Integration with Traefik

To integrate the Signchain Self-hosted Vault with Traefik, a popular reverse proxy and load balancer, you can use Traefik to securely route traffic to your Vault instance. This guide covers configuring Traefik to terminate TLS and route requests to the Vault.

Prerequisites

  • A running instance of Traefik configured to handle reverse proxying.
  • Docker container for the Signchain Self-hosted Vault (check out the Docker Setup guide).

Basic Traefik Configuration

Below is an example Traefik configuration for routing traffic to the Signchain Self-hosted Vault. Adjust the values as needed to match your environment.

1. Traefik Labels for Vault Container

Add the following labels to your Vault container configuration to integrate with Traefik:

version: '3.8'

services:
  signchain-vault:
    image: ghcr.io/grexie/signchain-vault:latest
    container_name: signchain-vault
    environment:
      - VAULT_STORAGE_BACKEND=mongo
      - PORT=80
      # Plain HTTP is used only between Traefik and the Vault on the Docker network;
      # Traefik terminates TLS in front of it.
      - VAULT_INSECURE_HTTP=true
      - VAULT_MONGO_URL=mongodb://username:password@mongo:27017/signchain-vault
      - VAULT_KEY=vault-key-1,vault-key-2,vault-key-3
      - VAULT_AUTH_SECRET_KEY=your_secure_key
    # No "ports:" entry: the Vault is reachable only through Traefik, so both
    # containers must share a Docker network.
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.vault-router.rule=Host(`vault.example.com`)"
      - "traefik.http.routers.vault-router.entrypoints=websecure"
      - "traefik.http.routers.vault-router.tls=true"
      - "traefik.http.services.vault-service.loadbalancer.server.port=80"

Explanation of Labels

  • traefik.enable: Enables Traefik for this container.
  • traefik.http.routers.vault-router.rule: Defines the routing rule. Replace vault.example.com with your desired domain.
  • traefik.http.routers.vault-router.entrypoints: Specifies the entry point Traefik should use (websecure or https for HTTPS, depending on your Traefik configuration).
  • traefik.http.routers.vault-router.tls: Enables TLS.
  • traefik.http.services.vault-service.loadbalancer.server.port: Defines the internal container port Traefik forwards to (80 when VAULT_INSECURE_HTTP is enabled, matching the PORT variable). Traffic between Traefik and the container is plain HTTP, so the Vault port should never be published on the host.
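As an added pre-deployment check (example code, not part of the Signchain or Traefik projects), the following Python function compares a service's Traefik labels with its Vault environment and flags inconsistencies and leftover template values; the router and service names are the ones used in the labels above, and the sample input is constructed from that compose file.

```python
import re

# Constructed sample input: the environment and labels from the compose file above.
SAMPLE_ENV = [
    "VAULT_STORAGE_BACKEND=mongo",
    "PORT=80",
    "VAULT_INSECURE_HTTP=true",
    "VAULT_MONGO_URL=mongodb://username:password@mongo:27017/signchain-vault",
    "VAULT_KEY=vault-key-1,vault-key-2,vault-key-3",
    "VAULT_AUTH_SECRET_KEY=your_secure_key",
]
SAMPLE_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.vault-router.rule=Host(`vault.example.com`)",
    "traefik.http.routers.vault-router.entrypoints=websecure",
    "traefik.http.routers.vault-router.tls=true",
    "traefik.http.services.vault-service.loadbalancer.server.port=80",
]
PLACEHOLDERS = ("your_secure_key", "username:password")  # values left from the template

def _kv(items):
    """Turn ['KEY=value', ...] into a dict (values may themselves contain '=')."""
    return dict(item.split("=", 1) for item in items)

def check_vault_traefik(env, labels, router="vault-router", service="vault-service"):
    """Return a list of findings; an empty list means labels and environment agree."""
    e, l = _kv(env), _kv(labels)
    r = f"traefik.http.routers.{router}."
    s = f"traefik.http.services.{service}.loadbalancer.server."
    findings = []
    if l.get("traefik.enable") != "true":
        findings.append("traefik.enable must be true")
    host = re.search(r"Host\(`([^`]+)`\)", l.get(r + "rule", ""))
    if not host:
        findings.append("router rule must be Host(`<domain>`)")
    elif host.group(1).endswith("example.com"):
        findings.append("router rule still uses the example.com placeholder domain")
    if l.get(r + "entrypoints") not in ("websecure", "https"):
        findings.append("router must use the TLS entry point (websecure or https)")
    if l.get(r + "tls") != "true":
        findings.append("router TLS is not enabled")
    if l.get(s + "port") != e.get("PORT"):  # Traefik must forward to the Vault's listen port
        findings.append("service port does not match the Vault PORT variable")
    if e.get("VAULT_INSECURE_HTTP") != "true" and l.get(s + "scheme", "http") != "https":
        findings.append("VAULT_INSECURE_HTTP is off but Traefik would connect over plain HTTP")
    if e.get("VAULT_AUTH_SECRET_KEY") in PLACEHOLDERS:
        findings.append("VAULT_AUTH_SECRET_KEY is still the placeholder value")
    if any(p in e.get("VAULT_MONGO_URL", "") for p in PLACEHOLDERS):
        findings.append("VAULT_MONGO_URL still contains placeholder credentials")
    return findings
```

Run against the compose file as shown on this page, the check reports the placeholder domain, secret key and database credentials; once those are replaced it returns an empty list.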

2. Using Let's Encrypt with Traefik

To automatically manage TLS certificates, ensure Traefik is set up to use Let's Encrypt. Here’s a basic example of the static configuration:

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letsencrypt  # default resolver for every router on this entry point

certificatesResolvers:
  letsencrypt:
    acme:
      email: "[email protected]"  # Replace with your email
      storage: "acme.json"  # stores the ACME account key and certificate private keys
      httpChallenge:
        entryPoint: web  # port 80 must be reachable from the internet for the challenge

In this configuration, Traefik automatically requests certificates from Let's Encrypt for any routes using the websecure entry point and stores them in acme.json. Because that file holds private keys, keep it readable only by the Traefik process.

Security Considerations

  • Restrict access to sensitive endpoints: Ensure that only authorized users and services can access the Signchain Vault by controlling network access, for example by keeping the Vault on an internal Docker network that only Traefik can reach and never publishing its plain-HTTP port on the host.
  • Environment Variables: Make sure that sensitive environment variables, such as VAULT_AUTH_SECRET_KEY, are stored securely and accessed only by the container.

Next Steps

Your Traefik setup is now configured to proxy requests to the Signchain Vault securely. Test the setup by visiting your configured domain (e.g., https://vault.example.com) and ensure it routes correctly to your Vault instance. You can verify communication between the Signchain APIs and your Signchain Vault by checking the online/offline status on the Signchain Dashboard when viewing the list of configured Vaults. For additional configuration tips, refer to the Security Best Practices section.