Vault + nginx setup for SSL

Jason Novotny

Apr 20, 2016, 3:28:57 PM
to Vault
Hi,

I'm trying to host Vault behind nginx to support SSL. Basically I kept the vault configuration as-is:

listener "tcp" {
 address = "127.0.0.1:8200"
 tls_disable = 1
}

and added an nginx entry:

server {
  listen 172.24.16.163:8443 ssl;
  server_name vault.vanare.net;

  ssl_certificate /etc/my.crt;
  ssl_certificate_key /etc/my.key;

  location / {
    proxy_pass http://127.0.0.1:8200;
    proxy_set_header Host $host;
    expires -1;
  }

  #ssl config per https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

  ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";
  ssl_prefer_server_ciphers on;

  ssl_dhparam dhparam.pem;

  #only supported since 1.3.7
  ssl_stapling on;
  ssl_stapling_verify on;

  # Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes.
  # The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
  # By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
  # Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
  ssl_session_cache    shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
  ssl_session_timeout  10m;

  add_header Strict-Transport-Security max-age=63072000;
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
}

However, now when trying to read a secret I get:

Error reading secret/foo: Get https://172.24.16.163:8200/v1/secret/foo: http: server gave HTTP response to HTTPS client

Any help is greatly appreciated!

Thanks, Jason

David Adams

Apr 20, 2016, 4:10:12 PM
to vault...@googlegroups.com
Jason,
Your vault is configured to run on port 8200, but nginx is on port 8443. Your error message indicates the query was going against port 8200.

-dave
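To make the port mismatch in this thread concrete, here is a small diagnostic (an added example, not code from the thread, from Vault or from nginx): it reads the two snippets above with minimal regexes (a hypothetical helper, not a real HCL or nginx parser) and reports which listener a given VAULT_ADDR is hitting and what it should point at.

```python
import re
from urllib.parse import urlsplit

# Constructed inputs mirroring the two config snippets in the thread.
VAULT_LISTENER = '''
listener "tcp" {
 address = "127.0.0.1:8200"
 tls_disable = 1
}
'''
NGINX_SERVER = '''
server {
  listen 172.24.16.163:8443 ssl;
  server_name vault.vanare.net;
  location / { proxy_pass http://127.0.0.1:8200; }
}
'''

def parse_vault_listener(cfg):
    """(host, port, tls_disabled) from a minimal listener "tcp" block."""
    addr = re.search(r'address\s*=\s*"([^"]+)"', cfg).group(1)
    host, port = addr.rsplit(":", 1)
    tls_off = re.search(r'tls_disable\s*=\s*(?:1|"?true"?)', cfg) is not None
    return host, int(port), tls_off

def parse_nginx_server(cfg):
    """(port, ssl_on, server_name, upstream) from a minimal server block."""
    m = re.search(r'listen\s+(?:[\w.]+:)?(\d+)(\s+ssl)?\s*;', cfg)
    name = re.search(r'server_name\s+([^\s;]+)\s*;', cfg).group(1)
    upstream = re.search(r'proxy_pass\s+([^\s;]+)\s*;', cfg).group(1)
    return int(m.group(1)), m.group(2) is not None, name, upstream

def diagnose(vault_addr, listener_cfg, nginx_cfg):
    """Return (finding, expected_addr); port-based, like the reply in the
    thread: TLS is only offered on nginx's port, never on Vault's own."""
    u = urlsplit(vault_addr)
    v_host, v_port, v_plain = parse_vault_listener(listener_cfg)
    n_port, n_ssl, n_name, upstream = parse_nginx_server(nginx_cfg)
    expected = f"https://{n_name}:{n_port}"
    port = u.port or (443 if u.scheme == "https" else 80)
    if upstream != f"http://{v_host}:{v_port}":
        return f"nginx proxies to {upstream}, Vault listens on {v_host}:{v_port}", expected
    if port == v_port and v_plain and u.scheme == "https":
        return f"port {v_port} is Vault's plaintext listener; an https client gets an HTTP reply there", expected
    if port == n_port and n_ssl and u.scheme != "https":
        return f"port {n_port} is nginx's TLS listener; use https", expected
    if port == n_port and u.scheme == "https":
        return "ok", expected
    return f"nothing listens on port {port}", expected
```

Running diagnose("https://172.24.16.163:8200/v1/secret/foo", VAULT_LISTENER, NGINX_SERVER) flags port 8200 as the plaintext listener and suggests https://vault.vanare.net:8443 for VAULT_ADDR.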
