We have a cluster where Consul is TLS-enabled and running on https://:8501/ on all nodes. This uses a self-signed CA.
Is there a way to make only localhost Consul calls on HTTP while Consul is HTTPS-enabled? We essentially want this to avoid every Nomad job talking to local Consul having to add the CA in the API requests.
Yep, you can set both http and https addresses for Consul and it will listen for both. You do that by specifying both ports under the ports configuration. For localhost calls, I’d also recommend setting the http bind address to be 127.0.0.1 via the addresses configuration so that the HTTP API isn’t accidentally exposed outside of that localhost traffic.
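
The configuration described in the answer above, as an added example that is not part of the original post: a Consul agent configuration fragment that keeps HTTPS on the page's port 8501 and adds a plaintext HTTP listener bound to loopback only. The HTTP port 8500 (Consul's default) and the `0.0.0.0` HTTPS bind address are assumptions; the existing TLS certificate settings are left out and stay as they are.

```hcl
# Added example (constructed): merge into the existing Consul agent configuration.

ports {
  http  = 8500   # plaintext API, intended for local clients only (assumed default port)
  https = 8501   # TLS API already in use on the cluster
}

addresses {
  # Bind the plaintext listener to loopback so it is not reachable from other hosts.
  http = "127.0.0.1"

  # Assumption: the TLS listener stays reachable on all interfaces for remote clients.
  https = "0.0.0.0"
}

# Setting to watch for: any listener without its own entry under "addresses"
# falls back to client_addr. If client_addr is "0.0.0.0" and addresses.http is
# omitted, enabling ports.http exposes the plaintext API on every interface.
# client_addr = "0.0.0.0"
```

After restarting the agent, confirm that port 8500 is listening on 127.0.0.1 only and that 8501 still answers over TLS from other nodes. ACL tokens sent to the loopback listener travel unencrypted, so they remain readable to anything that can observe local traffic on that host.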