github.com/outbrain/consul@v1.4.5/website/source/docs/connect/dev.html.md (about)

---
layout: "docs"
page_title: "Connect - Development and Debugging"
sidebar_current: "docs-connect-dev"
description: |-
  It is often necessary to connect to a service for development or debugging. If a service only exposes a Connect listener, then we need a way to establish a mutual TLS connection to the service. The `consul connect proxy` command can be used for this task on any machine with access to a Consul agent (local or remote).
---

# Developing and Debugging Connect Services

It is often necessary to connect to a service for development or debugging.
If a service only exposes a Connect listener, then we need a way to establish
a mutual TLS connection to the service. The
[`consul connect proxy` command](/docs/commands/connect/proxy.html) can be used
for this task on any machine with access to a Consul agent (local or remote).

Restricting access to services only via Connect ensures that the only way to
connect to a service is through valid authorization of the
[intentions](/docs/connect/intentions.html). This can extend to developers
and operators, too.

## Connecting to Connect-only Services

As an example, let's assume that we have a PostgreSQL database running that
we want to connect to via `psql`, but the only non-loopback listener is
via Connect. Let's also assume that we have an ACL token to identify as
`operator-mitchellh`. We can start a local proxy:

```sh
$ consul connect proxy \
  -service operator-mitchellh \
  -upstream postgresql:8181
```

This works because the source `-service` does not need to be registered
in the local Consul catalog. However, to retrieve a valid identifying
certificate, the ACL token must have `service:write` permissions. This
can be used as a sort of "virtual service" to represent people, too. In
the example above, the proxy is identifying as `operator-mitchellh`.

With the proxy running, we can now use `psql` like normal:

```sh
$ psql -h 127.0.0.1 -p 8181 -U mitchellh mydb
>
```

This `psql` session is now happening through our local proxy via an
authorized mutual TLS connection to the PostgreSQL service in our Consul
catalog.

### Masquerading as a Service

You can also easily masquerade as any source service by setting the
`-service` value to any service. Note that the proper ACL permissions are
required to perform this task.

For example, if you have an ACL token that allows `service:write` for
`web` and you want to connect to the `postgresql` service as "web", you
can start a proxy like so:

```sh
$ consul connect proxy \
  -service web \
  -upstream postgresql:8181
```
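
Because `service:write` on a name is what allows a token to identify as that service, a debugging identity such as `operator-mitchellh` is best given a token scoped to exactly that name, so it cannot be used to masquerade as `web`. The script below is an added example, not part of the Consul documentation: the `operator_rules` and `provision` helpers are hypothetical, and it assumes the Consul 1.4 ACL system with an administrator token already exported in `CONSUL_HTTP_TOKEN`.

```shell
#!/bin/sh
# Added example: provision a narrowly scoped identity for debugging over Connect.
# Assumption: an administrator token is already set in CONSUL_HTTP_TOKEN.

# Emit ACL rules granting service:write on exactly one service name.
# Names with characters outside [A-Za-z0-9_-] are rejected so the value
# cannot break out of the quoted HCL string and widen the policy.
operator_rules() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*)
      echo "invalid service name: $1" >&2
      return 1 ;;
  esac
  printf 'service "%s" {\n  policy = "write"\n}\n' "$1"
}

# Create the policy, a token bound only to it, and the single intention that
# lets the identity reach one destination; then ask Consul for its decision.
provision() {
  identity=$1
  destination=$2
  rules=$(operator_rules "$identity") || return 1
  printf '%s\n' "$rules" |
    consul acl policy create -name "$identity" -rules - &&
  consul acl token create -description "debug identity $identity" \
    -policy-name "$identity" &&
  consul intention create -allow "$identity" "$destination" &&
  consul intention check "$identity" "$destination"
}

# Usage: sh provision.sh apply operator-mitchellh postgresql
if [ "${1:-}" = "apply" ]; then
  provision "$2" "$3"
fi
```

The developer then exports the new token's `SecretID` as `CONSUL_HTTP_TOKEN` and runs the `consul connect proxy` command shown earlier. Deleting the intention or the token revokes the access without touching the `postgresql` service itself.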