I am trying to use vault behind nginx proxy, using App role auth method within vault. I need to apply secret_id_bound_cidrs as one of the restrictions for the role so only specific hosts can login and access Vault APIs. I have tried everything, and the closest I got was to use proxy protocol options in vault. However, when I send a request to vault from a host, the remote_add in vault is set to the server hosting vault and not the actual client IP, so the validation fails. My nginx.conf is as follows :
location /vault/ { proxy_set_header X-Real-Ip $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; proxy_set_header REMOTE_ADDR $remote_addr; proxy_pass } My vault config is as follows: Please note, I am using consul and vault as docker services which allows me to refer to consul as just the name of the service here. Hence consul:8500
{ "backend": { "consul": { "address": "consul:8500", "path": "vault/" } }, "listener": { "tcp":{ "address": "0.0.0.0:8200", "tls_disable": 1 } }, "proxy_protocol_behavior":"use_always", "ui": true } My role is configured as follows where x.x.x.x is the IP I need to allow access to:
bind_secret_id false local_secret_ids false policies [test-policy] secret_id_bound_cidrs [ x.x.x.x/32] secret_id_num_uses 0 secret_id_ttl 0s token_bound_cidrs [] token_explicit_max_ttl 0s token_max_ttl 30m token_no_default_policy false token_num_uses 0 token_period 0s token_policies [test-policy] token_ttl 20m token_type default Can someone please help with any pointers on what I am missing here?
1 Answer
The proxy_protocol_behaviour field belongs in the listener/tcp block, but you have it out on its own.
Aside from that, I'm not 100% certain that NGINX will use the right PROXY protocol with the way you have set it up - see these sites for more comments: