Merge pull request #10834 from jkirschner-hashicorp/improve-docs-configure-ui-https
docs: give tutorials links for securing UI access
commit
2798b3e02f
|
@ -275,16 +275,22 @@ environment and adapt these configurations accordingly.
|
||||||
- **Secure UI Access** - Access to Consul’s builtin UI can be secured in various ways:
|
- **Secure UI Access** - Access to Consul’s builtin UI can be secured in various ways:
|
||||||
|
|
||||||
- **mTLS** - Enabling the HTTPS with mutual TLS authentication is recommended, but requires extra tooling to terminate
|
- **mTLS** - Enabling the HTTPS with mutual TLS authentication is recommended, but requires extra tooling to terminate
|
||||||
the mTLS connection, preferably on an operator's local machine using a proxy script.
|
the mTLS connection, preferably on an operator's local machine using a proxy script. To do this, follow the tutorial on
|
||||||
|
[Configuring the Consul UI for HTTPS](https://learn.hashicorp.com/tutorials/consul/tls-encryption-openssl-secure#configure-the-consul-ui-for-https)
|
||||||
|
and in Step 2 use "Option 1: add a client certificate to your browser".
|
||||||
|
|
||||||
- **TLS** - Enabling the HTTPS is recommended where mTLS may not be required for UI access, such as when ACLs are
|
- **TLS** - Enabling the HTTPS is recommended where mTLS may not be required for UI access, such as when ACLs are
|
||||||
configured with a default deny.
|
configured with a default deny. To do this, follow the tutorial on
|
||||||
|
[Configuring the Consul UI for HTTPS](https://learn.hashicorp.com/tutorials/consul/tls-encryption-openssl-secure#configure-the-consul-ui-for-https)
|
||||||
|
and in Step 2 use "Option 2: verify_incoming_rpc".
|
||||||
|
|
||||||
- **ACL** - ACLs with a default deny policy enables safer UI access by preventing unauthorized access to sensitive
|
- **ACL** - ACLs with a default deny policy enables safer UI access by preventing unauthorized access to sensitive
|
||||||
components within the cluster.
|
components within the cluster. To do this, follow the tutorial on
|
||||||
|
[Securing Consul with Access Control Lists (ACLs)](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production),
|
||||||
|
which includes a section on [creating ACL tokens that provide a desired level UI access](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production#consul-ui-token).
|
||||||
|
|
||||||
- **Restrict HTTP Writes** - Using the allow_write_http_from configuration option enables agent endpoints restricting
|
- **Restrict HTTP Writes** - Using the [`allow_write_http_from`](/docs/agent/options#allow_write_http_from)
|
||||||
write capabilities to a list of CIDRs.
|
configuration option to restrict write access for agent endpoints to hosts on the specified list of CIDRs.
|
||||||
|
|
||||||
**Example Agent Configuration**
|
**Example Agent Configuration**
|
||||||
|
|
||||||
|
|
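Review bot: In the **mTLS** bullet, the unchanged text recommends terminating the mTLS connection with a proxy script on the operator's local machine, but the added sentence sends the reader to "Option 1: add a client certificate to your browser", which is a different approach. State which of the two is the recommended path, or mention both and when each applies. The mTLS and TLS bullets also depend on the tutorial's "Step 2" numbering and option titles, which can change independently of this page. Naming the relevant setting inline (for the TLS case, `verify_incoming_rpc`) would keep the guidance usable if the tutorial is reorganised. In the **Restrict HTTP Writes** bullet the rewritten text is a sentence fragment with no main verb ("Using the [`allow_write_http_from`] configuration option to restrict write access ..."). Suggest "Use the `allow_write_http_from` configuration option to restrict write access for agent endpoints to hosts on the specified list of CIDRs." In the **ACL** bullet, the link text "a desired level UI access" is missing "of".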