Consul-connect template producing nginx file for 2000+ services

We have an nginx conf file that we’ve been producing with consul-template for about 2000 services, running Consul 1.6.1. We’re trying to upgrade to Consul 1.7.2 and running into an issue where consul-template DDoSes the Consul node agent. Node/client agent v1.6.1 works fine, but node/client agent v1.7.2 starts refusing connections from consul-template. The template in question (simplified version) is:

{{- range services }}
{{- if (in .Tags "nginxqa1") }}
{{- range service .Name }}
{{ .Address }}
{{- end }}
{{- end }}
{{- end }}

Adding the following limits config entry on the node/client consul seems to fix the issue:

http_max_conns_per_client = 5000

But, are there any implications to this? Is there a better way of doing this?

Any ideas / suggestions appreciated.

Hi @pchernik,

The http_max_conns_per_client parameter was introduced in hashicorp/consul#7159 to address CVE-2020-7219. The default value of 200 seemed to be a reasonable default for most use cases. However, there are scenarios such as yours where it makes sense to raise this value.

The only downside to raising this is that any client which is able to communicate with the Consul API will be able to create up to 5000 connections. It is not possible to raise this limit only for a specific client.
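To make the sizing concrete, here is an added example that is not part of either post and not Consul or consul-template code. It models two things the thread relies on: how many concurrent blocking queries the quoted template holds open (assumed here to be one `services` watch plus one `service NAME` watch per service matching the tag, which is my reading of consul-template's dependency model, not something the thread states), and a per-client-IP connection cap in the spirit of `http_max_conns_per_client`. The catalog of services and the client IP are constructed values.

```python
"""Added example (not from the thread): model why the template in the question
exceeds Consul's default http_max_conns_per_client and what raising it changes.

Assumptions, stated as such:
  * consul-template keeps one open blocking query per distinct dependency
    (the `services` listing plus one `service <name>` query per matched service);
  * the agent counts open connections per client IP address.
"""

DEFAULT_HTTP_MAX_CONNS_PER_CLIENT = 200  # default quoted in the answer above


def blocking_queries_for_template(catalog, tag):
    """Return the distinct dependencies the simplified template registers.

    `catalog` maps service name -> set of tags and stands in for the result of
    `range services`. The template needs one `services` watch plus one
    `service NAME` watch for every service carrying `tag`.
    """
    deps = {"services"}
    for name, tags in catalog.items():
        if tag in tags:
            deps.add(f"service {name}")
    return deps


class PerClientConnLimiter:
    """Simplified model of a connection cap keyed by client IP."""

    def __init__(self, max_conns_per_client):
        self.max_conns_per_client = max_conns_per_client
        self.open = {}  # client ip -> number of currently open connections

    def accept(self, client_ip):
        """Return True if one more connection from client_ip is allowed."""
        current = self.open.get(client_ip, 0)
        if current >= self.max_conns_per_client:
            return False
        self.open[client_ip] = current + 1
        return True

    def close(self, client_ip):
        """Release one connection held by client_ip."""
        if self.open.get(client_ip, 0) > 0:
            self.open[client_ip] -= 1


def simulate(catalog, tag, max_conns_per_client, client_ip="10.0.0.5"):
    """Open one connection per blocking query from a single client.

    Returns (accepted, refused); a refused watch is what the question reports
    as the agent refusing connections from consul-template.
    """
    limiter = PerClientConnLimiter(max_conns_per_client)
    accepted = refused = 0
    for _ in blocking_queries_for_template(catalog, tag):
        if limiter.accept(client_ip):
            accepted += 1
        else:
            refused += 1
    return accepted, refused


def build_catalog(total, tagged, tag="nginxqa1"):
    """Constructed catalog: `total` services, the first `tagged` carry `tag`."""
    return {
        f"svc-{i:04d}": ({tag} if i < tagged else {"other"})
        for i in range(total)
    }


if __name__ == "__main__":
    catalog = build_catalog(total=2000, tagged=2000)
    # Every service is tagged: 2001 watches against a cap of 200.
    print(simulate(catalog, "nginxqa1", DEFAULT_HTTP_MAX_CONNS_PER_CLIENT))  # (200, 1801)
    # The raised limit from the question leaves headroom.
    print(simulate(catalog, "nginxqa1", 5000))  # (2001, 0)
```

The number to compare against the limit is the count of distinct dependencies the template produces, not the size of the rendered file; and because the cap is per client IP, the raised value is what every address that can reach the agent's HTTP API gets, which is the trade-off the answer describes.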
