working sample for vault + ui behind nginx setup?


Torsten Reinhard

Jul 27, 2018, 8:29:00 AM
to Vault
Hi,

for test purposes, I'm running vault (0.10.3) with enabled UI on an openstack instance.
This instance can't be accessed directly (due to IP address limits), so we've set up an NGinx proxy in front of it.


The current nginx configuration looks like:

server {
        listen 80;
        server_name myhost.mycompany.net;

        ...

        location ^~ /ui/ {
                proxy_set_header   Host             $host:$server_port;
                proxy_set_header   X-Real-IP        $remote_addr;
                proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

                proxy_pass http://192.168.0.13:8200/ui/;
        }

        # Leave this location block as last block
        location / {
                root /var/www/html;
        }
}


With that setup, I'm getting a 404 because of missing


Which locations need to be added to the nginx config in order to get it properly working?
Later on, I'll have to expose the vault URL itself somehow in order to be accessible by all clients.

Is there a working sample available on how to set this up correctly, reflecting all the advice mentioned in https://www.hashicorp.com/resources/hashicorp-vault-administrative-guide ?

Please note that I'm new to vault - and nginx configuration at all :-)

Thanx for any advice,

Torsten

Matthew Irish

Jul 29, 2018, 11:59:48 PM
to vault...@googlegroups.com
Hi Torsten!

The UI is just an alternative API client, so if you want to expose the UI, you'll have to expose the API endpoints as well. Essentially you'd add `v1/*` to your proxy pass config - the very big caveat here being that this exposes your Vault cluster as well (anyone could `export VAULT_ADDR=http://myhost.mycompany.net/` and then use the CLI to access Vault).

Hope this helps!
Matthew

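Matthew's suggestion written out as nginx configuration, as an added example that is not part of the original thread or an official HashiCorp sample. The host name and upstream address are the ones from Torsten's post; the TLS listener, the certificate paths and the allowed client range are assumptions and placeholders to replace with your own.

```nginx
# Added example. Other locations from the original config ("...") are omitted.
upstream vault_backend {
    server 192.168.0.13:8200;          # Vault listener from the original post
}

server {
    listen 80;
    server_name myhost.mycompany.net;
    # Vault tokens travel in request headers: keep them off plain HTTP.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name myhost.mycompany.net;

    ssl_certificate     /etc/nginx/tls/PLACEHOLDER.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/PLACEHOLDER.key;   # placeholder path

    # The UI is only static assets plus API calls made from the browser.
    location ^~ /ui/ {
        allow 10.0.0.0/8;              # placeholder: networks allowed to reach Vault
        deny  all;
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://vault_backend;   # no URI part: the path is passed through unchanged
    }

    # Without this block the UI cannot reach the API it depends on.
    # With it, the whole Vault API is reachable through the proxy, so the
    # same allow/deny policy applies here as for /ui/.
    location ^~ /v1/ {
        allow 10.0.0.0/8;              # placeholder, keep identical to /ui/
        deny  all;
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://vault_backend;
    }

    # Leave this location block as last block
    location / {
        root /var/www/html;
    }
}
```

The hop from nginx to Vault is still plain HTTP here, as in the original post; the `allow`/`deny` pair only narrows who can reach the API through the proxy and does not replace Vault's own authentication and policies.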

Torsten Reinhard

Jul 30, 2018, 3:53:57 AM
to Vault
Hi,

thx, I'll try that - I was just hesitating, because I didn't know if /v1/* would be all - or if there would be more to be exposed.
Is there an option to "map" vault to let's say http://myhost.mycompany.net/vault and the ui to http://myhost.mycompany.net/vault/ui ?
This would be necessary for me, because of the last proxypass rule in my current config.

(I know this is more NGinx related, but probably someone did already solve this for vault)

Additionally, what about https://www.vaultproject.io/docs/configuration/listener/tcp.html#proxy_protocol_behavior - do I need something special for a properly configured NGinx setup?

Best regards, Torsten