best way to bypass fabio consul integration?

[holtwilkins]

Hey there, we're running Fabio 1.5.6-go1.9.2 and Consul 1.0.3.

Our logs lately are filled with

Feb 08 07:17:12 ip-10-2-211-82 consul[3725]:     2018/02/08 07:17:12 [ERR] consul: "KVS.Get" RPC failed to server 10.2.210.211:8300: rpc error making call: Permission denied
Feb 08 07:17:12 ip-10-2-211-82 consul[3725]:     2018/02/08 07:17:12 [ERR] http: Request GET /v1/kv/fabio/config?consistent=, error: rpc error making call: Permission denied from=127.0.0.1:53538
Feb 08 07:17:12 ip-10-2-211-82 consul[3725]:     2018/02/08 07:17:12 [ERR] consul: "KVS.Get" RPC failed to server 10.2.211.111:8300: rpc error making call: rpc error making call: Permission denied
Feb 08 07:17:12 ip-10-2-211-82 consul[3725]:     2018/02/08 07:17:12 [ERR] http: Request GET /v1/kv/fabio/noroute.html?consistent=, error: rpc error making call: rpc error making call: Permission denied from=127.0.0.1:53630
Feb 08 07:17:13 ip-10-2-211-82 consul[3725]:     2018/02/08 07:17:13 [ERR] consul: "KVS.Get" RPC failed to server 10.2.210.111:8300: rpc error making call: rpc error making call: Permission denied```

I'd rather not give fabio a consul ACL token to keep fabio nice and simple.  Is there a way I can tell it to not look for these things in consul?  I may very well convert the `noroute` page to be a file on disk, but how about the config?  Ideally there's a global "don't try to look up things in consul KV so my logs don't get spammed" flag?

[magiconair]

Is fabio still using consul for service discovery?

[magiconair]

fabio can use a file registry but my guess is that this isn't what you're looking for.

http://fabiolb.net/ref/registry.file.path/

[holtwilkins]

It is still using consul for service discovery. Your question made me realise though that I have service “” readable by anonymous , so I could just do the same thing for /fabio/, is that the recommended approach for using fabio with acls?

[magiconair]

Fabio needs access to the catalog and the registry.consul.kvpath prefix in the KV store. You can either provide an ACL token or give it read and list permissions. list should be required as of 1.5.7 since fabio will then use all sub keys as well.

[magiconair]

If you have a working example I can add that to the docs: http://fabiolb.net/ref/registry.consul.kvpath/

[holtwilkins]

So, I've tried adding read to fabio/ as well as pointing to another path which already definitely has anonymous read, and I'm still getting lots of permission denied in the consul logs.

Ideally I can just turn off this integration altogether, and make fabio only use consul for service discovery, and not try to lookup anything in the consul kv - is this possible?

[magiconair]

Right now it isn't but I could allow an empty registry.backend.consul.kvpath to disable this. However, I still think that this should be possible with the right ACLs. @slackpad, can you help out?

FWIW, I've tried this:

$ curl
   --request PUT
   --header "X-Consul-Token: secret"
   --data '{
  "ID": "anonymous",
  "Type": "client",
  "Rules": "node \"\" {policy = \"read\"} service \"consul\" {policy = \"read\"} service \"fabio\" {policy = \"write\"} key \"fabio/config\" {policy = \"write\"} agent \"\" {policy = \"read\"}"
}' http://127.0.0.1:8500/v1/acl/update

[holtwilkins]

Yup, still not working for me. I think an empty registry.backend.consul.kvpath sounds good for the config bit, what about the noroutehtml page, how do I disable that one?

I do have acl_enforce_version_8 = false and acl_default_policy = "deny" set in my consul configs, if that's helpful.

I've tried setting the following anonymous acl policy:

root@ip-10-2-211-215:~# curl http://127.0.0.1:8500/v1/acl/info/anonymous?token=${ACL_MASTER_TOKEN}
[{"ID":"anonymous","Name":"Anonymous Token","Type":"client","Rules":"key \"deploy/\" { policy = \"read\"} service \"\" { policy = \"read\"} key \"fabio/config\" {  policy = \"read\"} key \"fabio/\" {  policy = \"read\" } agent \"\" {  policy = \"read\"} node \"\" {  policy = \"read\"}","CreateIndex":4,"ModifyIndex":19587932}]

And my logs are still flooded:

Feb 14 05:49:20 ip-10-2-211-215 consul[2985]:     2018/02/14 05:49:20 [ERR] http: Request GET /v1/kv/fabio/noroute.html?consistent=, error: rpc error making call: rpc error making call: Permission denied from=127.0.0.1:44383
Feb 14 05:49:20 ip-10-2-211-215 consul[2985]:     2018/02/14 05:49:20 [ERR] consul: "KVS.Get" RPC failed to server 10.2.210.100:8300: rpc error making call: rpc error making call: Permission denied
Feb 14 05:49:20 ip-10-2-211-215 consul[2985]:     2018/02/14 05:49:20 [ERR] http: Request GET /v1/kv/fabio/config?consistent=, error: rpc error making call: rpc error making call: Permission denied from=127.0.0.1:44382
Feb 14 05:49:21 ip-10-2-211-215 consul[2985]:     2018/02/14 05:49:21 [ERR] consul: "KVS.Get" RPC failed to server 10.2.211.100:8300: rpc error making call: Permission denied
Feb 14 05:49:21 ip-10-2-211-215 consul[2985]:     2018/02/14 05:49:21 [ERR] http: Request GET /v1/kv/fabio/noroute.html?consistent=, error: rpc error making call: Permission denied from=127.0.0.1:44389
Feb 14 05:49:21 ip-10-2-211-215 consul[2985]:     2018/02/14 05:49:21 [ERR] consul: "KVS.Get" RPC failed to server 10.2.210.201:8300: rpc error making call: rpc error making call: Permission denied
Feb 14 05:49:21 ip-10-2-211-215 consul[2985]:     2018/02/14 05:49:21 [ERR] http: Request GET /v1/kv/fabio/config?consistent=, error: rpc error making call: rpc error making call: Permission denied from=127.0.0.1:44388
Feb 14 05:49:22 ip-10-2-211-215 consul[2985]:     2018/02/14 05:49:22 [ERR] consul: "KVS.Get" RPC failed to server 10.2.210.100:8300: rpc error making call: rpc error making call: Permission denied
Feb 14 05:49:22 ip-10-2-211-215 consul[2985]:     2018/02/14 05:49:22 [ERR] http: Request GET /v1/kv/fabio/noroute.html?consistent=, error: rpc error making call: rpc error making call: Permission denied from=127.0.0.1:44397

[magiconair]

I'm pretty sure that this should work. I've asked an ex-colleague of mine for advice and will try myself a bit more. If all fails I'll add your suggestion.

[magiconair]

I've tried that and don't get the log messages.

rm -rf data ; consul agent --config-file master.hcl

$ cat master.hcl
acl_datacenter = "dc1"
acl_default_policy = "deny"
acl_down_policy = "deny"
acl_master_token = "secret"
acl_enforce_version_8 = false
data_dir = "data"
server = true
bootstrap = true

curl -XPUT -d '{"ID":"anonymous","Name":"Anonymous Token","Type":"client","Rules":"key \"deploy/\" { policy = \"read\"} service \"\" { policy = \"read\"} key \"fabio/config\" {  policy = \"read\"} key \"fabio/\" {  policy = \"read\" } agent \"\" {  policy = \"read\"} node \"\" {  policy = \"read\"}"}' http://127.0.0.1:8500/v1/acl/update?token=secret

# start fabio
./fabio

I get this in the logs though:

2018/02/14 09:43:01 [WARN] agent: Service "fabio-frankbook.local-9998" registration blocked by ACLs
2018/02/14 09:43:02 [WARN] agent: Check "service:fabio-frankbook.local-9998" registration blocked by ACLs

[holtwilkins]

Ah of course. This is because fabio is running from nomad, in docker, in host networking mode. Since consul acls don’t stack, the one I need to change is the one for nomad, not anonymous. I’ll do this tomorrow, but yeah, I’m pretty sure this is it.

[holtwilkins]

Yup, confirmed that adding

key "fabio/" {
  policy = "read"
}

To my worker's ACL token fixed all the errors in the logs. Not sure if you want to alter documentation or just close this issue, but thanks for you help @magiconair !

[magiconair]

I’d like to add that to the docs

[holtwilkins]

While you're at it @magiconair , I also noticed that the fabio.properties and docs/content/ref/registry.consul.noroutehtmlpath.md docs says the default for registry.consul.noroutehtmlpath is /fabio/noroutes.html, but it's actually /fabio/noroute.html as per config/default.go

[magiconair]

Done. Thanks! — Frank Schröder

…

On 20. Feb 2018, at 07:38, holtwilkins ***@***.***> wrote: While you're at it @magiconair , I also noticed that the fabio.properties and docs/content/ref/registry.consul.noroutehtmlpath.md docs says the default for registry.consul.noroutehtmlpath is /fabio/noroutes.html, but it's actually /fabio/noroutes.html as per config/default.go — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.