github.com/KyaXTeam/consul@v1.4.5/website/source/docs/connect/proxies/integrate.html.md

---
layout: "docs"
page_title: "Connect - Proxy Integration"
sidebar_current: "docs-connect-proxies-integrate"
description: |-
  A Connect-aware proxy enables unmodified applications to use Connect. A per-service proxy sidecar transparently handles inbound and outbound service connections, automatically wrapping and verifying TLS connections.
---

# Connect Custom Proxy Integration

Any proxy can be extended to support Connect. Consul ships with a built-in
proxy for a good development and out-of-the-box experience, but understand
that production users will require other proxy solutions.

A proxy must serve one or both of the following two roles: it must accept
inbound connections or establish outbound connections identified as a
particular service. One or both of these may be implemented depending on
the case, although generally both must be supported.

## Accepting Inbound Connections

For inbound connections, the proxy must accept TLS connections on some port.
The certificate served should be created by the
[`/v1/agent/connect/ca/leaf/`](/api/agent/connect.html) API endpoint.
The client certificate should be validated against the root certificates
provided by the
[`/v1/agent/connect/ca/roots`](/api/agent/connect.html) endpoint.
After validating the client certificate from the caller, the proxy should
call the
[`/v1/agent/connect/authorize`](/api/agent/connect.html) endpoint to
authorize the connection.

All of these API endpoints operate on agent-local data that is updated
in the background. The leaf and roots should be updated in the background
by the proxy, but the authorize endpoint is expected to be called in the
connection path. The endpoints introduce only microseconds of additional
latency on the connection.

The leaf and root cert endpoints support blocking queries. These should be
used if possible to get near-immediate updates for root cert rotations,
leaf expiry, etc.

## Establishing Outbound Connections

For outbound connections, the proxy should communicate with a
Connect-capable endpoint for a service and provide a client certificate
from the
[`/v1/agent/connect/ca/leaf/`](/api/agent/connect.html) API endpoint.
The certificate served by the remote endpoint can be verified against the
root certificates from the
[`/v1/agent/connect/ca/roots`](/api/agent/connect.html) endpoint.

## Configuration Discovery

Any proxy can discover proxy configuration registered with a local service
instance using the
[agent/service/:service_id endpoint](/api/agent/service.html#get-service-configuration).
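
The authorization step from "Accepting Inbound Connections", written as an added Go example (not code from the Consul documentation or code base): after the TLS handshake has verified the client certificate against the Connect roots, the proxy asks the local agent whether the caller may reach the target service, and treats every failure as a denial. The agent address, the `Authorize` and `sampleCert` names, the sample SPIFFE URI and the colon-separated serial formatting are assumptions.

```go
package main

import (
	"bytes"
	"crypto/x509"
	"encoding/json"
	"fmt"
	"math/big"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Request body of POST /v1/agent/connect/authorize (field names are the JSON keys).
type authorizeReq struct{ Target, ClientCertURI, ClientCertSerial string }

// Authorize runs in the connection path, after the TLS handshake has verified
// peer against the Connect roots. Every error path returns false (fail closed).
func Authorize(c *http.Client, agent, target string, peer *x509.Certificate) (bool, string, error) {
	if len(peer.URIs) != 1 || peer.URIs[0].Scheme != "spiffe" {
		return false, "", fmt.Errorf("client cert needs exactly one spiffe:// URI SAN")
	}
	// Assumption: the serial is sent as colon-separated hex, e.g. "04:00:01".
	serial := strings.ReplaceAll(fmt.Sprintf("% x", peer.SerialNumber.Bytes()), " ", ":")
	body, _ := json.Marshal(authorizeReq{target, peer.URIs[0].String(), serial})
	resp, err := c.Post(agent+"/v1/agent/connect/authorize", "application/json", bytes.NewReader(body))
	if err != nil {
		return false, "", err // agent unreachable: deny
	}
	defer resp.Body.Close()
	var out struct{ Authorized bool; Reason string }
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&out) != nil {
		return false, "", fmt.Errorf("agent returned %s or an unreadable body", resp.Status)
	}
	return out.Authorized, out.Reason, nil
}

// sampleCert is a constructed stand-in for tls.ConnectionState.PeerCertificates[0].
func sampleCert() *x509.Certificate {
	u := &url.URL{Scheme: "spiffe", Host: "example.consul", Path: "/ns/default/dc/dc1/svc/web"}
	return &x509.Certificate{SerialNumber: big.NewInt(0x040001), URIs: []*url.URL{u}}
}

func main() {
	ok, reason, err := Authorize(&http.Client{Timeout: 2 * time.Second}, "http://127.0.0.1:8500", "db", sampleCert())
	fmt.Println("authorized:", ok, "reason:", reason, "err:", err)
}
```

The proxy should close the connection unless the first return value is `true`; the reason string is only for logging.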