Vault UI access from a bastion host

Hi all.
As in my other topic from last week, I have 3 Vault servers and 3 Consul servers in AWS… in a private network only reachable through a bastion host (as per Vault best practice).

I am not able to configure an nginx/haproxy on the bastion host to connect to the GUI remotely.

In the nginx log on the bastion host I got:

2020/10/08 10:55:06 [error] 22300#0: *466 upstream sent no valid HTTP/1.0 header while reading response header from upstream, client: xxx.xxx.xxx.xxx, server: vault_server, request: "GET /ui HTTP/1.1", upstream: "http://10.139.11.98:8200/ui", host: "xxx.xxx.xxx.xxx"

On one of the Vault servers I have:

Oct 8 11:57:47 ip-172-31-31-166 vault: 2020-10-08T11:57:47.195Z [INFO ] http: TLS handshake error from 10.139.1.110:42416: tls: first record does not look like a TLS handshake

Not sure if it's possible to access the GUI or not with this conf.

Could it be a TLS issue, or is the nginx conf not doing its job?

Any help would be appreciated.
Thanks
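
The two log lines above fit together: nginx was configured with proxy_pass http://… and sent a plaintext HTTP request to a Vault listener that has TLS enabled, so Vault logged "first record does not look like a TLS handshake" from the bastion's address and nginx could not parse what came back as an HTTP header. The configuration below is an added example, not something posted in this thread or shipped by HashiCorp or nginx; it assumes Vault listens with TLS on 10.139.11.98:8200 (the upstream address from the log), that the bastion terminates TLS with its own certificate, and that the certificate paths and the vault.internal.example name are placeholders you replace with your own.

```nginx
# Added example: reverse-proxy the Vault UI from a bastion host.
# Assumes Vault's tcp listener has TLS enabled on 10.139.11.98:8200.
upstream vault {
    server 10.139.11.98:8200;
    # The other two Vault servers can be listed here as well; a standby node
    # forwards or redirects requests to the active node itself.
}

server {
    listen 443 ssl;
    server_name vault_server;            # same name that appears in the nginx log

    ssl_certificate     /etc/nginx/certs/bastion.crt;   # hypothetical path
    ssl_certificate_key /etc/nginx/certs/bastion.key;   # hypothetical path

    location / {
        # The logged error came from "proxy_pass http://...": nginx spoke
        # plaintext to a TLS listener. Use https:// and verify the upstream.
        proxy_pass https://vault;

        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/certs/vault-ca.pem;  # hypothetical: CA that signed Vault's cert
        proxy_ssl_server_name         on;
        proxy_ssl_name                vault.internal.example;  # assumed: a SAN on Vault's certificate

        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 300s;         # some UI requests are long-lived
    }
}
```

Two checks worth doing before handing the URL to other people: keep proxy_ssl_verify on and confirm proxy_ssl_name matches a SAN on the Vault certificate, otherwise nginx will refuse the upstream connection (or, if you turn verification off, the bastion will happily proxy to anything answering on that address); and remember that Vault only honours X-Forwarded-For if its listener is configured to trust the bastion's address, so audit logs will otherwise show the bastion IP as the client.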

Easier ways using SSH forwarding:

ssh -At user@jumphost -L 8200:vault-internal-ip:8200

or using the ssh -J flag:

ssh -J user@jumphost user@vault-internal-ip -L 8200:127.0.0.1:8200

The second is the correct way to use ssh to jump into a machine, but the first is better since you do not need to ssh into the Vault machine in the first place… (SSH forwarding must be enabled on your bastion…)

Once you have connected, just open your browser and point it to http(s)://127.0.0.1:8200. If it is going to be SSL, I would suggest adding vaulthostname 127.0.0.1 to your hosts file and using the Vault host name in the browser; this will stop warnings about invalid SSL.


Hi there. Thanks for that, and I forgot to mention that I've already done the SSH tunneling and it works perfectly, but what I was looking for is a reverse proxy to give access to other people to try the Vault GUI.
I didn't want to ask people to do the tunneling themselves, and actually most of them don't know how to do it.

Thanks anyway
Appreciate it