Day 28. HashiCorp Consul: Server configuration for production

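When I first started building the PRD environment, I was always afraid of having missed some setting. After accumulating experience for a while, the configuration has finally taken shape, so I am recording it here for anyone who wants to use it as a reference.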

server = true
bootstrap_expect = 3
ui = true

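ui_config {
  enabled = true
  dir = "/consul/data/ui/"
  # Consul documents base_url under ui_config.metrics_proxy; confirm this key with `consul validate`.
  base_url = "aaa.bbb.com"
}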

acl {
  enabled = true
  default_policy = "deny"
  enable_token_persistence = true
  # Duration values must be quoted strings in HCL.
  policy_ttl = "30s"
  role_ttl = "30s"
  token_ttl = "30s"
  
  tokens {
    default = "xxx-xxx-xxx-xxx"
    agent = "xxx-xxx-xxx-xxx"
  }
}

datacenter = "east-aws"
data_dir = "/consul/data"
disable_update_check = true

node_name = "consul01"
client_addr = "10.x.x.x"
bind_addr = "10.x.x.x"
advertise_addr = "10.x.x.x"
verify_incoming = true
verify_outgoing = true
verify_incoming_https = true
verify_server_hostname = true
ca_file = "/consul/ssl/ca.cer"
cert_file = "/consul/ssl/cert.cer"
key_file = "/consul/ssl/key.key"

auto_encrypt {
  allow_tls = true
}

connect {
  enabled = true
}

limits {
  http_max_conns_per_client = 600
  https_handshake_timeout = "6s"
  rpc_handshake_timeout = "6s"
  rpc_max_conns_per_client = 100
}

addresses {
  dns = "10.x.x.x"
  http = "10.x.x.x"
  https = "10.x.x.x"
  grpc = "10.x.x.x"
}

ports {
  dns = 53
  http = 8500
  https = 8501
  grpc = 8502
}

# Audit logging is a Consul Enterprise feature.
audit {
  enabled = true
  sink "consul sink" {
    type   = "file"
    format = "json"
    path   = "/consul/data/audit/audit.json"
    delivery_guarantee = "best-effort"
    rotate_duration = "1h"
    rotate_max_files = 48
  }
}

http_config {
  use_cache = true
  block_endpoints = ["/v1/acl/create","/v1/acl/update"]
  # Set once only: networks allowed to send write requests to the HTTP API.
  allow_write_http_from = ["127.0.0.0/8","10.x.x.x/16"]
}

domain = "aaa.bbb.com"
retry_join  = ["10.x.x.x","10.x.x.x","10.x.x.x"]
retry_interval = "20s"

log_level = "DEBUG"
log_file = "/consul/logs/consul.log"
log_rotate_duration = "24h"
log_rotate_max_files = 14

performance {
  raft_multiplier = 1
}

telemetry {
  prometheus_retention_time = "10s"
  disable_hostname = false
}

enable_local_script_checks = true
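
The worry about a missed setting can be partly automated. The following is an added example, not part of the original post: a small Python lint for mistakes that are easy to make in a hand-edited Consul server config (a missing `=`, an unquoted duration, a key set twice in one block) plus a check of the ACL and TLS baseline used above. `SAMPLE`, `REQUIRED` and `lint` are names made up for the illustration, and the parser only handles the simple `key = value` and `block {` layout used on this page.

```python
import re

# Constructed sample (not the page's file) containing each defect class.
SAMPLE = """\
ui_config {
  enabled = true
  base_url "aaa.bbb.com"
}
acl {
  enabled = true
  default_policy = "allow"
  token_ttl = 30s
}
verify_incoming = true
http_config {
  allow_write_http_from = ["127.0.0.1/8"]
  allow_write_http_from = ["127.0.0.0/8"]
}
"""
# Baseline taken from this page's config: deny-by-default ACLs, full TLS verification.
REQUIRED = {"acl.default_policy": '"deny"', "verify_incoming": "true",
            "verify_outgoing": "true", "verify_server_hostname": "true"}

def lint(text):
    """Return (line, kind, detail) findings; line 0 marks a baseline finding."""
    findings, values, first_seen, stack = [], {}, {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "//")):
            continue
        if line.endswith("{"):                     # block open: remember its name
            stack.append((line[:-1].split() or ["?"])[0])
            continue
        if line == "}":                            # block close
            if stack:
                stack.pop()
            continue
        m = re.match(r"(\w+)\s*=\s*(.+)$", line)
        if not m:
            findings.append((no, "syntax", f"expected 'key = value': {line}"))
            continue
        path, value = ".".join(stack + [m.group(1)]), m.group(2)
        if path in first_seen:                     # later value silently replaces or breaks the first
            findings.append((no, "duplicate", f"{path} already set on line {first_seen[path]}"))
        first_seen.setdefault(path, no)
        values[path] = value
        if re.fullmatch(r"\d+(ms|s|m|h)", value):  # bare 30s is not valid HCL
            findings.append((no, "unquoted", f'{path}: write "{value}"'))
    for path, want in REQUIRED.items():
        got = values.get(path, "unset")
        if got != want:
            findings.append((0, "baseline", f"{path} is {got}, expected {want}"))
    return findings
```

Call `lint()` on the config text before deploying it; the agent's own `consul validate` on the config directory remains the authoritative check of keys and syntax.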
