Consul + Fabio + Your App

+ Your Application

Background

Note:

Basic structure:

Configure Consul server cluster

Consul Config

The gossip `encrypt` key and `acl_master_token` shown below are live secrets for this cluster and must be generated fresh for each deployment rather than copied. Note also that `enable_script_checks: true` combined with `client_addr: 0.0.0.0` and `acl_default_policy: allow` lets any client that can reach the HTTP API register a script check, i.e. execute commands on the node; `enable_local_script_checks` (script checks only from local config files) together with a default-deny ACL policy closes that off.

{
"bind_addr": "10.185.20.180",
"client_addr": "0.0.0.0",
"data_dir": "/var/consul",
"server": true,
"ui": true,
"bootstrap": true,
"retry_join": ["10.185.20.179","10.185.20.180"],
"datacenter": "mrx",
"enable_script_checks": true,
"encrypt": "UAvkAzdjGfQ7J2NlgkrJMA==",
"enable_syslog": true,
"addresses": {
"http": "10.185.20.180",
"dns": "10.185.20.180"
},
"dns_config": {
"allow_stale": true,
"max_stale": "30s",
"node_ttl": "30s",
"enable_truncate": true,
"only_passing": true
},
"acl_datacenter": "mrx",
"acl_down_policy": "extend-cache",
"acl_default_policy": "allow",
"acl_master_token": "dbef8b5a-6110-4575-bf61-dda1c21ca339"
}

Startup Service

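vim /usr/lib/systemd/system/consul.service
[Unit]
Description=Consul service discovery agent
# Requires= only pulls the target in; ordering needs a matching After=.
# The original paired Requires=network-online.target with After=network.target,
# so consul could start before the network was actually online.
Requires=network-online.target
After=network-online.target
[Service]
User=consul
Group=consul
Restart=on-failure
# ExecStartPre= is executed directly, not through a shell, so a
# "[ -f ... ] && rm" line cannot work and a missing pid file would abort
# startup. rm -f already succeeds when the file is absent; the leading "-"
# additionally tells systemd to ignore a non-zero exit from this step.
ExecStartPre=-/usr/bin/rm -f /var/consul/consul.pid
ExecStart=/usr/bin/consul agent -config-dir=/etc/consul.d -config-file=/etc/consul.d/server/consul.json
ExecReload=/bin/kill -s HUP $MAINPID
# NOTE(review): consul treats SIGINT as a graceful leave — confirm against
# the agent version in use before relying on it.
KillSignal=SIGINT
TimeoutStopSec=5
[Install]
WantedBy=multi-user.target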

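# Reload unit definitions first so systemd sees the unit file just written,
# then enable it for boot and start it now.
systemctl daemon-reload
systemctl enable consul.service
systemctl start consul.service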

Create ACL on Consul cluster

Configure Consul agent on each Pong instance

{   
"bind_addr": "10.185.20.173",
"data_dir": "/var/consul",
"ui": false,
"bootstrap": false,
"server": false,
"start_join": ["10.185.20.179","10.185.20.180"],
"datacenter": "mrx",
"encrypt": "UAvkAzdjGfQ7J2NlgkrJMA==",
"enable_syslog": false,
"enable_script_checks": true,
"pid_file": "/var/consul/consul.pid",
"acl_token": "548bb56f-33c9-622a-4351-1a04851ebb1a"
}

Service Health Check

The check below is a script check; Consul's built-in `"tcp": "localhost:8300"` check verifies the same listening port without spawning a shell pipeline.

{
"service": {
"name": "pong",
"status": "critical",
"check": {
"service_id": "pong",
"interval": "10s",
"script": "/usr/bin/netstat -an | grep 8300 | grep LISTEN"
},
"port": 8300,
"tags": ["pong"]
}
}

Fabio config

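# Dedicated non-login service account for fabio. -r creates a system account
# (UID from the system range, no password aging); -M skips creating the home
# directory, which is created below as a root-owned install tree so the
# service user cannot overwrite its own binary.
useradd -r -M -d /opt/fabio -s /sbin/nologin fabio
mkdir -p /opt/fabio/bin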

Fabio Properties

# These two lines are an example of running fabio with HTTPS certificates
#proxy.cs = cs=lb;type=file;cert=/opt/fabio/certs.d/mydomain_com.ca-bundle.crt;key=/opt/fabio/certs.d/mydomain_com.key
#proxy.addr = :443;cs=lb;tlsmin=tls11;tlsmax=tls12;tlsciphers="0xc02f,0x9f,0xc030,0xc028,0xc014,0x6b,0x39,0x009d,0x0035",
#             :80
proxy.addr = :9999
proxy.header.tls = Strict-Transport-Security
proxy.header.tls.value = "max-age=63072000; includeSubDomains"
ui.addr = 10.185.20.180:9998
ui.access = ro
runtime.gogc = 800
log.access.target = stdout
log.access.format = - - [] "" ".Referer" ".User-Agent" "" "" "" ""
log.access.level = INFO
registry.consul.addr = 10.185.20.180:8500
proxy.maxconn = 20000
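# Write the fabio unit file. The delimiter is quoted so nothing inside the
# here-document is expanded by the shell: the unit is copied byte for byte.
cat >/etc/systemd/system/fabio.service <<'EOF'
[Unit]
Description=Fabio Proxy
# syslog.target no longer exists on current systemd; an ordering dependency on
# a missing unit is ignored, so this line is harmless and kept for older hosts.
After=syslog.target
After=network.target

[Service]
LimitMEMLOCK=infinity
LimitNOFILE=65535

Type=simple
WorkingDirectory=/opt/fabio
Restart=always
# -cfg is resolved relative to WorkingDirectory above.
ExecStart=/opt/fabio/bin/fabio -cfg fabio.properties

# Log to syslog with identifier for syslog to process
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=fabio

# No need that fabio messes with /dev
PrivateDevices=yes

# Dedicated /tmp
PrivateTmp=yes

# Make /usr, /boot, /etc read only
ProtectSystem=full

# /home is not accessible at all
ProtectHome=yes

# The process must not be able to gain privileges via setuid/setgid binaries.
# This does not interfere with AmbientCapabilities= below.
NoNewPrivileges=yes

# You will have to run "setcap 'cap_net_bind_service=+ep' /opt/fabio/bin/fabio"
# to be able to bind ports under 1024. This directive allows it to happen:
AmbientCapabilities=CAP_NET_BIND_SERVICE

# Only ipv4, ipv6, unix socket and netlink networking is possible
# Netlink is necessary so that fabio can list available IPs on startup
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK

# Unprivileged user
User=fabio
Group=fabio

[Install]
WantedBy=multi-user.target
EOF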

Fabio Routes

Apache service check

{
"service": {
"name": "apache-svc",
"status": "critical",
"check": {
"service_id": "apache-svc",
"interval": "10s",
"script": "/usr/bin/systemctl status httpd.service"
},
"port": 80,
"tags": ["urlprefix-/"]
}
}

Test Routes

Fabio adds two routes, Pong and Apache. When I stopped the Apache service, Fabio immediately removed the Apache route (shown with a minus sign).