Nginx Reverse Proxy for HashiCorp Vault on CentOS 8

A reverse proxy is a proxy server that relays client requests from the external network to one or more servers that are logically located on the internal network. To the client, it looks as if the requested resources are served directly by the proxy server.

In the previous article, we looked at installing HashiCorp Vault on CentOS 8 and setting up our own Vault PKI CA.

After we have issued an SSL certificate for the vault.example.com domain from our own certificate authority, we will reconfigure Vault to use SSL. Nginx will terminate TLS and forward requests to Vault, which keeps listening only on the loopback address.

Installing Nginx

Install the dnf-utils package

$ sudo dnf -y install dnf-utils

Add the nginx repository

$ sudo nano /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

Installing Nginx

$ sudo dnf -y install nginx

Start the service, enable it at boot and check its status

$ sudo systemctl enable --now nginx
$ systemctl status nginx

Configuring Firewall

Open ports 80 and 443

$ sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
$ sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
$ sudo firewall-cmd --reload

Configuring Nginx

Disable the default config

$ sudo mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf_disabled

Create a new nginx config for Vault

$ sudo nano /etc/nginx/conf.d/vault.example.com.conf
server {
  listen 80 default_server;
  server_name _;
  # Send every plain HTTP request to the HTTPS listener below
  return 301 https://$host$request_uri;
}

server {
  # 'ssl' on the listen line enables TLS; the old 'ssl on;' directive is deprecated
  listen 443 ssl default_server;
  server_name _;

  ssl_certificate /etc/nginx/conf.d/vault.example.com.crt.pem;
  ssl_certificate_key /etc/nginx/conf.d/vault.example.com.crt.key;

  # TLSv1 and TLSv1.1 are deprecated; offer only TLSv1.2 and TLSv1.3
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers HIGH:!aNULL:!MD5;

  ssl_prefer_server_ciphers on;
  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:50m;
  ssl_session_tickets off;

  location / {
    # Vault listens in plaintext on loopback only (see the Vault config below)
    proxy_pass http://127.0.0.1:8200;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
  }
}
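A small lint for the server block above, added here as an example and not part of the original article: it flattens nginx directives with a regex and flags the settings a reviewer would reject in a TLS-terminating proxy in front of Vault (the deprecated ssl on;, TLSv1/TLSv1.1, a plaintext proxy_pass to anything other than loopback, a missing X-Forwarded-Proto, and a missing Strict-Transport-Security header). Both configs are constructed samples; the hardened variant is derived from the weak one in code so the difference is explicit.

```python
import re
from urllib.parse import urlparse

# Constructed sample (not the article's exact file): the HTTPS server block with
# the two settings the lint is meant to catch, 'ssl on;' and TLSv1/TLSv1.1.
WEAK_CONF = """
server {
  listen 443 ssl default_server;
  server_name _;
  ssl on;
  ssl_certificate /etc/nginx/conf.d/vault.example.com.crt.pem;
  ssl_certificate_key /etc/nginx/conf.d/vault.example.com.crt.key;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers HIGH:!aNULL:!MD5;
  location / {
    proxy_pass http://127.0.0.1:8200;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto https;
  }
}
"""

# The same block after hardening: no 'ssl on;', modern protocols only, HSTS added.
HARDENED_CONF = (
    WEAK_CONF.replace("  ssl on;\n", "")
    .replace("TLSv1 TLSv1.1 TLSv1.2", "TLSv1.2 TLSv1.3")
    .replace("  location / {",
             '  add_header Strict-Transport-Security "max-age=31536000" always;\n  location / {')
)

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# One directive per line, terminated by ';' (block openers such as 'server {' are skipped).
DIRECTIVE_RE = re.compile(r"^\s*([a-z_]+)\s+([^;{}\n]*);", re.MULTILINE)


def parse_directives(conf: str) -> dict:
    """Flatten the file into {directive: [argument strings]}. Block nesting is
    ignored, which is enough for a single-vhost file like the one above."""
    found = {}
    for name, args in DIRECTIVE_RE.findall(conf):
        found.setdefault(name, []).append(args.strip())
    return found


def lint_proxy_tls(conf: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(conf)
    findings = []
    if "ssl" in d:
        findings.append("'ssl on;' is deprecated; 'listen 443 ssl' already enables TLS")
    for protos in d.get("ssl_protocols", []):
        weak = WEAK_PROTOCOLS & set(protos.split())
        if weak:
            findings.append("weak ssl_protocols enabled: " + ", ".join(sorted(weak)))
    for target in d.get("proxy_pass", []):
        url = urlparse(target)
        if url.scheme == "http" and url.hostname not in LOOPBACK:
            findings.append(f"plaintext proxy_pass to non-loopback backend {target}")
    headers = {h.split()[0] for h in d.get("proxy_set_header", []) if h.split()}
    if "X-Forwarded-Proto" not in headers:
        findings.append("X-Forwarded-Proto is not forwarded; Vault cannot tell the client used HTTPS")
    if not any(h.startswith("Strict-Transport-Security") for h in d.get("add_header", [])):
        findings.append("no Strict-Transport-Security header on the HTTPS server block")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint_proxy_tls(conf) or "OK")
```

Run it against /etc/nginx/conf.d/vault.example.com.conf by reading the file into lint_proxy_tls; nginx -t still has the final word on syntax, this only covers the security-relevant directives.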

Copy the certificates we created earlier

$ sudo cp ~/vault.example.com.crt.* /etc/nginx/conf.d/

Note: when creating the PKI, we specified the URLs of the root and intermediate CA without HTTPS and with a port (http://vault.example.com:8200). Through the web interface (or the terminal), change the URL of the root certificate authority to https://vault.example.com, then delete the intermediate certificate authority and recreate it with the correct URL (repeating the steps from creating the CSR file to the end).

Thus the root certificate authority (the one we distribute) stays the same, while the intermediate and server certificates are new.

Better still, take this into account when first creating your own certificate authority.

Restart Nginx

$ sudo systemctl restart nginx

Vault setup

Edit the Vault config

$ sudo nano /etc/vault.d/vault.hcl
disable_cache = true
disable_mlock = true
ui = true
# Plaintext listener on loopback only; TLS is terminated by Nginx
listener "tcp" {
    address     = "127.0.0.1:8200"
    tls_disable = 1
}
# Previous listener with TLS handled by Vault itself, kept for reference
# listener "tcp" {
#     tls_disable   = 0
#     address       = "0.0.0.0:8200"
#     tls_cert_file = "/etc/vault.d/vault.example.com.crt.pem"
#     tls_key_file  = "/etc/vault.d/vault.example.com.crt.key"
# }
# storage "file" {
#     path = "/var/lib/vault/data"
# }
storage "postgresql" {
    # PASSWORD and POSTGRES_HOST are placeholders; substitute your own values
    connection_url = "postgres://vltusr:PASSWORD@POSTGRES_HOST:5432/vaultdb?sslmode=disable"
    table          = "vault_kv_store"
    max_parallel   = "128"
}
api_addr                = "http://127.0.0.1:8200"
max_lease_ttl           = "10h"
default_lease_ttl       = "10h"
cluster_name            = "vault"
raw_storage_endpoint    = true
disable_sealwrap        = true
disable_printable_check = true
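A check for the Vault side of this setup, added here as an example and not part of the original article: it reads the listener, api_addr and storage stanzas with a minimal HCL regex parser (only as much HCL as this file uses) and confirms that a listener with tls_disable is bound to loopback, that a plaintext api_addr points at loopback, and it warns when the PostgreSQL connection_url carries sslmode=disable. The sample config is constructed; its database credentials are placeholders.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample of the relevant stanzas from this article; PASSWORD and
# POSTGRES_HOST are placeholders, not real values.
VAULT_HCL = '''
ui = true
# listener "tcp" {
#     address = "0.0.0.0:8200"
# }
listener "tcp" {
    address     = "127.0.0.1:8200"
    tls_disable = 1
}
storage "postgresql" {
    connection_url = "postgres://vltusr:PASSWORD@POSTGRES_HOST:5432/vaultdb?sslmode=disable"
    table          = "vault_kv_store"
}
api_addr = "http://127.0.0.1:8200"
'''

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
COMMENT_RE = re.compile(r"^\s*#.*$", re.MULTILINE)
BLOCK_RE = re.compile(r'(\w+)\s+"(\w+)"\s*\{([^}]*)\}', re.DOTALL)
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', re.MULTILINE)


def parse_hcl(text: str) -> dict:
    """Minimal HCL reader: top-level 'key = value' lines plus one level of
    named blocks, e.g. {"listener": [{"type": "tcp", "address": ...}]}."""
    text = COMMENT_RE.sub("", text)          # drop commented-out stanzas first
    blocks = {}
    for kind, name, body in BLOCK_RE.findall(text):
        attrs = dict(ASSIGN_RE.findall(body))
        attrs["type"] = name
        blocks.setdefault(kind, []).append(attrs)
    cfg = dict(ASSIGN_RE.findall(BLOCK_RE.sub("", text)))
    cfg["_blocks"] = blocks
    return cfg


def listener_host(address: str) -> str:
    """'127.0.0.1:8200' -> '127.0.0.1'; '[::1]:8200' -> '::1'."""
    return urlparse("//" + address).hostname or ""


def check_vault_config(text: str) -> list:
    """Return a list of findings; empty means the config matches the proxy setup."""
    cfg = parse_hcl(text)
    findings = []
    for lst in cfg["_blocks"].get("listener", []):
        plaintext = lst.get("tls_disable", "0").lower() in ("1", "true")
        if plaintext and listener_host(lst.get("address", "")) not in LOOPBACK:
            findings.append(f"listener {lst.get('address')} serves plaintext outside loopback; "
                            "bind it to 127.0.0.1 behind the proxy or enable TLS")
    api = urlparse(cfg.get("api_addr", ""))
    if api.scheme == "http" and api.hostname not in LOOPBACK:
        findings.append(f"api_addr {cfg['api_addr']} is plaintext and not on loopback")
    for st in cfg["_blocks"].get("storage", []):
        query = parse_qs(urlparse(st.get("connection_url", "")).query)
        if query.get("sslmode", [""])[0] == "disable":
            findings.append("storage connection_url has sslmode=disable; "
                            "traffic between Vault and PostgreSQL is unencrypted")
    return findings


if __name__ == "__main__":
    print(check_vault_config(VAULT_HCL) or "OK")
```

With the article's config the only finding is the sslmode=disable warning; switching the listener address to 0.0.0.0 while tls_disable stays set adds a second finding, which is exactly the misconfiguration that would expose Vault in plaintext past the proxy.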

Restart Vault

$ sudo systemctl restart vault

Export the VAULT_ADDR variable

$ export VAULT_ADDR=http://127.0.0.1:8200

Make it persistent in the .bashrc file

$ nano ~/.bashrc
[…]
export VAULT_ADDR=http://127.0.0.1:8200

You can also remove the line with our host and IP address from the /etc/hosts file.

Check the status, unseal the Vault and log in

$ vault status
$ vault operator unseal
$ vault login

Firewall adjustment

Close port 8200, since Vault now listens only on 127.0.0.1 and is reached through Nginx

$ sudo firewall-cmd --zone=public --remove-port=8200/tcp --permanent
$ sudo firewall-cmd --reload