|
|
@ -143,25 +143,24 @@ environment and adapt these configurations accordingly.
|
|
|
|
**Example Client Agent TLS Configuration**
|
|
|
|
**Example Client Agent TLS Configuration**
|
|
|
|
|
|
|
|
|
|
|
|
```hcl
|
|
|
|
```hcl
|
|
|
|
tls {
|
|
|
|
tls {
|
|
|
|
defaults {
|
|
|
|
defaults {
|
|
|
|
verify_incoming = false
|
|
|
|
verify_incoming = false
|
|
|
|
verify_outgoing = true
|
|
|
|
verify_outgoing = true
|
|
|
|
ca_file = "consul-agent-ca.pem"
|
|
|
|
ca_file = "consul-agent-ca.pem"
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
internal_rpc {
|
|
|
|
|
|
|
|
verify_server_hostname = true
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
internal_rpc {
|
|
|
|
auto_encrypt {
|
|
|
|
verify_server_hostname = true
|
|
|
|
tls = true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
auto_encrypt {
|
|
|
|
|
|
|
|
tls = true
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
```
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
-> The client agent TLS configuration from above sets [`verify_incoming`](/docs/agent/config/config-files#tls_defaults_verify_incoming)
|
|
|
|
-> **Note**: The client agent TLS configuration from above sets [`verify_incoming`](/docs/agent/config/config-files#tls_defaults_verify_incoming)
|
|
|
|
to false which assumes all incoming traffic is restricted to `localhost`. The primary benefit for this configuration
|
|
|
|
to false which assumes all incoming traffic is restricted to `localhost`. The primary benefit for this configuration
|
|
|
|
would be to avoid provisioning client TLS certificates (in addition to ACL tokens) for all tools or applications
|
|
|
|
would be to avoid provisioning client TLS certificates (in addition to ACL tokens) for all tools or applications
|
|
|
|
using the local Consul agent. In this case ACLs should be enabled to provide authorization and only ACL tokens would
|
|
|
|
using the local Consul agent. In this case ACLs should be enabled to provide authorization and only ACL tokens would
|
|
|
|
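Review bot: In the `-> **Note**:` paragraph, `verify_incoming = false` is justified only by the assumption that all incoming traffic is restricted to `localhost`, yet neither the note nor the example `tls` block says what enforces that restriction. Suggest naming the setting the reader has to check before copying the example, for instance that the agent's `client_addr` stays on a loopback address. Without that, the same block applied to an agent whose API listens on a routable interface accepts connections with no client certificate check and relies on ACL tokens alone. As far as the visible lines show, the keys and values inside the HCL block (`verify_incoming`, `verify_outgoing`, `ca_file`, `verify_server_hostname`, `auto_encrypt`) are the same on both sides, so the added **Note** label is the right place to carry this caveat.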