Questions about installing Vault

Hi! I have installed Vault on OpenBSD 7.1 using pkg_add vault. I’d like to have it bind to the standard HTTPS port 443 (so I can do https://vault.example.com), and I have the following config that does this:

log_level = "Info"
plugin_directory = "/var/vault/plugins/"
ui = "true"
disable_mlock = "true"

listener "tcp" {
  address = "1.2.3.4:443"
  tls_cert_file = "/etc/ssl/server/cert.pem"
  tls_key_file = "/etc/ssl/server/cert.key"
}

storage "file" {
  path = "/var/vault/storage/"
}

However, that requires running Vault as root so that it has permission to bind to that port, which isn’t something that I’d like to do. Somebody here made a comment:

The other daemons launch as root not to read certificates but to bind to privileged ports, which Vault doesn’t do

which I’m assuming means it isn’t normal to set the port of the listener in the config to 443. Is there a way this is normally achieved in a production environment, or is it more normal to just let it run over a non-standard port? This is for personal use, if it matters.

My guess is that a lot of production deployments involve a load balancer to route traffic to the active node in a cluster (or all functional nodes, if using the Enterprise performance standby feature), and thus the remapping from 443 to 8200 is taken care of in a layer external to the Vault executable itself.

Thanks! That’s roughly the solution I ended up going with (just on the firewall):

pass in on vio0 inet proto tcp from any to (vio0) port 443 rdr-to 127.0.0.1 port 8443
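
A check for the condition this thread is about, added here as an example and not written by any of the posters: it reads a Vault config on stdin and prints every listener "tcp" address whose port is below 1024 and would therefore need root to bind. The function names are hypothetical, and it assumes each address is a quoted "host:port" value on its own line inside the listener block.

```shell
#!/bin/sh
# listener_addrs: print the address value of every listener "tcp" block
# found in the Vault config read from stdin.
listener_addrs() {
    awk '
        /^[ \t]*listener[ \t]+"tcp"/   { in_l = 1; next }
        in_l && /^[ \t]*[}]/           { in_l = 0; next }
        in_l && /^[ \t]*address[ \t]*=/ {
            split($0, q, "\"")         # q[2] is the quoted value
            print q[2]
        }
    '
}

# privileged_listeners: print only the addresses whose port is < 1024,
# i.e. the ones an unprivileged Vault process cannot bind.
privileged_listeners() {
    for addr in $(listener_addrs); do
        port=${addr##*:}               # text after the last colon
        case "$port" in
            ''|*[!0-9]*) continue ;;   # no numeric port given: skip
        esac
        if [ "$port" -lt 1024 ]; then
            echo "$addr"
        fi
    done
    return 0
}

# Sample input: the listener block from the question above.
# Prints 1.2.3.4:443
privileged_listeners <<'EOF'
listener "tcp" {
  address = "1.2.3.4:443"
  tls_cert_file = "/etc/ssl/server/cert.pem"
  tls_key_file = "/etc/ssl/server/cert.key"
}
EOF
```

With the pf rule above in place, a listener set to 127.0.0.1:8443 produces no output from `privileged_listeners`, and Vault can be started as an unprivileged user.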