Having trouble understanding how vault listeners handle traffic

Apologies if these questions are a bit of a mouthful. I’m trying to run a build on 1.4.2 using local file storage instead of consul and I’m unlikely to use SSL offloading so I’m hoping to enable TLS right on the server. I’ve seen lots of information on what to do in various setups, but I’m trying to wrap my head around why it works. I think the big point of confusion for me is whether these listeners are handling traffic as it comes into the system, at the same level as iptables/firewalld, or are they handling traffic after it comes to the system? Do I need to worry about traffic security that’s not leaving the machine?

In the setup guide, the TCP listener is set to 0.0.0.0:8200. Does that mean that any unroutable traffic that hits the server is served back to Vault? I’ve also seen recommendations where if you are going to enable TLS, the TCP listener should be 127.0.0.1:8200 and your VAULT_ADDR environment variable should be 127.0.0.1:8200. Does that mean packets terminate at the system level and are then handled by the listener to pass them off to Vault? Or are the listeners handling traffic as it comes into the system?

What’s the difference between the listener listening for 127.0.0.1 and 0.0.0.0? If TLS is disabled on these listeners, does that make packets looping back to itself sniffable?

Since I plan on enabling TLS and not hiding behind a load balancer, should I be listening for the domain name instead of the loopback? Should I be using a listener for all three options?

Thanks, everyone

The traffic within the cluster is over port 8201 and is encrypted by self-managed certificates.

You want the listener on a real IP I think. You’ll also need that IP in the cert, or you’ll hit “cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs”.

If TLS is enabled, I don’t believe there’s any way you’re going to get any routed or non-routable traffic that isn’t encrypted.
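The “cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs” message mentioned above is Go’s crypto/x509 hostname check, which Vault’s client runs against the host part of VAULT_ADDR. The program below is an added example, not Vault code and not posted by anyone in this thread: it issues two self-signed certificates, one with only a DNS SAN and one that also carries IP SANs for 127.0.0.1 and the listener’s real address, then runs that same check for the three ways a client might reach the server. The hostname vault.example.internal and the address 10.0.0.5 are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert issues a self-signed server certificate whose Subject
// Alternative Name extension carries the given DNS names and IP addresses.
// Passing nil for ipSANs produces the kind of certificate that triggers the
// "doesn't contain any IP SANs" error when a client connects by IP.
func selfSignedCert(dnsNames []string, ipSANs []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		// CommonName is ignored by modern verifiers; only SANs count.
		// "vault.example.internal" is a placeholder name.
		Subject:     pkix.Name{CommonName: "vault.example.internal"},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:    dnsNames,
		IPAddresses: ipSANs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostnameCheck runs the same SAN match a Vault client performs against the
// host part of VAULT_ADDR. It returns "" when the certificate is valid for
// host, otherwise the verifier's error text.
func hostnameCheck(cert *x509.Certificate, host string) string {
	if err := cert.VerifyHostname(host); err != nil {
		return err.Error()
	}
	return ""
}

// sans lists what the certificate actually names, which is the first thing
// to inspect when the IP SANs error appears.
func sans(cert *x509.Certificate) []string {
	out := append([]string{}, cert.DNSNames...)
	for _, ip := range cert.IPAddresses {
		out = append(out, ip.String())
	}
	return out
}

func main() {
	// Certificate with a DNS SAN only.
	dnsOnly, err := selfSignedCert([]string{"vault.example.internal"}, nil)
	if err != nil {
		panic(err)
	}
	// Certificate that also names loopback and the listener's real address
	// (10.0.0.5 is an assumed example address, not from the thread).
	withIPs, err := selfSignedCert([]string{"vault.example.internal"},
		[]net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("10.0.0.5")})
	if err != nil {
		panic(err)
	}
	for _, c := range []struct {
		name string
		cert *x509.Certificate
	}{{"dns-only", dnsOnly}, {"with-ip-sans", withIPs}} {
		fmt.Printf("%s cert SANs: %v\n", c.name, sans(c.cert))
		for _, host := range []string{"vault.example.internal", "127.0.0.1", "10.0.0.5"} {
			if msg := hostnameCheck(c.cert, host); msg != "" {
				fmt.Printf("  VAULT_ADDR=https://%s:8200 -> %s\n", host, msg)
			} else {
				fmt.Printf("  VAULT_ADDR=https://%s:8200 -> ok\n", host)
			}
		}
	}
}
```

The practical rule this shows: whatever you bind the listener to and whatever you put in VAULT_ADDR (loopback, the real IP, or the DNS name) has to appear as a SAN in the certificate referenced by tls_cert_file in the listener "tcp" block, and an IP only ever matches an IP SAN, never the CN or a DNS SAN.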

Sounds good, thank you. I’ve run into the cannot validate error already, which was confusing. I’ll post some successful configs once I get a version up and running.

Interested in what is confusing about the message… I think the full message should say
x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs
Is there a way to make that more helpful?

Please do share your configs when you get it, always good for folks searching to have real world examples :)