HA access to the management interface on instances

[far-blue]

I'm now happily running fabio in production with, for the moment, consul backed certs and all is great. With a number of fabio instances running I assume it doesn't matter which management interface I accessed to monitor and add manual overrides so I figured I could configure the fabio service itself to have a urlprefix tag and have fabio instances route their (or each other's) management interfaces from a common hostname.

Is this a sensible thing to do or is it going to cause problems?

If it is a sensible thing to do, maybe it could be a standard config option in the config file? Maybe with fabio being aware of sibling instances.

If it isn't a sensible thing to do because it is best to talk to a single 'master' instance for config then maybe fabio could do this for us - use consul to elect a leader with the follower instances proxying through to the current leader.

[magiconair]

@far-blue good to know. I'll see that I can wrap up the vault change soon. It's a time issue and we finally have some summer sun. Not sure for how long though ...

fabio is stateless therefore it doesn't matter which instance you use. Adding an option to register the admin ui prefix in consul itself sounds interesting.

My concern is that some users will just blindly add /admin to their regular domain essentially exposing the admin ui on the net - which would create a nice open reverse proxy for everybody to use. This is too easy to get wrong. Maybe by setting this fabio would require configuring authentication. However, that requires that the admin ui is on HTTPS which requires that there is a listener and a cert ... (rabbit hole)

TBH, in our experience we rarely look at the admin ui if ever. The manual overrides are the "fixer" tool to amend a broken deployment. They shouldn't be part of the normal workflow but maybe I'm missing something here.

[far-blue]

Hmm, yes, good point :)

As for why make the admin interface easy to find: I'm actually a dev, not a sysad, and I architect and maintain the cluster of servers we use for our dev environment - basically a simulacrum of the production environment but with the flexibility to change things around, run multiple copies of services, try out new stuff etc. As I'm actually mostly a dev I am trying to make the dev cluster environment approachable to the other devs so I'm not the only one who can spin up services, recover accidentally deleted data from backup, tweak admin settings etc.

As a result, I try to make all the admin interfaces easily available to make documentation and training easier :)

As an aside - of course, in this more open and dynamic environment some stuff still needs to be kept secret and out of reach of devs who might accidentally reveal important keys or, almost as bad, delete them. Hence my keen interest in vault integration :D

[magiconair]

The whole point of developing fabio was to forget about configuring the load balancer - and we do. We never touch it anymore. Our stuff just works.

Devs are in complete control what gets routed where once their services are configured properly in consul. Therefore, you only need to look at the admin console for blue/green deployments or weighted routing which happens during larger refactorings which shouldn't happen that often I guess.