Vault UI access from a bastion host

Hi all.
As in my other topic from last week, I have 3 Vault servers and 3 Consul servers in AWS… in a private network only reachable through a bastion host (as per Vault best practice).

I am not able to configure an nginx/haproxy on the bastion host to connect to the GUI remotely.

In the nginx log on the bastion host I get:

2020/10/08 10:55:06 [error] 22300#0: *466 upstream sent no valid HTTP/1.0 header while reading response header from upstream, client: xxx.xxx.xxx.xxx, server: vault_server, request: "GET /ui HTTP/1.1", upstream: "http://10.139.11.98:8200/ui", host: "xxx.xxx.xxx.xxx"

On one of the Vault servers I have:

Oct 8 11:57:47 ip-172-31-31-166 vault: 2020-10-08T11:57:47.195Z [INFO ] http: TLS handshake error from 10.139.1.110:42416: tls: first record does not look like a TLS handshake

Not sure if it's possible to access the GUI or not with this conf.

Could it be a TLS issue, or is the nginx conf not doing its job?

Any help would be appreciated.
Thanks

Easier ways using ssh forwarding:

ssh -At user@jumphost -L 8200:vault-internal-ip:8200

or using the ssh -J flag:

ssh -J user@jumphost user@vault-internal-ip -L 8200:127.0.0.1:8200

The second is the correct way to use ssh to jump into a machine, but the first is better since you do not need to ssh into the Vault machine in the first place… (ssh forwarding must be enabled on your bastion…)

Once you have connected… just open your browser and point it to http(s)://127.0.0.1:8200. If it is going to be SSL… I would suggest adding "127.0.0.1 vaulthostname" to your hosts file and using the Vault host name in the browser… this will stop warnings about an invalid SSL certificate.


Hi there. Thanks for that, and I forgot to mention that I've already done the ssh tunneling and it works perfectly, but what I was looking for is a reverse proxy to give access to other people to try the Vault GUI.
I didn't want to ask people to do the tunneling themselves, and actually most of them dunno how to do it.

Thanks anyway
Appreciate it

Thanks for the helpful post, I'm starting to look at how to do this. Would these also be the same steps to use if I wanted to use the Vault CLI in a terminal? Or would I achieve that differently?

From the nginx log it lists the upstream as http://10.139.11.98, however the Vault logs are talking about TLS errors. That suggests you have TLS enabled within Vault, so you should be using https://10.139.11.98 for the upstream in nginx.
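The upstream-scheme fix described above, written out as a full nginx site config for the bastion; this is an added example and not a config from the thread or from HashiCorp. It assumes Vault's TLS listener is at 10.139.11.98:8200 (the upstream from the poster's log), that the CA which issued Vault's listener certificate is available at /etc/nginx/vault-ca.pem, and that the certificate was issued for the name vault.service.consul (all three are assumptions).

```nginx
# Added example (not from the thread). Assumed paths: /etc/nginx/vault-ca.pem
# (CA for Vault's listener cert), /etc/nginx/bastion.crt and .key (the
# bastion's own public-facing certificate).

# Broken form from the nginx log: a plaintext proxy_pass to a TLS listener.
# nginx writes "GET /ui HTTP/1.0" in clear text to port 8200, Vault logs
# "first record does not look like a TLS handshake", and nginx logs
# "upstream sent no valid HTTP/1.0 header".
#
#   location / {
#       proxy_pass http://10.139.11.98:8200;
#   }

# Plain-HTTP clients are redirected to HTTPS so tokens never travel in clear.
server {
    listen 80;
    server_name vault_server;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name vault_server;

    ssl_certificate     /etc/nginx/bastion.crt;   # assumed path
    ssl_certificate_key /etc/nginx/bastion.key;   # assumed path

    location / {
        # Corrected form: speak TLS to Vault.
        proxy_pass https://10.139.11.98:8200;

        # Verify Vault's certificate rather than silently trusting the upstream;
        # without these lines nginx accepts any certificate on 8200.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/vault-ca.pem;  # assumed path
        proxy_ssl_verify_depth        2;

        # Send SNI and check the certificate against the expected name.
        proxy_ssl_server_name on;
        proxy_ssl_name        vault.service.consul;  # assumed cert name

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Run `nginx -t` after editing; a CA or name mismatch surfaces there or as a 502 with "upstream SSL certificate verify error" in the error log, which is the intended failure mode rather than a silently unverified hop.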

In my use case this worked for me:

ssh -J centos@ec2-13-123-123-14.ap-southeast-2.compute.amazonaws.com centos@i-78fd5d05ebd074178.node.consul -L 8200:vault.service.consul:8200

The internal host (i-78fd5d05ebd074178.node.consul) is a Vault client, so I'm not connecting directly to a Vault server.

I am using ssh certificates issued for the public AWS hostname and the private Consul DNS name. Consul is also used on the Vault client to resolve vault.service.consul.

Thanks for this thread, I'm really glad I managed to get the Vault UI working through a private connection with SSH certificates thanks to all your comments here!

Since the CLI connects to the same endpoint as the web UI does… just ssh forwarding will do.

If it is not the default of https://127.0.0.1:8200 then set it with:

export VAULT_ADDR=https://vault_endpoint:8200/

Thanks @freibus! I'm finding that I need to get the Vault public cert to my remote client, which is fair enough, but can I make this part easier, I wonder…

Since we can establish the authenticity of a bastion host (ssh certificates), and the bastion can establish the authenticity of the Vault server it is connecting to (the SSL CA public cert it has to connect to Vault), is there a way my remote host can somehow streamline adding the Vault SSL cert to use the CLI with less hassle? Not sure if it's possible, but the less I have to manage outside of a new client the better.

Hi, if you are using nginx as a reverse proxy you need to add an annotation to the config file to redirect http to https.

If you are using Vault inside a Kubernetes cluster you need to add this annotation to your ingress:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

I'm not using Kubernetes, but thanks for sharing.