tcp Listener

The TCP listener configures Boundary to listen on a TCP address/port.

  listener "tcp" {
    purpose = "api"
    address = "127.0.0.1:9200"
  }

The listener stanza may be specified more than once to make Boundary listen on multiple interfaces; however, only one listener marked for cluster purpose is allowed.

tcp Listener Parameters

  • purpose (string: "") - Specifies the purpose. Can be api, cluster, or proxy.

  • address (string: "127.0.0.1:9200") – Specifies the address to bind to for listening.

  • http_idle_timeout (string: "5m") - Specifies the maximum amount of time to wait for the next request when keep-alives are enabled. If http_idle_timeout is zero, the value of http_read_timeout is used. If both are zero, the value of http_read_header_timeout is used. This is specified using a label suffix like "30s" or "1h".

  • http_read_header_timeout (string: "10s") - Specifies the amount of time allowed to read request headers. This is specified using a label suffix like "30s" or "1h".

  • http_read_timeout (string: "30s") - Specifies the maximum duration for reading the entire request, including the body. This is specified using a label suffix like "30s" or "1h".

  • http_write_timeout (string: "0") - Specifies the maximum duration before timing out writes of the response and is reset whenever a new request’s header is read. The default value of "0" means infinity (no write timeout). This is specified using a label suffix like "30s" or "1h".

  • max_request_duration (string: "90s") – Specifies the maximum request duration allowed before Boundary cancels the request. This overrides default_max_request_duration for this listener.

  • tls_disable (string: "false") – Specifies if TLS will be disabled. Boundary assumes TLS by default, so you must explicitly disable TLS to opt-in to insecure communication.

  • tls_cert_file (string: <required-if-enabled>, reloads-on-SIGHUP) – Specifies the path to the certificate for TLS. To configure the listener to use a CA certificate, concatenate the primary certificate and the CA certificate together. The primary certificate should appear first in the combined file. On SIGHUP, the path set here at Boundary startup will be used for reloading the certificate; modifying this value while Boundary is running will have no effect for SIGHUPs.

  • tls_key_file (string: <required-if-enabled>, reloads-on-SIGHUP) – Specifies the path to the private key for the certificate. If the key file is encrypted, you will be prompted to enter the passphrase on server startup. The passphrase must stay the same between key files when reloading your configuration using SIGHUP. On SIGHUP, the path set here at Boundary startup will be used for reloading the certificate; modifying this value while Boundary is running will have no effect for SIGHUPs.

  • tls_min_version (string: "tls12") – Specifies the minimum supported version of TLS. Accepted values are “tls10”, “tls11”, “tls12” or “tls13”.

    Warning: TLS 1.1 and lower are generally considered insecure.

  • tls_cipher_suites (string: "") – Specifies the list of supported ciphersuites as a comma-separated-list. The list of all available ciphersuites is available in the Golang TLS documentation.

  • tls_prefer_server_cipher_suites (string: "false") – Specifies to prefer the server’s ciphersuite over the client ciphersuites.

  • tls_require_and_verify_client_cert (string: "false") – Turns on client authentication for this listener; the listener will require a presented client cert that successfully validates against system CAs.

  • tls_client_ca_file (string: "") – PEM-encoded Certificate Authority file used for checking the authenticity of the client certificate.

tcp Listener Examples

Configuring TLS

This example shows enabling a TLS listener.

  listener "tcp" {
    purpose = "api"
    tls_cert_file = "/etc/certs/Boundary.crt"
    tls_key_file = "/etc/certs/Boundary.key"
  }

Listening on Multiple Interfaces

This example shows Boundary listening on a private interface, as well as localhost.

  listener "tcp" {
    purpose = "api"
    address = "127.0.0.1:9200"
  }
  listener "tcp" {
    purpose = "cluster"
    address = "10.0.0.5:9200"
  }
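Hardening a TLS Listener

The following is an added example, not taken from the Boundary documentation or project, that combines the parameters described above into one API listener: it keeps TLS enabled with TLS 1.2 as the floor, requires and verifies client certificates against a dedicated CA, and sets explicit request timeouts so slow or idle clients cannot hold connections open indefinitely. The address and file paths are placeholders assumed for this example.

```hcl
# Added example (not from the Boundary docs): an API listener with mutual TLS
# and explicit timeouts. Address and paths are placeholders for this example.
listener "tcp" {
  purpose = "api"
  address = "10.0.0.5:9200"    # bind to a specific private interface, not 0.0.0.0

  # TLS is on by default; keeping tls_disable at "false" makes the choice explicit
  tls_disable   = "false"
  tls_cert_file = "/etc/boundary/tls/api.crt"   # primary cert first, CA cert appended
  tls_key_file  = "/etc/boundary/tls/api.key"   # path is fixed at startup for SIGHUP reloads

  # Reject TLS 1.0/1.1 clients and let the server pick the cipher suite
  tls_min_version                 = "tls12"
  tls_prefer_server_cipher_suites = "true"

  # Mutual TLS: a client cert is required and checked against this CA file
  tls_require_and_verify_client_cert = "true"
  tls_client_ca_file                 = "/etc/boundary/tls/client-ca.pem"

  # Bound how long a single client can keep a request or connection open
  http_read_header_timeout = "10s"
  http_read_timeout        = "30s"
  http_write_timeout       = "30s"   # the default "0" would mean no write timeout
  http_idle_timeout        = "2m"
  max_request_duration     = "60s"   # overrides default_max_request_duration here
}
```

Because the cert and key paths are read at startup for SIGHUP reloads, rotate certificates by replacing the files at these paths rather than by editing the paths in the running configuration.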