Updated proxy protocol config validation (#4528)

command/server/listener.go

@@ -49,17 +49,20 @@ func listenerWrapProxy(ln net.Listener, config map[string]interface{}) (net.List
 		return nil, fmt.Errorf("failed parsing proxy_protocol_behavior value: not a string")
 	}
 
+	proxyProtoConfig := &proxyutil.ProxyProtoConfig{
+		Behavior: behavior,
+	}
+
+	if proxyProtoConfig.Behavior == "allow_authorized" || proxyProtoConfig.Behavior == "deny_unauthorized" {
 		authorizedAddrsRaw, ok := config["proxy_protocol_authorized_addrs"]
 		if !ok {
 			return nil, fmt.Errorf("proxy_protocol_behavior set but no proxy_protocol_authorized_addrs value")
 		}
 
-	proxyProtoConfig := &proxyutil.ProxyProtoConfig{
-		Behavior: behavior,
-	}
 		if err := proxyProtoConfig.SetAuthorizedAddrs(authorizedAddrsRaw); err != nil {
 			return nil, errwrap.Wrapf("failed parsing proxy_protocol_authorized_addrs: {{err}}", err)
 		}
+	}
 
 	newLn, err := proxyutil.WrapInProxyProto(ln, proxyProtoConfig)
 	if err != nil {

website/source/docs/configuration/listener/tcp.html.md

@@ -39,8 +39,11 @@ listener "tcp" {
   - *deny_unauthorized* - The traffic will be rejected if the source IP
   address is not in the `proxy_protocol_authorized_addrs` list.
 
-- `proxy_protocol_authorized_addrs` `(string: <required-if-enabled>)` – Specifies
-  the list of allowed source IP addresses to be used with the PROXY protocol.
+- `proxy_protocol_authorized_addrs` `(string: <required-if-enabled> or array: <required-if-enabled> )` – 
+  Specifies the list of allowed source IP addresses to be used with the PROXY protocol.
+  Not required if `proxy_protocol_behavior` is set to `use_always`. Source IPs should 
+  be comma-delimited if provided as a string. At least one source IP must be provided, 
+  `proxy_protocol_authorized_addrs` cannot be an empty array or string.
 
 - `tls_disable` `(string: "false")` – Specifies if TLS will be disabled. Vault
   assumes TLS by default, so you must explicitly disable TLS to opt-in to