| layout | page_title | description |
|---|---|---|
docs |
TCP - Listeners - Configuration |
The TCP listener configures Vault to listen on the specified TCP address and
port. |
The TCP listener configures Vault to listen on a TCP address/port.
listener "tcp" {
address = "127.0.0.1:8200"
}The listener stanza may be specified more than once to make Vault listen on
multiple interfaces. If you configure multiple listeners you also need to
specify api_addr and cluster_addr so Vault will
advertise the correct address to other nodes.
Vault supports defining custom HTTP response headers for the root path (/) and also on API endpoints (/v1/*).
The headers are defined based on the returned status code. For example, a user can define a list of
custom response headers for the 200 status code, and another list of custom response headers for
the 307 status code. There is a "/sys/config/ui" API endpoint which allows users
to set UI specific custom headers. If a header is configured in a configuration file, it is not allowed
to be reconfigured through the "/sys/config/ui" API endpoint. In cases where a
custom header value needs to be modified or the custom header needs to be removed, the Vault's configuration file
needs to be modified accordingly, and a SIGHUP signal needs to be sent to the Vault process.
If a header is defined in the configuration file and the same header is used by the internal
processes of Vault, the configured header is not accepted. For example, a custom header which has
the X-Vault- prefix will not be accepted. A message will be logged in the Vault's logs
upon start up indicating the header with X-Vault- prefix is not accepted.
If the same header is configured in both the configuration file and
in the "/sys/config/ui" API endpoint, the header in the configuration file takes precedence.
For example, the "Content-Security-Policy" header is defined by default in the
"/sys/config/ui" API endpoint. If that header is also defined in the configuration file,
the value in the configuration file is set in the response headers instead of the
default value in the "/sys/config/ui" API endpoint.
-
address(string: "127.0.0.1:8200")– Specifies the address to bind to for listening. This can be dynamically defined with a go-sockaddr template that is resolved at runtime. -
cluster_address(string: "127.0.0.1:8201")– Specifies the address to bind to for cluster server-to-server requests. This defaults to one port higher than the value ofaddress. This does not usually need to be set, but can be useful in case Vault servers are isolated from each other in such a way that they need to hop through a TCP load balancer or some other scheme in order to talk. This can be dynamically defined with a go-sockaddr template that is resolved at runtime. -
http_idle_timeout(string: "5m")- Specifies the maximum amount of time to wait for the next request when keep-alives are enabled. Ifhttp_idle_timeoutis zero, the value ofhttp_read_timeoutis used. If both are zero, the value ofhttp_read_header_timeoutis used. This is specified using a label suffix like"30s"or"1h". -
http_read_header_timeout(string: "10s")- Specifies the amount of time allowed to read request headers. This is specified using a label suffix like"30s"or"1h". -
http_read_timeout(string: "30s")- Specifies the maximum duration for reading the entire request, including the body. This is specified using a label suffix like"30s"or"1h". -
http_write_timeoutstring: "0")- Specifies the maximum duration before timing out writes of the response and is reset whenever a new request's header is read. The default value of"0"means inifinity. This is specified using a label suffix like"30s"or"1h". -
max_request_size(int: 33554432)– Specifies a hard maximum allowed request size, in bytes. Defaults to 32 MB if not set or set to0. Specifying a number less than0turns off limiting altogether. -
max_request_duration(string: "90s")– Specifies the maximum request duration allowed before Vault cancels the request. This overridesdefault_max_request_durationfor this listener. -
proxy_protocol_behavior(string: "")– When specified, enables a PROXY protocol version 1 behavior for the listener. Accepted Values:- use_always - The client's IP address will always be used.
- allow_authorized - If the source IP address is in the
proxy_protocol_authorized_addrslist, the client's IP address will be used. If the source IP is not in the list, the source IP address will be used. - deny_unauthorized - The traffic will be rejected if the source IP
address is not in the
proxy_protocol_authorized_addrslist.
-
proxy_protocol_authorized_addrs(string: <required-if-enabled> or array: <required-if-enabled> )– Specifies the list of allowed source IP addresses to be used with the PROXY protocol. Not required ifproxy_protocol_behavioris set touse_always. Source IPs should be comma-delimited if provided as a string. At least one source IP must be provided,proxy_protocol_authorized_addrscannot be an empty array or string. -
tls_disable(string: "false")– Specifies if TLS will be disabled. Vault assumes TLS by default, so you must explicitly disable TLS to opt-in to insecure communication. -
tls_cert_file(string: <required-if-enabled>, reloads-on-SIGHUP)– Specifies the path to the certificate for TLS. It requires a PEM-encoded file. To configure the listener to use a CA certificate, concatenate the primary certificate and the CA certificate together. The primary certificate should appear first in the combined file. OnSIGHUP, the path set here at Vault startup will be used for reloading the certificate; modifying this value while Vault is running will have no effect forSIGHUPs. -
tls_key_file(string: <required-if-enabled>, reloads-on-SIGHUP)– Specifies the path to the private key for the certificate. It requires a PEM-encoded file. If the key file is encrypted, you will be prompted to enter the passphrase on server startup. The passphrase must stay the same between key files when reloading your configuration usingSIGHUP. OnSIGHUP, the path set here at Vault startup will be used for reloading the certificate; modifying this value while Vault is running will have no effect forSIGHUPs. -
tls_min_version(string: "tls12")– Specifies the minimum supported version of TLS. Accepted values are "tls10", "tls11", "tls12" or "tls13".~> Warning: TLS 1.1 and lower are generally considered insecure.
