IBM Support

PROXY Protocol Support

Troubleshooting


Problem

A common request among Vault users is to learn the true client IP address from audit logs when the client is connecting to Vault through a load balancer or proxy.

Example Configuration

While this configuration will work with any network device that is capable of using PROXY protocol v1, this example uses an Amazon Classic Elastic Load Balancer (Classic ELB).

This example configuration has the ELB prepend a PROXY protocol header to every connection it forwards to Vault, and registers the ELB egress IP with Vault as a source whose PROXY headers may be trusted, so that the audit log records the original client IP rather than the ELB's.

NOTE: When using AWS load balancers, please be aware that you cannot use PROXY protocol with an Application Load Balancer (ALB). PROXY Protocol works on layer 4 (TCP) and the Application Load Balancer only works on layer 7.

Configure Classic ELB

Amazon has published documentation, Configure Proxy Protocol Support for Your Classic Load Balancer, which you should read carefully and follow to configure your ELB for PROXY protocol.

It is critically important that you verify the IP and port details and also check that the ELB is actually applying the proxy policy you define to the backend port. If the ELB sends PROXY headers that Vault is not configured to consume, the first bytes of every connection will be misread as the start of the request and requests will fail; if the ELB is not sending them, Vault will simply log the ELB's own address.

Here is an example basic configuration session with the aws cli; our load balancer name is vault-elb and our PROXY policy name is vault-elb-test-ProxyProtocol-policy:

First we define PROXY protocol policy on the ELB instance:

$ aws --region=us-east-1 elb create-load-balancer-policy \
    --load-balancer-name vault-elb \
    --policy-name vault-elb-test-ProxyProtocol-policy \
    --policy-type-name ProxyProtocolPolicyType \
    --policy-attributes AttributeName=ProxyProtocol,AttributeValue=true

Then we attach the policy to backend instance port 8200, the port Vault listens on:

$ aws --region=us-east-1 elb set-load-balancer-policies-for-backend-server \
    --load-balancer-name vault-elb \
    --instance-port 8200 \
    --policy-names vault-elb-test-ProxyProtocol-policy

Finally, verify that the ELB has the PROXY policy:

$ aws --region=us-east-1 elb describe-load-balancers \
    --load-balancer-names vault-elb
{
    "LoadBalancerDescriptions": [
        {
            ...
            "BackendServerDescriptions": [
                {
                    "InstancePort": 8200,
                    "PolicyNames": [
                        "vault-elb-test-ProxyProtocol-policy"
                    ]
                }
            ],
            ...
        }
    ]
}

You’ll need to update the above examples with your naming and region to use them.

Once the ELB is configured, you can move on to configuring the Vault listener.

Configure Vault Listener

Here’s an example Vault TCP listener snippet showing use of proxy_protocol* options:

listener "tcp" {
  address = "0.0.0.0:8200"
  proxy_protocol_behavior = "allow_authorized"
  proxy_protocol_authorized_addrs = "10.0.0.254"
  tls_disable = 1   # example only; keep TLS enabled on a real deployment
}

The options of note in the example are:

  • proxy_protocol_behavior: Enables PROXY protocol handling on the listener; without it the other proxy_protocol* options have no effect. The value allow_authorized means that when the source IP address of a connection is in the proxy_protocol_authorized_addrs list, the client IP carried in the PROXY header is used; when it is not, the header is not trusted and the source IP address of the connection itself is used. The value deny_unauthorized goes a step further and rejects connections whose source IP is not in the list, which is the safer choice when all traffic is expected to arrive via the ELB. Avoid use_always on any listener that clients can reach without going through the load balancer: it honors the PROXY header from any peer, so a client could put whatever address it likes into the audit log.
  • proxy_protocol_authorized_addrs: Here we specify a single ELB egress IP; this is the source IP from which Vault expects the ELB's connections to arrive. The value is a source IP, not an IP:port pair (the ELB connects from an ephemeral source port).

NOTE: you can specify a single IP or a comma-delimited list of IP addresses as the value of proxy_protocol_authorized_addrs. The private addresses of Classic ELB nodes are not fixed for the life of the load balancer, so confirm the source addresses Vault actually sees (for example, in its audit log before PROXY protocol is enabled) rather than assuming them, and revisit the list if the ELB is rescaled or moved between subnets.

Consult the tcp Listener Parameters documentation for more details on configuring PROXY protocol support.
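To make the three behaviors concrete, here is an added Go example; it is not Vault's code and not part of the original article. It parses a PROXY protocol v1 header and applies the same trust decision Vault's listener options describe to constructed connections: one from the authorized balancer address and one from an unauthorized peer that sends a forged header. The addresses 10.0.0.254, 198.51.100.9 and 203.0.113.7, the sample payload and the helper names are assumptions chosen for illustration.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"net"
	"strings"
)

// Behavior mirrors the values accepted by Vault's proxy_protocol_behavior.
type Behavior string

const (
	UseAlways        Behavior = "use_always"
	AllowAuthorized  Behavior = "allow_authorized"
	DenyUnauthorized Behavior = "deny_unauthorized"
)

// Decision records what a listener would do with one accepted connection.
type Decision struct {
	EffectiveIP string // the address that would end up in the audit log
	FromHeader  bool   // true when the PROXY header was trusted
	Rejected    bool   // true when deny_unauthorized dropped the connection
}

var ErrBadHeader = errors.New("malformed PROXY v1 header")

// parseAuthorizedAddrs accepts the comma-delimited form of
// proxy_protocol_authorized_addrs and returns the parsed source IPs.
func parseAuthorizedAddrs(raw string) ([]net.IP, error) {
	var out []net.IP
	for _, item := range strings.Split(raw, ",") {
		ip := net.ParseIP(strings.TrimSpace(item))
		if ip == nil {
			return nil, fmt.Errorf("invalid authorized address %q", item)
		}
		out = append(out, ip)
	}
	return out, nil
}

// parseProxyV1 reads one "PROXY TCP4|TCP6 <src> <dst> <sport> <dport>\r\n"
// line (at most 107 bytes per the spec) and returns the client source IP.
func parseProxyV1(payload []byte) (string, error) {
	line, err := bufio.NewReader(bytes.NewReader(payload)).ReadString('\n')
	if err != nil || len(line) > 107 || !strings.HasSuffix(line, "\r\n") {
		return "", ErrBadHeader
	}
	f := strings.Fields(strings.TrimSuffix(line, "\r\n"))
	if len(f) != 6 || f[0] != "PROXY" || (f[1] != "TCP4" && f[1] != "TCP6") {
		return "", ErrBadHeader
	}
	src := net.ParseIP(f[2])
	if src == nil {
		return "", ErrBadHeader
	}
	return src.String(), nil
}

// decide applies behavior to a connection from TCP peer sourceIP whose first
// bytes are payload, returning the IP Vault would attribute the request to.
func decide(behavior Behavior, authorized []net.IP, sourceIP string, payload []byte) (Decision, error) {
	src := net.ParseIP(sourceIP)
	trusted := false
	for _, a := range authorized {
		trusted = trusted || a.Equal(src)
	}
	hasHeader := bytes.HasPrefix(payload, []byte("PROXY "))
	switch behavior {
	case UseAlways:
		// Every peer's header is believed: a client that can reach the
		// listener directly can put any IP it likes into the audit log.
	case AllowAuthorized:
		// Only the balancer's header is honoured; other peers are logged
		// with their real TCP address.
		hasHeader = hasHeader && trusted
	case DenyUnauthorized:
		// As allow_authorized, but a peer that is not the balancer is refused.
		if !trusted {
			return Decision{EffectiveIP: sourceIP, Rejected: true}, nil
		}
	default:
		return Decision{}, fmt.Errorf("unknown proxy_protocol_behavior %q", behavior)
	}
	if !hasHeader {
		return Decision{EffectiveIP: sourceIP}, nil
	}
	ip, err := parseProxyV1(payload)
	if err != nil {
		return Decision{}, err
	}
	return Decision{EffectiveIP: ip, FromHeader: true}, nil
}

func main() {
	auth, _ := parseAuthorizedAddrs("10.0.0.254")
	// Constructed sample: the balancer forwarding a client at 203.0.113.7.
	payload := []byte("PROXY TCP4 203.0.113.7 10.0.0.10 51234 8200\r\nGET /v1/sys/health HTTP/1.1\r\n\r\n")
	for _, b := range []Behavior{UseAlways, AllowAuthorized, DenyUnauthorized} {
		for _, peer := range []string{"10.0.0.254", "198.51.100.9"} {
			d, err := decide(b, auth, peer, payload)
			fmt.Printf("%-17s peer=%-12s -> %+v err=%v\n", b, peer, d, err)
		}
	}
}
```

Running it shows the point of the authorized list: under use_always the unauthorized peer at 198.51.100.9 gets logged as 203.0.113.7 because its forged header is believed, under allow_authorized the same connection is logged as 198.51.100.9, and under deny_unauthorized it is refused.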

Once you have reconfigured Vault, restart it so the listener picks up the change, then inspect the audit log: each request record carries the address Vault attributed the connection to in request.remote_address, which should now be the client's IP rather than the ELB's.
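The check described above can be scripted. The following is an added Go example, not part of the original article and not a Vault tool: it scans newline-delimited audit records, counts request records per remote_address, and flags any that are still attributed to a balancer IP, which means the PROXY header was not applied to that connection (wrong authorized address, policy not attached on the ELB, or a direct connection that bypassed it). The embedded log excerpt is constructed for the example and trimmed to the fields used; the addresses and helper names are assumptions.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// auditEntry carries the fields of a Vault audit record this check needs.
type auditEntry struct {
	Type    string `json:"type"`
	Request struct {
		Path          string `json:"path"`
		RemoteAddress string `json:"remote_address"`
	} `json:"request"`
}

// Summary is the result of scanning one audit log.
type Summary struct {
	Requests     int            // request records seen
	ViaBalancer  int            // requests still attributed to a balancer IP
	Malformed    int            // lines that did not parse as JSON
	ClientCounts map[string]int // request records per remote_address
}

// Healthy is true when traffic was seen and none of it was attributed to the
// balancer itself, i.e. the PROXY header was applied to every connection.
func (s Summary) Healthy() bool {
	return s.Requests > 0 && s.ViaBalancer == 0
}

// scanAudit reads newline-delimited audit records from r and counts request
// records whose remote_address is one of balancerIPs.
func scanAudit(r io.Reader, balancerIPs []string) (Summary, error) {
	lb := make(map[string]bool, len(balancerIPs))
	for _, ip := range balancerIPs {
		lb[strings.TrimSpace(ip)] = true
	}
	s := Summary{ClientCounts: map[string]int{}}
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), 4*1024*1024) // audit lines can be long
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e auditEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			s.Malformed++
			continue
		}
		if e.Type != "request" { // response records repeat the request block
			continue
		}
		s.Requests++
		s.ClientCounts[e.Request.RemoteAddress]++
		if lb[e.Request.RemoteAddress] {
			s.ViaBalancer++
		}
	}
	return s, sc.Err()
}

// topClients returns remote addresses ordered by request count, busiest first.
func topClients(s Summary) []string {
	ips := make([]string, 0, len(s.ClientCounts))
	for ip := range s.ClientCounts {
		ips = append(ips, ip)
	}
	sort.Slice(ips, func(i, j int) bool {
		if s.ClientCounts[ips[i]] != s.ClientCounts[ips[j]] {
			return s.ClientCounts[ips[i]] > s.ClientCounts[ips[j]]
		}
		return ips[i] < ips[j]
	})
	return ips
}

// sampleAudit is a constructed excerpt in the shape of Vault's file audit
// device output, trimmed to the fields used above; it is not a real log.
const sampleAudit = `
{"time":"2024-05-01T12:00:00Z","type":"request","request":{"path":"sys/health","remote_address":"203.0.113.7"}}
{"time":"2024-05-01T12:00:00Z","type":"response","request":{"path":"sys/health","remote_address":"203.0.113.7"}}
{"time":"2024-05-01T12:00:01Z","type":"request","request":{"path":"secret/data/app","remote_address":"203.0.113.7"}}
{"time":"2024-05-01T12:00:02Z","type":"request","request":{"path":"auth/token/lookup-self","remote_address":"198.51.100.23"}}
{"time":"2024-05-01T12:00:03Z","type":"request","request":{"path":"sys/health","remote_address":"10.0.0.254"}}
not json at all
`

func main() {
	s, err := scanAudit(strings.NewReader(sampleAudit), []string{"10.0.0.254"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("requests=%d via_balancer=%d malformed=%d healthy=%v\n",
		s.Requests, s.ViaBalancer, s.Malformed, s.Healthy())
	for _, ip := range topClients(s) {
		fmt.Printf("  %-15s %d\n", ip, s.ClientCounts[ip])
	}
}
```

Against a real deployment, feed the audit device's file to scanAudit (for example via os.Open) and pass every address in proxy_protocol_authorized_addrs as balancerIPs; a non-zero ViaBalancer count after the change is the signal that some connections are still arriving without a usable PROXY header.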

Resources

  1. PROXY protocol specification
  2. tcp Listener
  3. proxy_protocol_behavior
  4. proxy_protocol_authorized_addrs
  5. Configure Proxy Protocol Support for Your Classic Load Balancer
  6. AWS cli

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSLC9Y2","label":"IBM Vault Self-Managed"},"ARM Category":[{"code":"","label":""}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]

Historical Number

115015659767

Document Information

Modified date:
16 March 2026

UID

ibm17264419