Hello,
I am using Vault behind an nginx reverse proxy. The Vault version is 1.4.2.
My nginx.conf is as follows:
    location /vault/ {
        proxy_set_header X-Real-Ip $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header REMOTE_ADDR $remote_addr;
        proxy_pass http://vault:8200/;
        # proxy_set_header X-Forwarded-For $remote_addr;
    }
I am trying to use AppRole for authentication with the secret_id_bound_cidrs constraint. But when I send a login request to Vault with the relevant role ID, I cannot authenticate even after allowing my client IP in the CIDRs. I am also setting the following in the Vault config, so that my client IP is always considered:
    "proxy_protocol_behavior": "use_always"
But when I look at the audit logs, remote_addr shows the address of the Docker container where Vault is installed. So remote_addr in Vault is not taking into account the real IP of my client, which is calling Vault behind nginx.
Please help.
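
A Vault listener fragment for the setup described in this post, as an added example that is not part of the original post. An nginx `proxy_pass` upstream carries the client address only in the `X-Forwarded-For` header, whereas `proxy_protocol_behavior` applies to the PROXY protocol. The CIDR `172.18.0.0/16` is an assumed placeholder for the Docker network nginx connects from, and `address` and `tls_disable` are assumed from the `http://vault:8200/` upstream in the post.

```hcl
# Added example (HCL form of the Vault server config); not from the original post.
listener "tcp" {
  address     = "0.0.0.0:8200"   # assumed from proxy_pass http://vault:8200/
  tls_disable = 1                # assumed: the post proxies over plain http

  # The post's setting. It tells Vault to expect a PROXY protocol header at
  # the start of every TCP connection. An nginx http "proxy_pass" upstream
  # does not send one, so it is left out here:
  # proxy_protocol_behavior = "use_always"

  # Trust X-Forwarded-For only when the direct TCP peer is the reverse proxy.
  # 172.18.0.0/16 is a placeholder: narrow it to the nginx container's address.
  x_forwarded_for_authorized_addrs = "172.18.0.0/16"

  # 0 = take the last address in the header. With
  # "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for" that is the
  # address nginx itself appended ($remote_addr), not a value the client sent.
  x_forwarded_for_hop_skips = "0"

  # Reject requests that carry the header but arrive from an address outside
  # the authorized list, instead of falling back to the connection address.
  x_forwarded_for_reject_not_authorized = "true"

  # Reject requests from the proxy that arrive without the header.
  x_forwarded_for_reject_not_present = "true"
}
```

With `x_forwarded_for_authorized_addrs` set, the `remote_addr` recorded in the audit log is the address taken from the header, and that is the value to compare against `secret_id_bound_cidrs`.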