-
tls_cipher_suites(string: "")– Specifies the list of supported ciphersuites as a comma-separated-list. The list of all available ciphersuites is available in the Golang TLS documentation. -
tls_prefer_server_cipher_suites(string: "false")– Specifies to prefer the server's ciphersuite over the client ciphersuites. -
tls_require_and_verify_client_cert(string: "false")– Turns on client authentication for this listener; the listener will require a presented client cert that successfully validates against system CAs. -
tls_client_ca_file(string: "")– PEM-encoded Certificate Authority file used for checking the authenticity of client. -
tls_disable_client_certs(string: "false")– Turns off client authentication for this listener. The default behavior (when this is false) is for Vault to request client certificates when available. -
x_forwarded_for_authorized_addrs(string: <required-to-enable>)– Specifies the list of source IP CIDRs for which an X-Forwarded-For header will be trusted. Comma-separated list or JSON array. This turns on X-Forwarded-For support. -
x_forwarded_for_hop_skips(string: "0")– The number of addresses that will be skipped from the rear of the set of hops. For instance, for a header value of1.2.3.4, 2.3.4.5, 3.4.5.6, if this value is set to"1", the address that will be used as the originating client IP is2.3.4.5. -
x_forwarded_for_reject_not_authorized(string: "true")– If set false, if there is an X-Forwarded-For header in a connection from an unauthorized address, the header will be ignored and the client connection used as-is, rather than the client connection rejected. -
x_forwarded_for_reject_not_present(string: "true")– If set false, if there is no X-Forwarded-For header or it is empty, the client address will be used as-is, rather than the client connection rejected.
unauthenticated_metrics_access(bool: false)- If set to true, allows unauthenticated access to the/v1/sys/metricsendpoint.
unauthenticated_pprof_access(bool: false)- If set to true, allows unauthenticated access to the/v1/sys/pprofendpoint.
-
default(key-value-map: {})- A map of string header names to an array of string values. The default headers are set on all endpoints regardless of the status code value. For an example, please refer to the "Configuring custom http response headers" section. -
<specific status code>(key-value-map: {})- A map of string header names to an array of string values. These headers are set only when the specific status code is returned. For example,"200" = {"Header-A": ["Value1", "Value2"]},"Header-A"is set when the http response status code is"200". -
<collective status code>(key-value-map: {})- A map of string header names to an array of string values. These headers are set only when the response status code falls under the collective status code. For example,"2xx" = {"Header-A": ["Value1", "Value2"]},"Header-A"is set when the http response status code is"200","204", etc.
This example shows enabling a TLS listener.
listener "tcp" {
tls_cert_file = "/etc/certs/vault.crt"
tls_key_file = "/etc/certs/vault.key"
}This example shows Vault listening on a private interface, as well as localhost.
listener "tcp" {
address = "127.0.0.1:8200"
}
listener "tcp" {
address = "10.0.0.5:8200"
}
# Advertise the non-loopback interface
api_addr = "https://10.0.0.5:8200"
cluster_addr = "https://10.0.0.5:8201"This example shows enabling unauthenticated metrics access.
listener "tcp" {
telemetry {
unauthenticated_metrics_access = true
}
}This example shows enabling unauthenticated profiling access.
listener "tcp" {
profiling {
unauthenticated_pprof_access = true
}
}This example shows configuring custom http response headers. Operators can configure
"custom_response_headers" sub-stanza in the listener stanza to set custom http
headers appropriate to their applications. Examples of such headers are "Strict-Transport-Security"
and "Content-Security-Policy" which are known HTTP headers, and could be configured to harden
the security of an application communicating with the Vault endpoints. Note that vulnerability
scans often examine such security related HTTP headers. In addition, application specific
custom headers can also be configured. For example, "X-Custom-Header" has been configured
in the example below.
listener "tcp" {
custom_response_headers {
"default" = {
"Strict-Transport-Security" = ["max-age=31536000","includeSubDomains"],
"Content-Security-Policy" = ["connect-src https://clusterA.vault.external/"],
"X-Custom-Header" = ["Custom Header Default Value"],
},
"2xx" = {
"Content-Security-Policy" = ["connect-src https://clusterB.vault.external/"],
"X-Custom-Header" = ["Custom Header Value 1", "Custom Header Value 2"],
},
"301" = {
"Strict-Transport-Security" = ["max-age=31536000"],
“Content-Security-Policy" = ["connect-src https://clusterC.vault.external/"],
},
}
}In situations where a header is defined under several status code subsections,
the header matching the most specific response code will be returned. For example,
with the config example below, a 307 response would return 307 Custom header value,
while a 306 would return 3xx Custom header value.
listener "tcp" {
custom_response_headers {
"default" = {
"X-Custom-Header" = ["default Custom header value"]
},
"3xx" = {
"X-Custom-Header" = ["3xx Custom header value"]
},
"307" = {
"X-Custom-Header" = ["307 Custom header value"]
}
}
}This example shows Vault listening on all IPv4 & IPv6 interfaces including localhost.
listener "tcp" {
address = "[::]:8200"
cluster_address = "[::]:8201"
}This example shows Vault only using IPv6 and binding to the interface with the IP address: 2001:1c04:90d:1c00:a00:27ff:fefa:58ec
listener "tcp" {
address = "[2001:1c04:90d:1c00:a00:27ff:fefa:58ec]:8200"
cluster_address = "[2001:1c04:90d:1c00:a00:27ff:fefa:58ec]:8201"
}
# Advertise the non-loopback interface
api_addr = "https://[2001:1c04:90d:1c00:a00:27ff:fefa:58ec]:8200"
cluster_addr = "https://[2001:1c04:90d:1c00:a00:27ff:fefa:58ec]:8201"