consul connect redirect-traffic

hashicorp / consul

Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.

Other

28.4k stars 4.43k forks source link

curl -k https://127.0.0.1:8501/v1/agent/service/register \ --header "X-Consul-Token: ********-****-****-****-************" \ --request PUT \ --data '{ "id": "demo-one-0", "name": "demo-one", "port": 8081, "connect": { "sidecar_service": { "proxy": { "mode": "transparent", "transparent_proxy": { "OutboundListenerPort": 15001, "DialedDirectly": true } } } }, "check": { "http": "http://192.168.103.238:8081/health", "method": "GET", "interval": "1s", "timeout": "1s" } }'

I don`t understand this proxy-uid or how to do?

Transparent proxy works by installing iptables rules that redirect all inbound and outbound traffic to Envoy. Envoy itself must not be subject to this redirection, otherwise when it initiate an outgoing connection, the connection would be redirected back to itself.

In order to avoid this redirect loop, Envoy must run under a different Unix user account than the account used to spawn the application. The -proxy-uid allows you to specify the Unix user identifier under which the proxy is running so that the UID can be exempted from traffic redirection.

my case is ： curl demo-one/demo ， and demo-one will access demo-two by transparent_proxy

in the VM , I want springboot project : demo-one ----> demo-two

This should be easier to accomplish with Consul 1.11 by accessing the service using the new virtual IP service lookup (e.g., curl demo-two.virtual.consul/demo) and by using the following connect_service config in the service registrations.

{
  "connect": {
    "sidecar_service": {
      "proxy": {
        "mode": "transparent"
      }
    }
  }
}

hashicorp / consul

consul connect redirect-traffic #11038