How to block consul UI on all machine except the host machine

Hello All,

We’re currently running Consul Server (version 1.16) on our hosting server. Occasionally, we need to update key-value pairs using the UI, which requires us to log in to the hosting server and make the necessary changes. However, if someone from our organization clicks on the URL from their machine, they can access the Consul UI without any authentication.

To address this security concern, I’m looking for a solution that allows us to restrict access to the Consul UI either by implementing authentication credentials or by limiting access only to the hosting server. I’ve attempted to use ACL, but it ended up blocking all application requests.

I’d appreciate any suggestions or guidance on how to implement this effectively.

Thank you.

Hi Dinesh,

Welcome to HashiCorp Forums!

If you want to limit the HTTP API/UI to the hosting server itself, you can use either of the following methods:

  1. set the client_addr in your agent configuration file to, so that the HTTP, DNS, and the xDS gRPC ports listen only on the loopback IP of the server, thereby not letting access from outside the host.
  2. Leave the client_addr = "" and use the addresses.http[s] option to limit only the UI/API to the loopback.
# example:
addresses {
  http = ""
  https = ""

Having said that, it is highly recommended that you protect Consul using ACLs for better security.


1 Like

If you don’t want to use ACL’s then you need to set it up with client_addr = "" and you set the http field in addresses to - then you grab your favorite webserver (nginx, for instance) and set it up so that it will proxy incoming requests to Consul’s http port. You can then configure the webserver to require basic authentication.