github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Fix relative links

pull/4275/head
Paul Banks 2018-06-13 17:34:18 +01:00 committed by Jack Pearkes
parent 20a6a40216
commit 959f0c612c
1 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
website/source/docs/guides/connect-production.md
View File

@ -55,7 +55,7 @@ service is allowed to access.
A secure ACL setup must meet these criteria:
1. **[ACL default
policy](https://private-docs.consul.io/docs/agent/options.html#acl_default_policy)
policy](/docs/agent/options.html#acl_default_policy)
must be `deny`.** It is technically sufficient to keep the default policy of
`allow` but add an explicit ACL denying anonymous `service:write`. Note
however that in this case the Connect intention graph will also default to
@ -155,12 +155,12 @@ configure host or network firewalls to allow incoming connections to proxy
ports.
In addition to Consul agent's [communication
ports](https://private-docs.consul.io/docs/agent/options.html#ports) any
ports](/docs/agent/options.html#ports) any
[managed proxies](/docs/connect/proxies.html#managed-proxies) will need to have
ports open to accept incoming connections.
Consul will by default assign them ports from [a configurable
range](https://private-docs.consul.io/docs/agent/options.html#ports) the default
range](/docs/agent/options.html#ports) the default
range is 20000 - 20255. If this feature is used, the agent assumes all ports in
that range are both free to use (no other processes listening on them) and are
exposed in the firewall to accept connections from other service hosts.
@ -169,7 +169,7 @@ Alternatively, managed proxies can have their public ports specified as part of
the [proxy configuration](#TODO) in the service registration. It is possible to use
this exclusively and prevent automated port selection by [configuring
`proxy_min_port` and
`proxy_max_port`](https://private-docs.consul.io/docs/agent/options.html#ports)
`proxy_max_port`](/docs/agent/options.html#ports)
to both be `0`, forcing any managed proxies to have an explicit port configured.
It then becomes the same problem as opening ports necessary for any other
@ -184,12 +184,12 @@ For on-disk configuration the `token` parameter of the service definition must
be set.
For registration via the API [the token is passed in the request
header](https://private-docs.consul.io/api/index.html#acls) or by using the [Go
header](/api/index.html#acls) or by using the [Go
client configuration](https://godoc.org/github.com/hashicorp/consul/api#Config).
Note that by default API registration will not allow managed proxies to be
configured since it potentially opens a remote execution vulnerability if the
agent API endpoints are publicly accessible. This can be [configured
per-agent](https://private-docs.consul.io/docs/agent/options.html#connect_proxy).
per-agent](/docs/agent/options.html#connect_proxy).
For examples of service definitions with managed or unmanaged proxies see
[proxies documentation](/docs/connect/proxies.html#managed-proxies).