mirror of https://github.com/hashicorp/consul
46 lines
3.6 KiB
Markdown
46 lines
3.6 KiB
Markdown
---
|
|
layout: docs
|
|
page_title: Use JWTs to verify requests to API gateways on virtual machines
|
|
description: Learn how to use JSON web tokens (JWT) to verify requests from external clients to listeners on an API gateway.
|
|
---
|
|
|
|
# Use JWTs to verify requests to API gateways on virtual machines
|
|
|
|
This topic describes how to use JSON web tokens (JWT) to verify requests to API gateways on virtual machines (VM). If your services are deployed to Kubernetes-orchestrated containers, refer to [Use JWTs to verify requests to API gateways on Kubernetes](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s).
|
|
|
|
<EnterpriseAlert> This feature is available in Consul Enterprise. </EnterpriseAlert>
|
|
|
|
## Overview
|
|
|
|
You can configure API gateways to use JWTs to verify incoming requests so that you can stop unverified traffic at the gateway. You can configure JWT verification at different levels:
|
|
|
|
- Listener defaults: Define basic defaults that apply to all routes attached to a listener.
|
|
- HTTP route-specific settings: You can define JWT authentication settings for specific HTTP routes. Route-specific JWT settings override default configurations.
|
|
- Listener overrides: Define override settings that take precedence over default and route-specific configurations. This enables you to set enforceable policies for listeners.
|
|
|
|
Complete the following steps to use JWTs to verify requests:
|
|
|
|
1. Configure default and override settings for listeners in the API gateway configuration entry.
|
|
1. Define route-specific JWT verification settings as filters in the HTTP route configuration entries.
|
|
1. Write the configuration entries to Consul to begin verifying requests using JWTs.
|
|
|
|
## Requirements
|
|
|
|
- Consul 1.17 or later
|
|
- JWT details, such as claims and provider
|
|
|
|
## Configure default and override settings
|
|
|
|
Define default and override settings for JWT verification in the [API gateway configuration entry](/consul/docs/connect/gateways/api-gateway/configuration/api-gateway).
|
|
|
|
1. Add a `default.JWT` block to the listener that you want to apply JWT verification to. Consul applies these configurations to routes attached to the listener. Refer to the [`Listeners.default.JWT`](/consul/docs/connect/config-entries/api-gateway#listeners-default-jwt) configuration reference for details.
|
|
1. Add an `override.JWT` block to the listener that you want to apply JWT verification policies to. Consul applies these configurations to all routes attached to the listener, regardless of the `default` or route-specific settings. Refer to the [`Listeners.override.JWT`](/consul/docs/connect/config-entries/api-gateway#listeners-override-jwt) configuration reference for details.
|
|
1. Apply the settings in the API gateway configuration entry. You can use the [`/config` API endpoint](/consul/api-docs/config#apply-configuration) or the [`consul config write` command](/consul/commands/config/write).
|
|
|
|
## Configure verification for specific HTTP routes
|
|
|
|
Define filters to enable route-specific JWT verification settings in the [HTTP route configuration entry](/consul/docs/connect/config-entries/http-route).
|
|
|
|
1. Add a `JWT` configuration to the `rules.filter` block. Route-specific configurations that overlap the [default settings ](/consul/docs/connect/config-entries/api-gateway#listeners-default-jwt) in the API gateway configuration entry take precedence. Configurations defined in the [listener override settings](/consul/docs/connect/config-entries/api-gateway#listeners-override-jwt) take the highest precedence.
|
|
1. Apply the settings in the API gateway configuration entry. You can use the [`/config` API endpoint](/consul/api-docs/config#apply-configuration) or the [`consul config write` command](/consul/commands/config/write).
|