Open bmendric opened 1 year ago
Hi folks! Is this still an issue in newer versions of Vault? Please let me know so I can bubble it up accordingly. Thanks!
@hsimon-hashicorp I can confirm that this is still an issue with 1.15.5. I attempted to replicate it on 1.16.1, but ran into https://github.com/hashicorp/vault/issues/26439
Thank you so much for the response! I'll keep this on our project board. I'll also check out your new issue. :)
@hsimon-hashicorp looks like this was addressed as part of HCSEC-2024-14 / CVE-2024-6468
Anything that should happen w.r.t. linking this to those PRs/Issues?
**Describe the bug**
A TCP listener configured with `proxy_protocol_behavior = "deny_unauthorize"` silently closes after receiving a request originating from an IP not listed within the `proxy_protocol_authorized_addrs` list.

**To Reproduce**
Steps to reproduce the behavior:
1. `vault server -config=config.hcl`
2. `curl http://127.0.0.1:8200/v1/sys/health`
3. `ss -tlpn | grep 8200`
4. Request from an IP not in the `proxy_protocol_authorized_addrs` list. In my case, `curl http://192.168.1.20:8200/v1/sys/health`
5. `ss -tlpn | grep 8200`
**Expected behavior**
Either:
**Environment:**

- Vault Server Version (retrieve with `vault status`): Vault v1.11.3 (17250b25303c6418c283c95b1d5a9c9f16174fe8), built 2022-08-26T10:27:10Z
- Vault CLI Version (retrieve with `vault version`): Vault v1.11.3 (17250b25303c6418c283c95b1d5a9c9f16174fe8), built 2022-08-26T10:27:10Z
Of note, the above environment is my home lab and reflects the simple configuration testing done/described in this issue. The problem was originally discovered in a production testing environment using a three node cluster of Ubuntu 18.04 nodes running Vault 1.11.1 from within Docker containers.
**Vault server configuration file(s):**
**Additional context**
This took me quite a long time to wrap my head around due to our configuration in the production testing environment, so there are a couple of interesting bits I picked up along the way.

`proxy_protocol_behavior` set to `use_always` nor `allow_authorized`

Passing `--haproxy-protocol` to curl resulted in the following:

Finally, here is a screenshot of my local testing alongside the runtime logs --
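The settings at the heart of this report (`proxy_protocol_behavior` and `proxy_protocol_authorized_addrs`) are easy to get subtly wrong, and a listener that quietly disappears is hard to debug after the fact. The following is an added example, not Vault's code and not the reporter's: a small pre-deployment check that reads the flat `key = value` lines of a `listener "tcp"` block (a deliberate simplification of HCL, not a full parser), flags a behavior value outside Vault's documented set (`use_always`, `allow_authorized`, `deny_unauthorized`), requires an authorized-address list for the two restrictive modes, validates each entry as an IP or CIDR, and answers whether a given client address would count as authorized. The sample listener block is constructed for the example and reuses the misspelled value from the report so the check has something to catch.

```python
"""Static check for Vault TCP listener PROXY-protocol settings (added example)."""
import ipaddress
import re

# Vault's documented values for proxy_protocol_behavior.
VALID_BEHAVIORS = {"use_always", "allow_authorized", "deny_unauthorized"}
# The two modes that only make sense together with an authorized-address list.
REQUIRES_ADDRS = {"allow_authorized", "deny_unauthorized"}

# Constructed sample config: note the misspelled behavior value and a bad entry.
SAMPLE_CONFIG = '''
listener "tcp" {
  address                 = "0.0.0.0:8200"
  tls_disable             = true
  proxy_protocol_behavior = "deny_unauthorize"
  proxy_protocol_authorized_addrs = ["10.0.0.5", "10.0.1.0/24", "not-an-ip"]
}
'''

_LISTENER_RE = re.compile(r'listener\s+"tcp"\s*\{(.*?)\}', re.S)
_KV_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)


def parse_tcp_listener(text):
    """Return the first tcp listener's flat settings as a dict.

    Values become str, bool or list[str]. Nested blocks are not handled;
    this is a simplified reader for the keys the check cares about.
    """
    match = _LISTENER_RE.search(text)
    if not match:
        return {}
    settings = {}
    for key, raw in _KV_RE.findall(match.group(1)):
        raw = raw.strip()
        if raw.startswith("["):
            items = raw.strip("[]").split(",")
            settings[key] = [s.strip().strip('"') for s in items if s.strip()]
        elif raw in ("true", "false"):
            settings[key] = raw == "true"
        else:
            settings[key] = raw.strip('"')
    return settings


def check_proxy_settings(settings):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    behavior = settings.get("proxy_protocol_behavior")
    if behavior is None:
        return findings  # PROXY protocol handling not enabled; nothing to check
    if behavior not in VALID_BEHAVIORS:
        findings.append(
            f"unknown proxy_protocol_behavior {behavior!r}; "
            f"expected one of {sorted(VALID_BEHAVIORS)}"
        )
    addrs = settings.get("proxy_protocol_authorized_addrs", [])
    if behavior in REQUIRES_ADDRS and not addrs:
        findings.append(f"{behavior} requires a non-empty proxy_protocol_authorized_addrs list")
    for entry in addrs:
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"proxy_protocol_authorized_addrs entry {entry!r} is not an IP or CIDR")
    return findings


def is_authorized_source(source_ip, addrs):
    """True if source_ip falls inside any well-formed entry of the authorized list."""
    ip = ipaddress.ip_address(source_ip)
    for entry in addrs:
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # a malformed entry never authorizes anything
    return False


if __name__ == "__main__":
    cfg = parse_tcp_listener(SAMPLE_CONFIG)
    for finding in check_proxy_settings(cfg):
        print("FINDING:", finding)
    client = "192.168.1.20"  # the address used in the report's step 4
    print(client, "authorized:", is_authorized_source(client, cfg["proxy_protocol_authorized_addrs"]))
```

Run it against the constructed block and it reports the misspelled behavior value and the malformed list entry, and shows that `192.168.1.20` is not covered by the list, i.e. exactly the kind of client whose plain request the report says takes the listener down. The check is meant for a CI step or a pre-flight script before restarting Vault, not as a substitute for Vault's own config validation.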