Apologies if these questions are a bit of a mouthful. I’m trying to run a build on 1.4.2 using local file storage instead of Consul, and I’m unlikely to use SSL offloading, so I’m hoping to enable TLS right on the server. I’ve seen lots of information on what to do in various setups, but I’m trying to wrap my head around why it works. I think the big point of confusion for me is whether these listeners are handling traffic as it comes into the system, at the same level as iptables/firewalld, or whether they are handling traffic after it comes to the system. Do I need to worry about the security of traffic that’s not leaving the machine?
In the setup guide, the TCP listener is set to 0.0.0.0:8200. Does that mean that any unroutable traffic that hits the server is served back to Vault? I’ve also seen recommendations that if you are going to enable TLS, the TCP listener should be 127.0.0.1:8200 and your VAULT_ADDR environment variable should be 127.0.0.1:8200. Does that mean packets terminate at the system level and are then handled by the listener, which passes them off to Vault? Or are the listeners handling traffic as it comes into the system?
What’s the difference between the listener listening for 127.0.0.1 and 0.0.0.0? If TLS is disabled on these listeners, does that make packets looping back to itself sniffable?
Since I plan on enabling TLS and not hiding behind a load balancer, should I be listening for the domain name instead of the loopback? Should I be using a listener for all three options?
Thanks, everyone
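The two listener forms the post mentions, side by side, as an added illustration that is not part of the original post or of the Vault documentation. The `listener "tcp"`, `storage "file"` and `api_addr` stanzas are real Vault configuration; the file paths and the hostname `vault.example.com` are assumptions for the example.

```hcl
# Form 1: bind only to the loopback interface, TLS off.
# The kernel accepts connections on this socket only when they arrive on
# "lo", so nothing leaves the machine; a local user who can capture on "lo"
# still sees the traffic in clear.
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = true
}

# Form 2: bind to every interface, TLS terminated by Vault itself.
# The address is an IP:port bind, not a hostname; the hostname matters only
# for the certificate's SAN and for what clients put in VAULT_ADDR.
# A packet reaches this socket only after the host firewall
# (iptables/firewalld INPUT chain) has already accepted it.
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/vault.example.com.crt"   # assumed path
  tls_key_file  = "/etc/vault.d/vault.example.com.key"   # assumed path
}

# Local file storage instead of Consul, as in the post.
storage "file" {
  path = "/opt/vault/data"   # assumed path
}

# Address advertised to clients and other nodes; must match the certificate name.
api_addr = "https://vault.example.com:8200"   # assumed hostname
```

Vault accepts multiple listener stanzas in one file, so both can coexist, but the post is choosing between them: with Form 1 the client sets `VAULT_ADDR=http://127.0.0.1:8200` and only local processes can connect; with Form 2 the client sets `VAULT_ADDR=https://vault.example.com:8200` and the name it connects by must appear in the certificate, or the TLS handshake fails.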