>

  Contents of service_block.hcl:

    service_prefix "/v1/status/leader" { policy = "deny" }

- I created an agent token for this using the command:

    consul acl token create -description "Block Policy Token" -policy-name "urlblock" -token <tokenvalue>

- I copied the agent token from the output of the above command and pasted it into the consul_config.json file in the acl -> tokens section as:

    "tokens": { "agent": "<agenttokenvalue>" }

- I restarted the Consul agents (did the same on the Consul client also).

Still I am able to access the endpoint /v1/status/leader. Any ideas as to what is wrong with this approach? Any ideas on how I can block those URLs but still let the services discover each other and keep the UI accessible using the ACL tokens?
When I test with key or key_prefix rules, I am able to block access to that complete key_prefix or just that key.
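Added example, not part of the original post and not Consul's own code: Option 1's `http_config.block_endpoints` is applied by Consul as a string-prefix match against the registered HTTP API route, and any match is answered with 403. The script below reproduces that prefix test offline so a candidate block list can be vetted for collateral damage (required routes it would also cut off) and for gaps (endpoints it leaves open) before the config is pushed to agents. The list of routes that discovery and the UI depend on is a constructed sample and an assumption for this example; a real audit would use the routes the deployment's clients actually call.

```python
"""Dry-run checker for Consul's http_config.block_endpoints.

Added example, not part of the original forum post and not Consul's own code.
Consul's documented behaviour: every entry in block_endpoints is compared to
the HTTP API route as a prefix, and any route that matches returns 403.
This script mirrors that test so a block list can be reviewed offline.
"""
from __future__ import annotations

from dataclasses import dataclass

# Endpoints from the question that should be unreachable.
WANT_BLOCKED = [
    "/v1/coordinate/datacenters",
    "/v1/status/leader",
    "/v1/status/peers",
    "/v1/catalog/datacenters",
]

# Constructed sample (assumption for this example) of routes that service
# discovery and the UI call. /v1/catalog/datacenters appears here too because
# the question reports that blocking it broke discovery and the UI.
REQUIRED_ROUTES = [
    "/v1/catalog/services",
    "/v1/catalog/service/",
    "/v1/health/service/",
    "/v1/agent/services",
    "/v1/agent/service/register",
    "/v1/kv/",
    "/v1/catalog/datacenters",
]


def is_blocked(route: str, block_list: list[str]) -> bool:
    """Mirror Consul's check: a route is blocked if any entry is a prefix of it."""
    return any(route.startswith(prefix) for prefix in block_list)


@dataclass
class Report:
    blocked_as_intended: list[str]  # targets the list does block
    still_open: list[str]           # targets the list misses
    collateral: list[str]           # required routes the list would also block


def vet_block_list(block_list: list[str],
                   want_blocked: list[str] = WANT_BLOCKED,
                   required: list[str] = REQUIRED_ROUTES) -> Report:
    """Evaluate a candidate block_endpoints list against both route sets."""
    blocked = [r for r in want_blocked if is_blocked(r, block_list)]
    still_open = [r for r in want_blocked if not is_blocked(r, block_list)]
    collateral = [r for r in required if is_blocked(r, block_list)]
    return Report(blocked, still_open, collateral)


if __name__ == "__main__":
    candidates = [
        # The question's full list: closes everything but breaks the UI.
        ["/v1/status", "/v1/coordinate/datacenters", "/v1/catalog/datacenters"],
        # Narrower list: keeps the UI working but leaves one target open.
        ["/v1/status", "/v1/coordinate/datacenters"],
        # Over-broad prefix: shows how much collateral a short prefix causes.
        ["/v1/catalog"],
    ]
    for candidate in candidates:
        report = vet_block_list(candidate)
        print(candidate)
        print("  blocked:    ", report.blocked_as_intended)
        print("  still open: ", report.still_open)
        print("  collateral: ", report.collateral)
```

Running it shows the trade-off the question describes: the single prefix `/v1/status` covers both `/v1/status/leader` and `/v1/status/peers`, while any list that includes `/v1/catalog/datacenters` also appears in the collateral column because the same route is on the required list.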