Proxy

Learn about using Proxy for authentication, caching, and secure communication to streamline vHSM adoption.

vHSM Proxy simplifies application integration with vHSM by acting as an API proxy. It offers authentication, caching, and secure communication to streamline vHSM adoption.

vHSM Proxy provides the following key features:

Auto-Auth: Automatically authenticates to vHSM and manages token renewal.
API Proxy: Acts as a proxy for vHSM's API, optionally enforcing Auto-Auth token usage.
Caching: Enables client-side caching of tokens and leased secrets, managing renewals automatically.

Features

Auto-Auth

vHSM Proxy supports automatic authentication in diverse environments. Auto-Auth functionality is configured using an auto_auth stanza. See Auto-Auth documentation for details.

API Proxy

vHSM Proxy serves as an API gateway to Vault, allowing communication via a listener. It can be configured to enforce Auto-Auth token usage. Configure API Proxy behavior using the api_proxy stanza. See API Proxy documentation for more details.

Caching

vHSM Proxy enables client-side caching of authentication tokens and leased secrets. Configuration is managed via the cache stanza. See Caching documentation for details.

API Endpoints

Quit API

Triggers shutdown of the proxy. Disabled by default; enable it using the proxy_api stanza.

Method: POST
Path: /proxy/v1/quit
Security Consideration: Should only be enabled on trusted interfaces as it lacks authentication.

Cache API

For cache API details, refer to the Caching documentation.

Running vHSM Proxy

Install the vHSM binary on the application server (VM, Kubernetes pod, etc.).
Create a vHSM Proxy configuration file (proxy-config.hcl).
Start vHSM Proxy with the configuration file:
```
vhsm proxy -config=/etc/vhsm/proxy-config.hcl
```
To display help options:
```
vault proxy -h
```

Configuration File Usage

Provide a single configuration file.
Specify multiple configuration files (merged at runtime).
Define a directory of configuration files (merged at runtime).

Example configuration

pid_file = "./pidfile"

vault {
  address = "https://vault.example.com:8200"
  retry {
    num_retries = 5
  }
}

auto_auth {
  method "aws" {
    mount_path = "auth/aws-subaccount"
    config = {
      type = "iam"
      role = "foobar"
    }
  }
  sink "file" {
    config = {
      path = "/tmp/token-file"
    }
  }
}

cache {}

api_proxy {
  use_auto_auth_token = true
}

listener "unix" {
  address = "/path/to/socket"
  tls_disable = true
  agent_api {
    enable_quit = true
  }
}

listener "tcp" {
  address = "127.0.0.1:8100"
  tls_disable = true
}

PreviousParameters NextProxy Configuration

Last updated 6 days ago

Was this helpful?

pid_file = "./pidfile" vault { address = "https://vault.example.com:8200" retry { num_retries = 5 } } auto_auth { method "aws" { mount_path = "auth/aws-subaccount" config = { type = "iam" role = "foobar" } } sink "file" { config = { path = "/tmp/token-file" } } } cache {} api_proxy { use_auto_auth_token = true } listener "unix" { address = "/path/to/socket" tls_disable = true agent_api { enable_quit = true } } listener "tcp" { address = "127.0.0.1:8100" tls_disable = true }