From 79aabd0b9e10a154d805b0ef5ce01ca3517f0e03 Mon Sep 17 00:00:00 2001
From: James Phillips <james@hashicorp.com>
Date: Thu, 17 Dec 2015 06:42:07 -0800
Subject: [PATCH] Makes the insecure transport work like the default one.

---
 api/api.go | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/api/api.go b/api/api.go
index 51b73b483..f34fafbf6 100644
--- a/api/api.go
+++ b/api/api.go
@@ -123,13 +123,21 @@ type Config struct {
 	Token string
 }
 
+// defaultHttpClient is a shared client instance that is used to prevent apps
+// that create multiple clients from opening multiple connections, which would
+// leak file descriptors.
 var defaultHttpClient = cleanhttp.DefaultClient()
 
-var defaultInsecureTransport = &http.Transport{
-	TLSClientConfig: &tls.Config{
+// defaultInsecureTransport is a shared transport that will get injected into
+// the defaultHttpClient if the CONSUL_HTTP_SSL_VERIFY environment variable is
+// set to true.
+var defaultInsecureTransport = func() *http.Transport {
+	trans := cleanhttp.DefaultTransport()
+	trans.TLSClientConfig = &tls.Config{
 		InsecureSkipVerify: true,
-	},
-}
+	}
+	return trans
+}()
 
 // DefaultConfig returns a default configuration for the client
 func DefaultConfig() *Config {
@@ -193,7 +201,13 @@ type Client struct {
 	config Config
 }
 
+// unixClients contains a set of shared UNIX socket clients, indexed by address.
+// These shared instances are used to prevent apps that create multiple clients
+// from opening multiple connections, which would leak file descriptors.
 var unixClients = make(map[string]*http.Client)
+
+// unixClientsLock serializes access to the unixClients map, since most users
+// would expect NewClient to be thread-safe.
 var unixClientsLock sync.Mutex
 
 // NewClient returns a new client