Hello All,
We’re currently running Consul Server (version 1.16) on our hosting server. Occasionally, we need to update key-value pairs using the UI, which requires us to log in to the hosting server and make the necessary changes. However, if someone from our organization clicks on the URL from their machine, they can access the Consul UI without any authentication.
To address this security concern, I’m looking for a solution that allows us to restrict access to the Consul UI either by implementing authentication credentials or by limiting access only to the hosting server. I’ve attempted to use ACL, but it ended up blocking all application requests.
I’d appreciate any suggestions or guidance on how to implement this effectively.
Thank you.
Hi Dinesh,
Welcome to HashiCorp Forums!
If you want to limit the HTTP API/UI to the hosting server itself, you can use either of the following methods:
- Set the `client_addr` in your agent configuration file to 127.0.0.1, so that the HTTP, DNS, and the xDS gRPC ports listen only on the loopback IP of the server, thereby not letting access from outside the host.
- Leave the `client_addr = "0.0.0.0"` and use the `addresses.http[s]` option to limit only the UI/API to the loopback.
# example:
addresses {
http = "127.0.0.1"
https = "127.0.0.1"
}
Having said that, it is highly recommended that you protect Consul using ACLs for better security.
If you don’t want to use ACLs then you need to set it up with `client_addr = "0.0.0.0"` and you set the `http` field in `addresses` to 127.0.0.1 - then you grab your favorite webserver (nginx, for instance) and set it up so that it will proxy incoming requests to Consul’s http port. You can then configure the webserver to require basic authentication.
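As an added illustration of the reverse-proxy approach described in the reply above (example configuration, not from the thread or from HashiCorp): an nginx server block that fronts a Consul agent whose HTTP API/UI is bound to 127.0.0.1:8500 via `addresses { http = "127.0.0.1" }`, and requires HTTP basic authentication before forwarding. The hostname, TLS paths and the htpasswd file path are placeholders.

```nginx
# Added example: nginx in front of a loopback-only Consul HTTP API/UI.
# Assumes Consul listens on 127.0.0.1:8500 and that the credential file was
# created with:  htpasswd -c /etc/nginx/consul.htpasswd <username>
server {
    listen 443 ssl;
    server_name consul.example.internal;          # placeholder hostname

    ssl_certificate     /etc/nginx/tls/consul.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/consul.key;

    location / {
        # Every UI page and API call now needs a valid username/password.
        auth_basic           "Consul UI";
        auth_basic_user_file /etc/nginx/consul.htpasswd;

        # Forward to the agent, which is reachable only from this host.
        proxy_pass         http://127.0.0.1:8500;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;

        # Blocking queries (?index=...) used by the UI can legitimately hold a
        # connection open well past nginx's default 60s read timeout.
        proxy_read_timeout 600s;
    }
}

# Plain HTTP only redirects to the authenticated HTTPS endpoint.
server {
    listen 80;
    server_name consul.example.internal;          # placeholder hostname
    return 301 https://$host$request_uri;
}
```

Once the agent is bound to loopback, anything on another host that called this server's HTTP API directly is also cut off, so such applications should talk to the Consul client agent running on their own node instead.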