Unrecognized settings in vault-conf.hcl are silently ignored #13887

Closed
candlerb opened this issue Feb 3, 2022 · 2 comments

candlerb commented Feb 3, 2022

Describe the bug
Vault is silently ignoring bad configuration settings (inside tcp listener stanzas at least)

To Reproduce
Add this configuration to vault:

```
...
listener "tcp" {
  address = "[::]:18200"
  proxy_protocol_behavior = "use_always"
  proxy_protocol_authorized_address = "[::1]"
  proxy_protocol_behavior = "deny_unauthorized"
  tls_disable="true"
}
...
```

Note that there is an error in there. The correct setting is proxy_protocol_authorized_addrs

Expected behavior
Vault should either refuse to start, or should at least log a warning about an invalid setting.

Actual behavior
Vault runs as if the bad setting were not present, and I see no mention in the stdout/stderr output captured by systemd (journalctl -eu vault)

You can confirm the difference between the two cases by using telnet ::1 18200

  • When the correct proxy_protocol_authorized_addrs is used: the connection is accepted, and waits for more data
  • When the erroneous proxy_protocol_authorized_address is used: the connection is accepted but immediately dropped, since there is no matched authorized address.

Environment:

  • Vault Server Version (retrieve with vault status): 1.9.3
  • Vault CLI Version (retrieve with vault version): n/a
  • Server Operating System/Architecture: Ubuntu 20.04.3 x86_64

Vault server configuration file(s): see above

Additional context
n/a

hghaf099 added the bug and core/config labels and removed the bug label Feb 3, 2022

hghaf099 commented Feb 3, 2022

@candlerb Thanks for filing this issue. So, Vault only looks for the exact match of what it expects in the config, and ignores the entries that are not listed as valid config options. In case you would like to check whether your configuration is correct or not, we suggest using the [vault operator diagnose](https://www.vaultproject.io/docs/commands/operator/diagnose) -config <config file> command and passing in your configuration file. It will report the issues in the configuration file and many more insights. I will close this issue for now. Please feel free to open a new one for further discussions.

hghaf099 closed this as completed Feb 3, 2022

hghaf099 commented Apr 4, 2022

The issue is fixed in #14752
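
A pre-deployment check for the failure mode reported in this issue, as an added example that is not part of the thread and not Vault's own code: it flags top-level keys in `listener "tcp"` stanzas that are not on an allow-list. The allow-list is a partial assumption to be extended from the Vault documentation, and `LintTCPListeners` is a hypothetical name.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Partial allow-list (assumption): keys named in the issue plus a few other
// documented tcp listener options. Extend it from the Vault documentation.
var known = map[string]bool{"address": true, "cluster_address": true,
	"tls_disable": true, "tls_cert_file": true, "tls_key_file": true,
	"proxy_protocol_behavior": true, "proxy_protocol_authorized_addrs": true}

var keyRe = regexp.MustCompile(`^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=`)

// Constructed sample: the listener stanza from the issue, typo included.
const sample = `listener "tcp" {
  address = "[::]:18200"
  proxy_protocol_behavior = "use_always"
  proxy_protocol_authorized_address = "[::1]"
  proxy_protocol_behavior = "deny_unauthorized"
  tls_disable="true"
}`

// LintTCPListeners flags top-level keys in listener "tcp" stanzas that are
// not allow-listed. Line-based sketch: expects one setting per line.
func LintTCPListeners(conf string) (out []string) {
	depth := 0 // brace nesting; 1 means directly inside a tcp listener
	for i, text := range strings.Split(conf, "\n") {
		if m := keyRe.FindStringSubmatch(text); depth == 1 && m != nil && !known[m[1]] {
			out = append(out, fmt.Sprintf("line %d: unrecognized key %s", i+1, m[1]))
		}
		// Start counting at a tcp listener header, then follow nested blocks.
		if depth > 0 || strings.HasPrefix(strings.TrimSpace(text), `listener "tcp"`) {
			depth += strings.Count(text, "{") - strings.Count(text, "}")
		}
	}
	return out
}

func main() {
	for _, f := range LintTCPListeners(sample) {
		fmt.Println(f)
	}
}
```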
