Vault documentation: added new warning to listener stanza parameters (#14036)

* added a new warning

* Update website/content/docs/configuration/listener/tcp.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* fixed word tense

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
This commit is contained in:
Loann Le
2022-02-14 08:54:43 -08:00
committed by GitHub
parent f0bff02ca6
commit e9ceffa90d


@@ -22,6 +22,7 @@ specify [`api_addr`][api-addr] and [`cluster_addr`][cluster-addr] so Vault will
advertise the correct address to other nodes.
## Listener's custom response headers
As of version 1.9, Vault supports defining custom HTTP response headers for the root path (`/`) and also on API endpoints (`/v1/*`).
The headers are defined based on the returned status code. For example, a user can define a list of
custom response headers for the `200` status code, and another list of custom response headers for
@@ -37,6 +38,7 @@ the `X-Vault-` prefix will not be accepted. A message will be logged in the Vaul
upon start up indicating the header with `X-Vault-` prefix is not accepted.
### Order of precedence
If the same header is configured in both the configuration file and
in the `"/sys/config/ui"` [API endpoint](/api/system/config-ui), the header in the configuration file takes precedence.
For example, the `"Content-Security-Policy"` header is defined by default in the
@@ -160,6 +162,8 @@ default value in the `"/sys/config/ui"` [API endpoint](/api/system/config-ui).
authentication for this listener. The default behavior (when this is false)
is for Vault to request client certificates when available.
~> **Warning**: The `tls_disable_client_certs` and `tls_require_and verify_client_cert` fields in the listener stanza of the Vault server configuration are mutually exclusive fields. Please ensure they are not both set to true. TLS client verification remains optional with default settings and is not enforced.
- `x_forwarded_for_authorized_addrs` `(string: <required-to-enable>)`
Specifies the list of source IP CIDRs for which an X-Forwarded-For header
will be trusted. Comma-separated list or JSON array. This turns on
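Review bot: The second parameter name in the added warning is written `tls_require_and verify_client_cert`, with a space where an underscore belongs, so it cannot be copied into a listener stanza and will not match a search for `tls_require_and_verify_client_cert`; please fix the spelling. The warning also asks readers to "ensure they are not both set to true" without saying what Vault does when both are set, so an operator cannot tell whether the result is a startup error or one setting silently overriding the other; a sentence stating the behaviour would help. The closing sentence about default settings repeats the context line just above it ("The default behavior (when this is false) is for Vault to request client certificates when available"), and could instead say directly that client certificates are only enforced when `tls_require_and_verify_client_cert` is set to true.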
@@ -265,7 +269,6 @@ listener "tcp" {
}
```
### Configuring custom http response headers
Note: Requires Vault version 1.9 or newer. This example shows configuring custom http response headers.