Deny Anonymous Read - Consul

Hello Experts,

I am trying to deny all the anonymous requests to list the nodes, and it is not working as expected. When I try to curl using the below command, it lists all the nodes and their details:
curl https://my-consul-server:8500/v1/catalog/nodes

Also, without any specific ACL, I am able to access the UI with the below URL:
https://my-consul-server:8500/ui/dc1/nodes

Below is my config in Consul; deny_policy is bound to the Anonymous read token.
Consul version: v1.4.0
Token: Anonymous read
Policy: deny_policy
Rules:

service_prefix "" { policy = "deny" }
service "" { policy = "deny" } 
key_prefix "" { policy = "deny" } 
node_prefix "" { policy = "deny" }
agent_prefix "" { policy = "deny" }
query_prefix "" { policy = "deny" }

Any suggestion on how to block all the requests without any token?

Hello @ukchaitanya :wave:
I was able to replicate your problem locally with this policy and using Consul 1.4 when I set the value of "default_policy": "deny" rather than "default_policy": "allow", in the Consul server ACL configuration settings. When the default_policy is set to deny, I was able to successfully prevent the anonymous token from reading data.

Here are the files and steps I used to replicate the problem (uses docker and docker-compose), with a working example included:

I hope this helps with your issue!

Hi @eddie-rowe , Thanks for the quick response. I have the above config set already in my server. Below is the extract from the consul config FYR:
{
  "addresses": {"https": "0.0.0.0", "http": "127.0.0.1"},
  "ports": {"https": 8500, "http": 8400},
  "acl": {
    "enabled": true,
    "default_policy": "deny",
    "tokens": {
      "agent": "my-agent-token"
    }
  },
  "verify_outgoing": true,
  "verify_incoming_rpc": false
}

Am I missing anything here?

Happy to help, @ukchaitanya

Can you please post your output of the following commands:

consul acl policy read <name-of-your-anonymous-token-policy>

curl --header "X-Consul-Token: <your-master-or-bootstrap-token>" https://127.0.0.1:8500/v1/agent/members

curl https://127.0.0.1:8500/v1/catalog/nodes

Also, with your configuration, do you have the certificates set with ca_file? Without the certificate files I get this error: Error starting agent: VerifyOutgoing set, and no CA certificate provided

Yes, I have set ca_file in the config. I have used http instead of https as the certificate is not recognized in the console.

Below is the command output:

consul acl policy read -name "deny_anonymous_read"
Error determining policy ID: Get http://127.0.0.1:8500/v1/acl/policies: net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02"

However, the below command helped with listing policies:

curl --header "X-Consul-Token: my-master-token" http://127.0.0.1:8400/v1/acl/policies

[
  {
    …
  },
  {
    "ID": "3c2660d5-383c-2628-2978-e3707cad7ecb",
    "Name": "deny_anonymous_read",
    "Description": "",
    "Datacenters": null,
    "Hash": "token-policy-hash",
    "CreateIndex": 65519316,
    "ModifyIndex": 65521198
  },
  {
    …
  },
  {
    …
  }
]

curl --header "X-Consul-Token: my-master-token" http://127.0.0.1:8400/v1/agent/members

[
  {
    "Name": "my-app-node",
    "Addr": "node-ip-address",
    "Port": 8301,
    "Tags": {
      "acls": "1",
      "build": "1.4.0:0bddfa23",
      "dc": "dc1",
      "id": "some-node-id",
      "role": "node",
      "segment": "",
      "vsn": "2",
      "vsn_max": "3",
      "vsn_min": "2"
    },
    "Status": 1,
    "ProtocolMin": 1,
    "ProtocolMax": 5,
    "ProtocolCur": 2,
    "DelegateMin": 2,
    "DelegateMax": 5,
    "DelegateCur": 4
  },
  {…},
  {…}
]

curl http://127.0.0.1:8400/v1/catalog/nodes

[
  {
    "ID": "my-app-node-id",
    "Node": "my-app-node",
    "Address": "node-ip-address",
    "Datacenter": "dc1",
    "TaggedAddresses": {
      "lan": "node-ip-address",
      "wan": "node-ip-address"
    },
    "Meta": {
      "consul-network-segment": ""
    },
    "CreateIndex": 65504848,
    "ModifyIndex": 65504848
  },
  {…},
  {…}
]

Hello @ukchaitanya

I'd like to see the contents of your "deny_anonymous_read" policy. Can you please run and post the output of:
curl --header "X-Consul-Token: my-master-token" http://127.0.0.1:8400/v1/acl/policies/3c2660d5-383c-2628-2978-e3707cad7ecb

Can you also please post your Consul server configuration file?

Thank you.

Hi @eddie-rowe, resolved it by removing the default token from the consul.json config file and adding the deny policy. Thanks for your help!
Deny anonymous policy content:

service_prefix "" { policy = "deny" }
service "" { policy = "deny" } 
key_prefix "" { policy = "deny" } 
node_prefix "" { policy = "deny" }
agent_prefix "" { policy = "deny" }
query_prefix "" { policy = "deny" }

Current consul config:

{
  "addresses": {"https": "0.0.0.0", "http": "127.0.0.1"},
  "ports": {"https": 8500, "http": 8400},
  "acl": {
    "enabled": true,
    "default_policy": "deny",
    "down_policy": "extend-cache",
    "tokens": {
      "agent": "my-agent-token"
    }
  },
  "verify_outgoing": true,
  "verify_incoming_rpc": false
}

Earlier I had the default token along with the agent token in the config file! Guess I had missed it in my previous response.

1 Like
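The root cause in this thread is that an `acl.tokens.default` entry in the agent config makes every request that carries no `X-Consul-Token` use that token rather than the anonymous token, so the anonymous token's deny policy never gets a chance to apply. The following is an added example, not code from the thread or from HashiCorp: a small audit script that reads an agent config JSON like the ones posted above and flags the three settings that matter here (ACLs disabled, `default_policy` not `deny`, and a default token present), plus a check that an anonymous policy text contains the empty-prefix deny rules listed in the thread. The sample configs and the token value `placeholder-default-token` are constructed for the example.

```python
import json
import re

# Constructed sample: the thread's agent config plus an "acl.tokens.default"
# entry, which is the shape that let token-less requests read the catalog.
CONFIG_WITH_DEFAULT_TOKEN = """
{
  "addresses": {"https": "0.0.0.0", "http": "127.0.0.1"},
  "ports": {"https": 8500, "http": 8400},
  "acl": {
    "enabled": true,
    "default_policy": "deny",
    "tokens": {
      "agent": "my-agent-token",
      "default": "placeholder-default-token"
    }
  },
  "verify_outgoing": true,
  "verify_incoming_rpc": false
}
"""

# Constructed sample matching the resolved config posted at the end of the thread.
CONFIG_RESOLVED = """
{
  "addresses": {"https": "0.0.0.0", "http": "127.0.0.1"},
  "ports": {"https": 8500, "http": 8400},
  "acl": {
    "enabled": true,
    "default_policy": "deny",
    "down_policy": "extend-cache",
    "tokens": {"agent": "my-agent-token"}
  },
  "verify_outgoing": true,
  "verify_incoming_rpc": false
}
"""

# The anonymous-token policy rules as posted in the thread.
ANONYMOUS_POLICY = '''
service_prefix "" { policy = "deny" }
service "" { policy = "deny" }
key_prefix "" { policy = "deny" }
node_prefix "" { policy = "deny" }
agent_prefix "" { policy = "deny" }
query_prefix "" { policy = "deny" }
'''


def audit_consul_acl(config_text):
    """Return a list of findings for a Consul agent config given as a JSON string.

    An empty list means every check passed. Order of findings is fixed:
    enabled, default_policy, default token.
    """
    cfg = json.loads(config_text)
    acl = cfg.get("acl") or {}
    tokens = acl.get("tokens") or {}
    findings = []

    if acl.get("enabled") is not True:
        findings.append("acl.enabled is not true: ACL enforcement is off")

    # Consul falls back to "allow" when default_policy is omitted, so a missing
    # key is treated as a finding, not as a pass.
    if acl.get("default_policy", "allow") != "deny":
        findings.append('acl.default_policy is not "deny": unmatched requests are allowed')

    # A default token is sent on every request that has no X-Consul-Token header,
    # so the anonymous token (and its policy) is never consulted for them.
    if tokens.get("default"):
        findings.append(
            "acl.tokens.default is set: requests without X-Consul-Token use this token "
            "instead of the anonymous token, so the anonymous policy is bypassed"
        )

    return findings


# Matches rules of the form: <kind> "" { policy = "<value>" }
_RULE_RE = re.compile(r'(\w+)\s+""\s*\{\s*policy\s*=\s*"(\w+)"\s*\}')

# The resource kinds the thread's policy denies; extend as needed for your setup.
REQUIRED_DENY_KINDS = ("node_prefix", "service_prefix", "key_prefix",
                       "agent_prefix", "query_prefix")


def missing_deny_rules(policy_text):
    """Return the required kinds that have no empty-prefix deny rule in policy_text."""
    denied = {kind for kind, value in _RULE_RE.findall(policy_text) if value == "deny"}
    return [kind for kind in REQUIRED_DENY_KINDS if kind not in denied]


if __name__ == "__main__":
    for name, text in (("with default token", CONFIG_WITH_DEFAULT_TOKEN),
                       ("resolved", CONFIG_RESOLVED)):
        print(name, "->", audit_consul_acl(text) or "no findings")
    print("missing deny rules:", missing_deny_rules(ANONYMOUS_POLICY) or "none")
```

Run against the first sample the script reports only the default-token finding, which is exactly the condition the thread ended on; the resolved config produces no findings. The policy check is a plain regex over the rule text rather than a full HCL parser, so it only recognises the one-line `kind "" { policy = "..." }` form used in the thread.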

Nice work, @ukchaitanya !

Glad everything is now working as expected - cheers!