As in my other topic from last week, I have 3 Vault servers and 3 Consul servers in AWS… in a private network only reachable through a Bastion host (as per Vault best practice).
I am not able to configure an nginx/haproxy on the bastion host to connect to the GUI remotely.
In the nginx log on the bastion host I got:
2020/10/08 10:55:06 [error] 22300#0: *466 upstream sent no valid HTTP/1.0 header while reading response header from upstream, client: xxx.xxx.xxx.xxx, server: vault_server, request: "GET /ui HTTP/1.1", upstream: "http://10.139.11.98:8200/ui", host: "xxx.xxx.xxx.xxx"
On one of the Vault servers I have:
Oct 8 11:57:47 ip-172-31-31-166 vault: 2020-10-08T11:57:47.195Z [INFO ] http: TLS handshake error from 10.139.1.110:42416: tls: first record does not look like a TLS handshake
Not sure if it's possible to access the GUI or not with this conf.
Could it be a TLS issue, or is it the nginx conf that is not doing its job?
Any help would be appreciated.
Easier ways using ssh forwarding:
ssh -At user@jumphost -L 8200:vault-internal-ip:8200
or using the ssh -J flag:
ssh -J user@jumphost user@vault-internal-ip -L 8200:127.0.0.1:8200
The second is the correct way to use ssh to jump into a machine, but the first is better since you do not need to ssh into the Vault machine in the first place… (ssh forwarding must be enabled on your bastion…)
Once you have connected… just open your browser and point it to
http(s)://127.0.0.1:8200. If it is going to be SSL… I would suggest adding
vaulthostname 127.0.0.1 to your hosts file and using the Vault host name in the browser… this will stop warnings about invalid SSL.
Hi there. Thanks for that, and I forgot to mention that I've already done the ssh tunneling and it works perfectly, but what I was looking for is a reverse proxy to give access to other people to try the Vault GUI.
I didn't want to ask people to do the tunneling themselves, and actually most of them don't know how to do it.
Thanks for the helpful post, I’m starting to look at how to do this. Would this also be the same steps to use if I wanted to use vault cli in a terminal? Or would I achieve that differently?
The nginx log lists the upstream as http://10.139.11.98, however the Vault logs are talking about TLS errors. That suggests you have TLS enabled within Vault, so you should be using https://10.139.11.98 for the upstream in nginx.
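As an added example (not from the thread, and not HashiCorp's own configuration), here is what an nginx reverse proxy on the bastion looks like once the upstream is switched to https and the upstream certificate is actually verified, rather than just connecting blindly. The Vault address comes from the log above; the certificate paths, the server name and the proxy_ssl_name hostname are placeholders. It also includes the plain-http listener that only redirects to https, which is the redirect mentioned later in the thread.

```nginx
# Added example: nginx on the bastion fronting a TLS-enabled Vault.
# Assumptions (placeholders): Vault listens on https://10.139.11.98:8200,
# the Vault CA bundle is at /etc/nginx/vault-ca.pem, nginx has its own
# cert/key for the public side, and Vault's cert carries a SAN for
# vault.example.internal.

# Port 80 only redirects; Vault tokens must never travel over cleartext.
server {
    listen 80;
    server_name vault_server;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name vault_server;

    ssl_certificate     /etc/nginx/bastion.crt;
    ssl_certificate_key /etc/nginx/bastion.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # The failing config in the thread used http:// here. Vault speaks TLS on
        # 8200, which is why it logged "first record does not look like a TLS
        # handshake" and nginx saw "no valid HTTP/1.0 header".
        proxy_pass https://10.139.11.98:8200;

        # Verify the upstream certificate against the Vault CA so a rogue host
        # on the private network cannot impersonate Vault to the proxy.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/vault-ca.pem;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
        # Send SNI and check the name against the certificate (placeholder name).
        proxy_ssl_server_name         on;
        proxy_ssl_name                vault.example.internal;

        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Some Vault operations (e.g. long API calls from the UI) take a while.
        proxy_read_timeout 300s;
    }
}
```

Two things worth checking after loading this: `nginx -t` should pass, and the Vault audit log will show the bastion's address as the client unless the Vault listener is configured to trust X-Forwarded-For from the bastion (Vault's `x_forwarded_for_authorized_addrs` listener setting), so audit entries attribute requests to the real users.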
In my use case this worked for me:
ssh -J firstname.lastname@example.org email@example.com -L 8200:vault.service.consul:8200
The internal host (i-78fd5d05ebd074178.node.consul) is a vault client, so I’m not connecting directly to a vault server.
I am using ssh certificates issued for the public aws hostname and private consul dns name. Consul is also used on the vault client to resolve vault.service.consul.
Thanks for this thread, I’m really glad I managed to get the Vault UI working through a private connection with SSH certificates thanks to all your comments here!
Since the CLI connects to the same endpoint as the web UI does… just ssh forwarding will do.
If it is not the default of https://127.0.0.1:8200 then set it with
Thanks @freibus! I'm finding that I need to get the Vault public cert to my remote client, which is fair enough, but can I make this part easier, I wonder…
Since we can establish the authenticity of a bastion host (ssh certificates), and the bastion can establish the authenticity of the Vault server it is connecting to (the SSL CA public cert it has to connect to Vault), is there a way my remote host can somehow streamline adding the Vault SSL cert to use the CLI with less hassle? Not sure if it's possible, but the less I have to manage outside to a new client the better.
Hi, if you are using nginx as a reverse proxy you need to add an annotation to the config file to redirect http to https.
If you are using Vault inside a Kubernetes cluster you need to add this annotation to your ingress.
I'm not using Kubernetes, but thanks for sharing.