Fix some formatting and a typo.

Paul Banks 2018-06-23 00:38:28 +01:00 committed by Jack Pearkes
parent f0059665bb
commit 6117bdb9d5
1 changed files with 41 additions and 46 deletions

@ -32,11 +32,6 @@ You may also configure Consul to use an external
[certificate management system](/docs/connect/ca.html), such as [certificate management system](/docs/connect/ca.html), such as
[Vault](https://vaultproject.io). [Vault](https://vaultproject.io).
-> **Security note:** Enabling Connect is enough to try the feature but doesn't
automatically ensure complete security. Please read the [Connect production
guide](/docs/guides/connect-production.html) to understand the additional steps
needed for a secure deployment.
No agent-wide configuration is necessary for non-server agents. Services No agent-wide configuration is necessary for non-server agents. Services
and proxies may always register with Connect settings, but they will fail to and proxies may always register with Connect settings, but they will fail to
retrieve or verify any TLS certificates. This causes all Connect-based retrieve or verify any TLS certificates. This causes all Connect-based
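Review bot: the security note deleted at the top of this hunk comes back in the next hunk with a `~>` marker instead of `->`, so this is a move plus a change of callout style rather than formatting alone. Say so in the commit message, since the note is what points readers to the Connect production guide and where it sits and how it renders affect whether they see it.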
@ -45,9 +40,14 @@ connection attempts to fail until Connect is enabled on the server agents.
-> **Note:** Connect is enabled by default when running Consul in -> **Note:** Connect is enabled by default when running Consul in
dev mode with `consul agent -dev`. dev mode with `consul agent -dev`.
~> **Security note:** Enabling Connect is enough to try the feature but doesn't
automatically ensure complete security. Please read the [Connect production
guide](/docs/guides/connect-production.html) to understand the additional steps
needed for a secure deployment.
## Built-In Proxy Options ## Built-In Proxy Options
This is complete example of all the configuration options available for the This is a complete example of all the configuration options available for the
built-in proxy. Note that only the `service.connect.proxy.config` map is being built-in proxy. Note that only the `service.connect.proxy.config` map is being
described here, the rest of the service definition is shown for context and is described here, the rest of the service definition is shown for context and is
[described elsewhere](/docs/connect/proxies.html#managed-proxies). [described elsewhere](/docs/connect/proxies.html#managed-proxies).
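Review bot: the sentence right after the "a complete example" fix still has a comma splice ("is being described here, the rest of the service definition is shown for context"). Split it into two sentences or use a semicolon while this paragraph is being touched. The relocated security note now follows the dev-mode note, which reads well because that note is what tells readers Connect is on by default under `consul agent -dev`.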
@ -94,47 +94,42 @@ described here, the rest of the service definition is shown for context and is
range](/docs/agent/options.html#proxy_min_port) if available. By default the range](/docs/agent/options.html#proxy_min_port) if available. By default the
range is [20000, 20255] and the port is selected at random from that range. range is [20000, 20255] and the port is selected at random from that range.
* <a name="local_service_address"></a><a href="#local_service_address">`local_service_address`</a> * <a name="local_service_address"></a><a href="#local_service_address">`local_service_address`</a> - The
- The `[address]:port` that the proxy should use to connect to the `[address]:port` that the proxy should use to connect to the local application
local application instance. By default it assumes `127.0.0.1` as the address instance. By default it assumes `127.0.0.1` as the address and takes the port
and takes the port from the service definition's `port` field. Note that from the service definition's `port` field. Note that allowing the application
allowing the application to listen on any non-loopback address may expose it to listen on any non-loopback address may expose it externally and bypass
externally and bypass Connect's access enforcement. It may be useful though Connect's access enforcement. It may be useful though to allow non-standard
to allow non-standard loopback addresses or where an alternative loopback addresses or where an alternative known-private IP is available for
known-private IP is available for example when using internal networking example when using internal networking between containers.
between containers.
* <a name="local_connect_timeout_ms"></a><a href="#local_connect_timeout_ms">`local_connect_timeout_ms`</a> * <a name="local_connect_timeout_ms"></a><a href="#local_connect_timeout_ms">`local_connect_timeout_ms`</a> - The number
- The number of milliseconds the proxy will wait to establish a of milliseconds the proxy will wait to establish a connection to the _local
connection to the _local application_ before giving up. Defaults to `1000` application_ before giving up. Defaults to `1000` or 1 second.
or 1 second.
* <a name="handshake_timeout_ms"></a><a href="#handshake_timeout_ms">`handshake_timeout_ms`</a> * <a name="handshake_timeout_ms"></a><a href="#handshake_timeout_ms">`handshake_timeout_ms`</a> - The
- The number of milliseconds the proxy will wait for _incoming_ mTLS number of milliseconds the proxy will wait for _incoming_ mTLS connections to
connections to complete the TLS handshake. Defaults to `10000` or 10 complete the TLS handshake. Defaults to `10000` or 10 seconds.
seconds.
* <a name="upstreams"></a><a href="#upstreams">`upstreams`</a> * <a name="upstreams"></a><a href="#upstreams">`upstreams`</a> - An array of
- An array of upstream definitions for remote services that the proxied upstream definitions for remote services that the proxied
application needs to make outgoing connections to. Each definition has the application needs to make outgoing connections to. Each definition has the
following fields: following fields:
* <a name="destination_name"></a><a href="#destination_name">`destination_name`</a> * <a name="destination_name"></a><a href="#destination_name">`destination_name`</a> -
- [required] The name of the service or prepared query to route connect [required] The name of the service or prepared query to route connect to.
to. * <a name="local_bind_port"></a><a href="#local_bind_port">`local_bind_port`</a> -
* <a name="local_bind_port"></a><a href="#local_bind_port">`local_bind_port`</a> [required] The port to bind a local listener to for the application to
- [required] The port to bind a local listener to for the application to make outbound connections to this upstream.
make outbound connections to this upstream. * <a name="local_bind_address"></a><a href="#local_bind_address">`local_bind_address`</a> -
* <a name="local_bind_address"></a><a href="#local_bind_address">`local_bind_address`</a> The address to bind a local listener to for the application to make
- The address to bind a local listener to for the application to make outbound connections to this upstream.
outbound connections to this upstream. * <a name="destination_type"></a><a href="#destination_type">`destination_type`</a> -
* <a name="destination_type"></a><a href="#destination_type">`destination_type`</a> Either `service` or `upstream`. The type of discovery query to use to find
- Either `service` or `upstream`. The type of discovery query to use to an instance to connect to. Defaults to `service`.
find an instance to connect to. Defaults to `service`. * <a name="destination_datacenter"></a><a href="#destination_datacenter">`destination_datacenter`</a> -
* <a name="destination_datacenter"></a><a href="#destination_datacenter">`destination_datacenter`</a> The datacenter to issue the discovery query too. Defaults to the local datacenter.
- The datacenter to issue the discovery query too. Defaults to the local * <a name="connect_timeout_ms"></a><a href="#connect_timeout_ms">`connect_timeout_ms`</a> -
datacenter. The number of milliseconds the proxy will wait to establish a connection to
* <a name="connect_timeout_ms"></a><a href="#connect_timeout_ms">`connect_timeout_ms`</a> and complete TLS handshake with the _remote_ application or proxy. Defaults
- The number of milliseconds the proxy will wait to establish a connection to `10000` or 10 seconds.
to and complete TLS handshake with the _remote_ application or proxy.
Defaults to `10000` or 10 seconds.
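Review bot: the reflowed `destination_type` entry still says "Either `service` or `upstream`", while `destination_name` two entries earlier describes the target as "the service or prepared query", so the second value matches nothing else in this list. Confirm the accepted value for prepared-query discovery and correct it in this pass. Two wording slips also survive the reflow: `destination_datacenter` reads "discovery query too" (should be "to"), and `destination_name` reads "to route connect to". In `local_service_address`, the sentence warning that a non-loopback address "may expose it externally and bypass Connect's access enforcement" is the security-relevant part of the entry; consider ending the sentence there and starting a new one at "It may be useful though", with a comma before "for example", so the caveat is not buried in a run-on.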