From b193dcaca3a22724f1f95fef95508d918cf5d10d Mon Sep 17 00:00:00 2001 From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com> Date: Thu, 17 Aug 2023 14:55:45 -0400 Subject: [PATCH] backport of commit c3141977a672bf77707473c0e329b2e104a1f5b4 (#19733) Co-authored-by: Rowan Smith <86935689+rowansmithhc@users.noreply.github.com> Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- website/content/docs/configuration/listener/tcp.mdx | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/website/content/docs/configuration/listener/tcp.mdx b/website/content/docs/configuration/listener/tcp.mdx index a6fee9861027..a47742376227 100644 --- a/website/content/docs/configuration/listener/tcp.mdx +++ b/website/content/docs/configuration/listener/tcp.mdx @@ -167,7 +167,11 @@ default value in the `"/sys/config/ui"` [API endpoint](/api-docs/system/config-u - `x_forwarded_for_authorized_addrs` `(string: )` – Specifies the list of source IP CIDRs for which an X-Forwarded-For header will be trusted. Comma-separated list or JSON array. This turns on - X-Forwarded-For support. + X-Forwarded-For support. If for example Vault receives connections from the + load balancer's IP of `1.2.3.4`, adding `1.2.3.4` to `x_forwarded_for_authorized_addrs` + will result in the `remote_address` field in the audit log being populated with the + connecting client's IP, for example `3.4.5.6`. Note this requires the load balancer + to send the connecting client's IP in the `X-Forwarded-For` header. - `x_forwarded_for_hop_skips` `(string: "0")` – The number of addresses that will be skipped from the _rear_ of the set of hops. For instance, for a header value
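Review bot: The added example under `x_forwarded_for_authorized_addrs` uses a bare address (`1.2.3.4`) while the unchanged description two lines above says the option takes "source IP CIDRs", so either write the example in CIDR form or state that a single IP is accepted. The closing "Note this requires the load balancer to send the connecting client's IP" also undersells the trust decision: once an address is authorized, the audit log's `remote_address` comes from a header rather than from the TCP peer, so the text should say that the list must contain only the load balancer's own addresses and that the load balancer must set the header itself rather than pass through a value supplied by the client. It would help to point to `x_forwarded_for_hop_skips` directly below for the multi-hop case. Minor: "If for example Vault receives" needs commas ("If, for example, Vault receives"), and the sample addresses `1.2.3.4` and `3.4.5.6` would be better taken from the RFC 5737 documentation ranges such as `192.0.2.0/24` and `203.0.113.0/24`.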