github.com/KyaXTeam/consul@v1.4.5/website/source/docs/connect/proxies/integrate.html.md

---
layout: "docs"
page_title: "Connect - Proxy Integration"
sidebar_current: "docs-connect-proxies-integrate"
description: |-
  A Connect-aware proxy enables unmodified applications to use Connect. A per-service proxy sidecar transparently handles inbound and outbound service connections, automatically wrapping and verifying TLS connections.
---

# Connect Custom Proxy Integration

Any proxy can be extended to support Connect. Consul ships with a built-in
proxy for a good development and out-of-the-box experience, but understand
that production users will require other proxy solutions.

A proxy must serve one or both of the following two roles: accepting inbound
connections on behalf of a particular service, or establishing outbound
connections identified as that service. Which of these is implemented depends
on the use case, although generally both must be supported.

## Accepting Inbound Connections

For inbound connections, the proxy must accept TLS connections on some port.
The certificate served should be created by the
[`/v1/agent/connect/ca/leaf/`](/api/agent/connect.html) API endpoint.
The client certificate should be validated against the root certificates
provided by the
[`/v1/agent/connect/ca/roots`](/api/agent/connect.html) endpoint.
After validating the client certificate from the caller, the proxy should
call the
[`/v1/agent/connect/authorize`](/api/agent/connect.html) endpoint to
authorize the connection.

All of these API endpoints operate on agent-local data that is updated
in the background. The leaf and roots should be updated in the background
by the proxy, but the authorize endpoint is expected to be called in the
connection path. The endpoints introduce only microseconds of additional
latency on the connection.

The leaf and root cert endpoints support blocking queries. These should be
used if possible to get near-immediate updates for root cert rotations,
leaf expiry, etc.

## Establishing Outbound Connections

For outbound connections, the proxy should communicate to a
Connect-capable endpoint for a service and provide a client certificate
from the
[`/v1/agent/connect/ca/leaf/`](/api/agent/connect.html) API endpoint.
The certificate served by the remote endpoint can be verified against the
root certificates from the
[`/v1/agent/connect/ca/roots`](/api/agent/connect.html) endpoint.

## Configuration Discovery

Any proxy can discover proxy configuration registered with a local service
instance using the [agent/service/:service_id
endpoint](/api/agent/service.html#get-service-configuration).