Integration with Traefik
To integrate the Signchain Self-hosted Vault with Traefik, a popular reverse proxy and load balancer, you can use Traefik to securely route traffic to your Vault instance. This guide covers configuring Traefik to handle SSL termination and route requests to the vault.
Prerequisites
- A running instance of Traefik configured to handle reverse proxying.
- Docker container for the Signchain Self-hosted Vault (check out the Docker Setup guide).
Basic Traefik Configuration
Below is an example Traefik configuration for routing traffic to the Signchain Self-hosted Vault. Adjust the values as needed to match your environment.
1. Traefik Labels for Vault Container
Add the following labels to your Vault container configuration to integrate with Traefik:
version: '3.8'
services:
  signchain-vault:
    image: ghcr.io/grexie/signchain-vault:latest
    container_name: signchain-vault
    environment:
      - VAULT_STORAGE_BACKEND=mongo
      - PORT=80
      - VAULT_INSECURE_HTTP=true
      - VAULT_MONGO_URL=mongodb://username:password@mongo:27017/signchain-vault
      - VAULT_KEY=vault-key-1,vault-key-2,vault-key-3
      - VAULT_AUTH_SECRET_KEY=your_secure_key
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.vault-router.rule=Host(`vault.example.com`)"
      - "traefik.http.routers.vault-router.entrypoints=websecure"
      - "traefik.http.routers.vault-router.tls=true"
      - "traefik.http.services.vault-service.loadbalancer.server.port=80"
Explanation of Labels
- traefik.enable: Enables Traefik for this container.
- traefik.http.routers.vault-router.rule: Defines the routing rule. Replace vault.example.com with your desired domain.
- traefik.http.routers.vault-router.entrypoints: Specifies the entry point Traefik should use (websecure or https for HTTPS, depending on your Traefik configuration).
- traefik.http.routers.vault-router.tls: Enables TLS.
- traefik.http.services.vault-service.loadbalancer.server.port: Defines the internal container port (80 if VAULT_INSECURE_HTTP is enabled).
2. Using Let's Encrypt with Traefik
To automatically manage SSL certificates, ensure Traefik is set up to use Let's Encrypt. Here’s a basic example:
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
certificatesResolvers:
  letsencrypt:
    acme:
      email: "you@example.com" # Replace with your email
      storage: "acme.json"
      httpChallenge:
        entryPoint: web
In this configuration, Traefik automatically requests certificates from Let's Encrypt for any routes using the websecure entry point.
Security Considerations
- Restrict access to sensitive endpoints: Ensure that only authorized users and services can access the Signchain Vault by controlling network permissions.
- Environment variables: Make sure that sensitive environment variables, such as VAULT_AUTH_SECRET_KEY, are stored securely and accessed only by the container.
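The label set above and the two security considerations can be checked before deployment. The following script is an added example, not part of the Signchain or Traefik projects: it lints one compose service (loaded into a dict, e.g. with yaml.safe_load) for a router without TLS or attached to the plain-HTTP entry point, a router with no tls.certresolver label (Traefik only issues a Let's Encrypt certificate for a router that names a resolver, or when the entry point sets a default one), VAULT_INSECURE_HTTP combined with host-published ports, and a VAULT_AUTH_SECRET_KEY left at a placeholder. The sample service dict and the placeholder list are constructed for the example.

```python
import re

# Constructed sample: the compose service from this page as yaml.safe_load
# returns it (environment/labels in "KEY=value" list form, some keys omitted).
VAULT_SERVICE = {
    "image": "ghcr.io/grexie/signchain-vault:latest",
    "environment": ["PORT=80", "VAULT_INSECURE_HTTP=true",
                    "VAULT_AUTH_SECRET_KEY=your_secure_key"],
    "labels": [
        "traefik.enable=true",
        "traefik.http.routers.vault-router.rule=Host(`vault.example.com`)",
        "traefik.http.routers.vault-router.entrypoints=websecure",
        "traefik.http.routers.vault-router.tls=true",
        "traefik.http.services.vault-service.loadbalancer.server.port=80",
    ],
}
PLACEHOLDER_SECRETS = {"", "your_secure_key", "changeme"}  # constructed list

def _kv(items):
    """Normalise compose environment/labels (k=v list or mapping) to a dict."""
    if isinstance(items, dict):
        return {k: str(v) for k, v in items.items()}
    return dict((item.split("=", 1) + [""])[:2] for item in items or [])

def lint_vault_service(service):
    """Return a list of findings for one compose service; empty means it passes."""
    env, labels = _kv(service.get("environment")), _kv(service.get("labels"))
    findings = []
    if labels.get("traefik.enable") != "true":
        findings.append("traefik.enable is not 'true': Traefik ignores this container")
    routers = {m.group(1) for k in labels
               if (m := re.match(r"traefik\.http\.routers\.([^.]+)\.", k))}
    for name in sorted(routers):
        p = f"traefik.http.routers.{name}."
        entrypoints = [e.strip() for e in labels.get(p + "entrypoints", "").split(",")]
        if labels.get(p + "tls") != "true":
            findings.append(f"router {name}: TLS is not enabled")
        if "web" in entrypoints:
            findings.append(f"router {name}: attached to the plain-HTTP entry point 'web'")
        if p + "tls.certresolver" not in labels:
            findings.append(f"router {name}: no tls.certresolver label, so Let's Encrypt "
                            "issues nothing unless the entry point sets a default resolver")
    # Plain HTTP inside the Docker network is fine only while Traefik is the sole
    # way in, i.e. the vault's port is not also published on the host.
    if env.get("VAULT_INSECURE_HTTP") == "true" and service.get("ports"):
        findings.append("VAULT_INSECURE_HTTP=true with published ports: reachable without TLS")
    if env.get("VAULT_AUTH_SECRET_KEY", "") in PLACEHOLDER_SECRETS:
        findings.append("VAULT_AUTH_SECRET_KEY is unset or still a placeholder")
    return findings
```

Run it against each service in your compose file; the page's own example yields two findings (missing certresolver, placeholder secret), and adding the resolver label plus a real secret brings it to zero.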
Next Steps
Your Traefik setup is now configured to proxy requests to the Signchain Vault securely. Test the setup by visiting your configured domain (e.g., https://vault.example.com) and ensure it routes correctly to your Vault instance. You can check communication between Signchain APIs and your Signchain Vault by checking for the online/offline status on the Signchain Dashboard when viewing the list of configured Vaults. For additional configuration tips, refer to the Security Best Practices section.