diff --git a/website/source/docs/connect/configuration.html.md b/website/source/docs/connect/configuration.html.md
index de080fdaa..a7f992670 100644
--- a/website/source/docs/connect/configuration.html.md
+++ b/website/source/docs/connect/configuration.html.md
@@ -32,11 +32,6 @@ You may also configure Consul to use an external
[certificate management system](/docs/connect/ca.html), such as
[Vault](https://vaultproject.io).
--> **Security note:** Enabling Connect is enough to try the feature but doesn't
-automatically ensure complete security. Please read the [Connect production
-guide](/docs/guides/connect-production.html) to understand the additional steps
-needed for a secure deployment.
-
No agent-wide configuration is necessary for non-server agents. Services
and proxies may always register with Connect settings, but they will fail to
retrieve or verify any TLS certificates. This causes all Connect-based
@@ -45,9 +40,14 @@ connection attempts to fail until Connect is enabled on the server agents.
-> **Note:** Connect is enabled by default when running Consul in
dev mode with `consul agent -dev`.
+~> **Security note:** Enabling Connect is enough to try the feature but doesn't
+automatically ensure complete security. Please read the [Connect production
+guide](/docs/guides/connect-production.html) to understand the additional steps
+needed for a secure deployment.
+
## Built-In Proxy Options
-This is complete example of all the configuration options available for the
+This is a complete example of all the configuration options available for the
built-in proxy. Note that only the `service.connect.proxy.config` map is being
described here, the rest of the service definition is shown for context and is
[described elsewhere](/docs/connect/proxies.html#managed-proxies).
@@ -94,47 +94,42 @@ described here, the rest of the service definition is shown for context and is
range](/docs/agent/options.html#proxy_min_port) if available. By default the
range is [20000, 20255] and the port is selected at random from that range.
-* `local_service_address`
- - The `[address]:port` that the proxy should use to connect to the
- local application instance. By default it assumes `127.0.0.1` as the address
- and takes the port from the service definition's `port` field. Note that
- allowing the application to listen on any non-loopback address may expose it
- externally and bypass Connect's access enforcement. It may be useful though
- to allow non-standard loopback addresses or where an alternative
- known-private IP is available for example when using internal networking
- between containers.
+* `local_service_address` - The
+ `[address]:port` that the proxy should use to connect to the local application
+ instance. By default it assumes `127.0.0.1` as the address and takes the port
+ from the service definition's `port` field. Note that allowing the application
+ to listen on any non-loopback address may expose it externally and bypass
+ Connect's access enforcement. It may be useful though to allow non-standard
+ loopback addresses or where an alternative known-private IP is available for
+ example when using internal networking between containers.
-* `local_connect_timeout_ms`
- - The number of milliseconds the proxy will wait to establish a
- connection to the _local application_ before giving up. Defaults to `1000`
- or 1 second.
+* `local_connect_timeout_ms` - The number
+ of milliseconds the proxy will wait to establish a connection to the _local
+ application_ before giving up. Defaults to `1000` or 1 second.
-* `handshake_timeout_ms`
- - The number of milliseconds the proxy will wait for _incoming_ mTLS
- connections to complete the TLS handshake. Defaults to `10000` or 10
- seconds.
+* `handshake_timeout_ms` - The
+ number of milliseconds the proxy will wait for _incoming_ mTLS connections to
+ complete the TLS handshake. Defaults to `10000` or 10 seconds.
-* `upstreams`
- - An array of upstream definitions for remote services that the proxied
- application needs to make outgoing connections to. Each definition has the
- following fields:
- * `destination_name`
- - [required] The name of the service or prepared query to route connect
- to.
- * `local_bind_port`
- - [required] The port to bind a local listener to for the application to
- make outbound connections to this upstream.
- * `local_bind_address`
- - The address to bind a local listener to for the application to make
- outbound connections to this upstream.
- * `destination_type`
- - Either `service` or `upstream`. The type of discovery query to use to
- find an instance to connect to. Defaults to `service`.
- * `destination_datacenter`
- - The datacenter to issue the discovery query too. Defaults to the local
- datacenter.
- * `connect_timeout_ms`
- - The number of milliseconds the proxy will wait to establish a connection
- to and complete TLS handshake with the _remote_ application or proxy.
- Defaults to `10000` or 10 seconds.
+* `upstreams` - An array of
+ upstream definitions for remote services that the proxied
+ application needs to make outgoing connections to. Each definition has the
+ following fields:
+ * `destination_name` -
+ [required] The name of the service or prepared query to route connect to.
+ * `local_bind_port` -
+ [required] The port to bind a local listener to for the application to
+ make outbound connections to this upstream.
+ * `local_bind_address` -
+ The address to bind a local listener to for the application to make
+ outbound connections to this upstream.
+ * `destination_type` -
+ Either `service` or `upstream`. The type of discovery query to use to find
+ an instance to connect to. Defaults to `service`.
+ * `destination_datacenter` -
+ The datacenter to issue the discovery query too. Defaults to the local datacenter.
+ * `connect_timeout_ms` -
+ The number of milliseconds the proxy will wait to establish a connection to
+ and complete TLS handshake with the _remote_ application or proxy. Defaults
+ to `10000` or 10 seconds.