|
|
|
@ -143,25 +143,24 @@ environment and adapt these configurations accordingly. |
|
|
|
**Example Client Agent TLS Configuration** |
|
|
|
**Example Client Agent TLS Configuration** |
|
|
|
|
|
|
|
|
|
|
|
```hcl |
|
|
|
```hcl |
|
|
|
tls { |
|
|
|
tls { |
|
|
|
defaults { |
|
|
|
defaults { |
|
|
|
verify_incoming = false |
|
|
|
verify_incoming = false |
|
|
|
verify_outgoing = true |
|
|
|
verify_outgoing = true |
|
|
|
ca_file = "consul-agent-ca.pem" |
|
|
|
ca_file = "consul-agent-ca.pem" |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
internal_rpc { |
|
|
|
|
|
|
|
verify_server_hostname = true |
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
internal_rpc { |
|
|
|
auto_encrypt { |
|
|
|
verify_server_hostname = true |
|
|
|
tls = true |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
auto_encrypt { |
|
|
|
|
|
|
|
tls = true |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
``` |
|
|
|
``` |
|
|
|
|
|
|
|
|
|
|
|
-> The client agent TLS configuration from above sets [`verify_incoming`](/docs/agent/config/config-files#tls_defaults_verify_incoming) |
|
|
|
-> **Note**: The client agent TLS configuration from above sets [`verify_incoming`](/docs/agent/config/config-files#tls_defaults_verify_incoming) |
|
|
|
to false which assumes all incoming traffic is restricted to `localhost`. The primary benefit for this configuration |
|
|
|
to false which assumes all incoming traffic is restricted to `localhost`. The primary benefit for this configuration |
|
|
|
would be to avoid provisioning client TLS certificates (in addition to ACL tokens) for all tools or applications |
|
|
|
would be to avoid provisioning client TLS certificates (in addition to ACL tokens) for all tools or applications |
|
|
|
using the local Consul agent. In this case ACLs should be enabled to provide authorization and only ACL tokens would |
|
|
|
using the local Consul agent. In this case ACLs should be enabled to provide authorization and only ACL tokens would |
|
|
|
|
Karl Cardenas
3 years ago