├── LICENSE ├── README.md ├── named_locations ├── Dockerfile ├── nginx.conf └── run.sh ├── static └── header.jpg └── upstreams ├── Dockerfile ├── nginx.conf └── run.sh /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ![title](static/header.jpg) 2 | # NGINX As Reverse Proxy For Hashicorp Vault 3 | I created a [Blog Post](https://keyboardinterrupt.org/nginx-as-reverse-proxy-for-hashicorp-vault/) which explains how to set up an NGINX as a reverse proxy / load balancer for Hashicorp Vault. 4 | 5 | All examples can be found in this repository. 
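## NGINX - Named Locations
You can run the `Named Locations` example with the following commands.
```shell
# $: cd named_locations
# $: chmod u+x run.sh
# $: ./run.sh
```

When the container is started you are able to open the NGINX with the following routes:
- [http://localhost/](http://localhost/)

## NGINX - Upstreams
You can run the `Upstreams` example with the following commands.
```shell
# $: cd upstreams
# $: chmod u+x run.sh
# $: ./run.sh
```

When the container is started you are able to open the NGINX with the following routes:
- [http://localhost/](http://localhost/)
- [http://localhost:81/](http://localhost:81/)
- [http://localhost:82/](http://localhost:82/)
--------------------------------------------------------------------------------
/named_locations/Dockerfile:
--------------------------------------------------------------------------------
# The base image is referenced without a tag, so every build may pull a
# different NGINX release. Pin a version tag or image digest when the build
# has to be reproducible.
FROM nginx
LABEL author="Marvyn Zalewski "

# Install the demo configuration as the default server configuration.
COPY nginx.conf /etc/nginx/conf.d/default.conf
EXPOSE 80
--------------------------------------------------------------------------------
/named_locations/nginx.conf:
--------------------------------------------------------------------------------
## Demo configuration: everything here is served over plain HTTP.
## A proxy placed in front of Vault should use TLS on the listener and on the
## proxied connection, because requests carry Vault tokens and secret data.
server {
    ## No "listen" directive is given, so NGINX uses its default port (80 when
    ## started with superuser privileges). The proxy_pass below relies on this
    ## to reach this same server through http://localhost/.
    location / {
        ## This location always ends up with an HTTP 404 from the proxied request (for demo purposes)
        proxy_pass http://localhost/client_error;

        ## proxy_intercept_errors is required so that NGINX handles error responses itself when proxy_pass serves the request
        proxy_intercept_errors on;

        ## Catch HTTP 404 and answer it from the named location handling_client_error.
        ## The "=" form makes the client see the status returned by that handler
        ## (200 here) instead of the original 404, so the upstream error is hidden
        ## from clients and from status-code based monitoring.
        error_page 404 = @handling_client_error;
    }

    location /client_error {
        ## This location always responds with HTTP 404
        return 404;
    }

    location @handling_client_error {
        ## The default Content-Type is application/octet-stream, which would result in a download.
        ## default_type changes the header NGINX generates itself; add_header would
        ## append a second Content-Type header next to the default one.
        default_type text/plain;

        ## This simply returns HTTP 200 with text
        return 200 "Handled Client Error";
    }
}
--------------------------------------------------------------------------------
/named_locations/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Build the demo image and run it in the foreground.
# Stop on the first failure so a failed build never starts a stale image.
set -e

docker build . -t nginx-named-locations:latest

# "-p 80:80" publishes the port on every host interface. For a local-only demo
# "-p 127.0.0.1:80:80" keeps it reachable from this machine only.
docker run -it -p 80:80 nginx-named-locations:latest
--------------------------------------------------------------------------------
/static/header.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hExPY/nginx_proxy_for_vault/d29fe1aa53b6639a6a27f3a71ecc63f4c2f64be2/static/header.jpg
--------------------------------------------------------------------------------
/upstreams/Dockerfile:
--------------------------------------------------------------------------------
# The base image is referenced without a tag, so every build may pull a
# different NGINX release. Pin a version tag or image digest when the build
# has to be reproducible.
FROM nginx
LABEL author="Marvyn Zalewski "

# Install the demo configuration as the default server configuration.
COPY nginx.conf /etc/nginx/conf.d/default.conf
# 80 is the proxy; 81 and 82 are the two demo backends defined in nginx.conf.
EXPOSE 80 81 82
--------------------------------------------------------------------------------
/upstreams/nginx.conf:
--------------------------------------------------------------------------------
## Demo configuration: everything here is served over plain HTTP.
## A proxy placed in front of Vault should use TLS on the listener and on the
## connections to the upstream servers, because requests carry Vault tokens
## and secret data.

## Upstream defines a usable backend which allows sending requests to several servers
upstream backends {
    server localhost:81;
    server localhost:82;
}

server {
    ## This server listens on port 80
    listen 80;
    location / {
        ## All requests to "http://localhost:80/" are sent to the upstream named "backends"
        proxy_pass "http://backends/";

        ## "proxy_next_upstream" takes one or more conditions that tell NGINX when to pass the request to the next upstream server.
        ## Requests with a non-idempotent method (POST, LOCK, PATCH) are not passed on
        ## unless "non_idempotent" is added as well; leaving it out keeps write
        ## requests from being replayed against a second backend.
        proxy_next_upstream http_500;
    }
}

server {
    ## This server listens on port 81
    listen 81;
    location / {
        ## The location "http://localhost:81/" always returns HTTP 500
        return 500;
    }
}

server {
    ## This server listens on port 82
    listen 82;
    location / {
        ## The default Content-Type is application/octet-stream, which would result in a download.
        ## default_type changes the header NGINX generates itself; add_header would
        ## append a second Content-Type header next to the default one.
        default_type text/plain;

        ## This simply returns HTTP 200 with text
        return 200 "Upstream 2 Responded";
    }
}
--------------------------------------------------------------------------------
/upstreams/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Build the demo image and run it in the foreground.
# Stop on the first failure so a failed build never starts a stale image.
set -e

docker build . -t nginx-upstreams:latest

# Ports 81 and 82 are published only so the demo backends can be opened
# directly; in a real deployment only the proxy port would be reachable and the
# backends would stay on an internal network. Each "-p" publishes on every host
# interface; prefix it with "127.0.0.1:" to keep the demo local.
docker run -it -p 80:80 -p 81:81 -p 82:82 nginx-upstreams:latest
--------------------------------------------------------------------------------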