The client certificate from the inbound connection must be validated against the Connect CA root certificates. Call the [`/v1/agent/connect/ca/roots`] endpoint to obtain the root certificates from the Connect CA, e.g.:
</CodeBlockConfig>
```shell-session
The client certificate from the inbound connection must be validated against the Connect CA root certificates. Call the [`/v1/agent/connect/ca/roots`] endpoint to obtain the root certificates from the Connect CA, e.g.:
After validating the client certificate from the caller, the proxy can authorize the entire connection (L4) or each request (L7). Depending upon the [protocol] of the proxied service, authorization is performed either on a per-connection (L4) or per-request (L7) basis. Authentication is based on "service identity" (TLS), and is implemented at the
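Review bot: The authorization paragraph at the end of this hunk says the same thing twice: "the proxy can authorize the entire connection (L4) or each request (L7)" is immediately followed by "authorization is performed either on a per-connection (L4) or per-request (L7) basis". Suggest merging these into one sentence that keeps the `[protocol]` link, so the reader sees once that the proxied service's protocol decides between per-connection and per-request authorization. The ordering the text states (validate the client certificate against the Connect CA roots first, then authorize) is the part worth keeping prominent.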
@ -176,7 +180,7 @@ Alternatively, you may also use the flags `-token` or `-token-file` to provide t
<CodeBlockConfig language="shell-session">
```shell
consul connect envoy -sidecar-for "web" -token-file=/etc/consul.d/consul.token
$ consul connect envoy -sidecar-for "web" -token-file=/etc/consul.d/consul.token
```
</CodeBlockConfig>
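Review bot: The wrapper and the fence disagree in the envoy block: `<CodeBlockConfig language="shell-session">` wraps a fence opened with `shell`, while the command is shown with a `$` prompt. A prompt-prefixed command belongs in a `shell-session` fence, and with that tag on the fence the `language` attribute on the wrapper is no longer needed. Since the surrounding text offers both `-token` and `-token-file`, it would also help to say that `-token-file` keeps the ACL token out of the process list and shell history, and that `/etc/consul.d/consul.token` should be readable only by the account that runs the proxy.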
@ -184,7 +188,7 @@ Alternatively, you may also use the flags `-token` or `-token-file` to provide t
<CodeBlockConfig >
```shell
$ consul connect proxy -sidecar-for "web" -token-file=/etc/consul.d/consul.token
$ consul connect proxy -sidecar-for "web" -token-file=/etc/consul.d/consul.token
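Review bot: `<CodeBlockConfig >` in the proxy block has a stray space and no attributes, unlike the envoy block's `<CodeBlockConfig language="shell-session">`, and its fence is tagged `shell` even though the command carries a `$` prompt. Suggest making the two examples consistent: either drop the empty wrapper or give both blocks the same one, and use the same fence tag for both prompt-prefixed commands.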