Docker Compose Setup

In this section, I'll show you how to set up HashiCorp Vault using Docker Compose.

  • Run Vault in server mode.
  • Use file storage for easy cleanup.
  • Expose the Vault UI on http://localhost:8200 and use NGINX Proxy Manager to encrypt the connection.
  • Store data in /vault/data on the host machine.

IMPORTANT

Make sure to place the vault.hcl config file in the same directory as the compose file; that directory is mounted into the container as /vault/config.

```yaml
services:
  vault:
    image: hashicorp/vault:1.19
    container_name: vault
    restart: always
    volumes:
      - .:/vault/config        # directory holding vault.hcl (and this compose file)
      - /vault/data:/vault/data  # host directory created in the Usage step below
    ports:
      - "8200:8200"
    environment:
      VAULT_ADDR: "http://127.0.0.1:8200"  # lets the vault CLI inside the container find the server
    entrypoint: ["vault", "server", "-config=/vault/config/vault.hcl"]
    cap_add:
      - IPC_LOCK  # lets Vault mlock() its memory so secrets are never swapped to disk
```
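The compose file above mounts a vault.hcl that the page does not show. The following is an added example of that file, not the page's own, written to match the choices listed at the top of the section: file storage under /vault/data, a plain HTTP listener on port 8200 (TLS is terminated by NGINX Proxy Manager in front of Vault), and the web UI enabled. The `api_addr` hostname `vault` is an assumption taken from the container name.

```hcl
# vault.hcl - place it next to the compose file so it is mounted at /vault/config/vault.hcl
# Added example matching the compose setup above; not the page's own configuration.

ui = true

# File storage: everything Vault persists lives under /vault/data inside the
# container, which the compose file maps to /vault/data on the host.
storage "file" {
  path = "/vault/data"
}

# Plain HTTP listener. TLS is handled by NGINX Proxy Manager in front of Vault;
# to run TLS inside Vault as well, replace tls_disable with the
# tls_cert_file / tls_key_file settings from the "Adjust Vault Settings for HTTPS" step.
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = true
}

# Address clients on the Docker network use to reach this server (assumed: the container name).
api_addr = "http://vault:8200"
```

With `tls_disable = true`, traffic between NGINX Proxy Manager and Vault crosses the Docker bridge network in the clear, which is why attaching Vault only to the networks that need it (see the `docker network connect` step) matters.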

Usage

Create the data directory and start the compose stack:

```bash
sudo mkdir -p /vault/data
sudo docker compose up -d
```

You can now connect to the Vault UI at http://localhost:8200.

Encrypt with TLS/SSL

I'll be using NGINX Proxy Manager to encrypt the connection with a self-signed certificate. Refer to the NGINX Proxy Manager guide to set it up.

Since our vault container is running on vault_default, and our npm (Nginx Proxy Manager) container is running on npm_default, we need to connect them.

Run this command:

```bash
docker network connect npm_default vault
```

This will attach the Vault container to the NPM network so NPM can communicate with it.

1. Create a New Proxy Host in Nginx Proxy Manager

  1. Log in to Nginx Proxy Manager.
  2. Go to Proxy Hosts and click Add Proxy Host.
  3. Fill in the details:
    • Domain Name: Use your domain/subdomain (e.g., vault.yourdomain.com).
    • Forward Hostname / IP: Set this to the Vault container's name ($CONTAINER_NAME, which is vault in our case); it resolves on the shared Docker network now that the container is attached to npm_default.
    • Forward Port: 8200.
    • Scheme: Select http (if Vault is running with HTTP) or https (if Vault is already using self-signed SSL).

2. Enable SSL with Let's Encrypt

  1. Go to the SSL tab.
  2. Select Request a new SSL Certificate.
  3. Enable:
    • Force SSL (redirects all HTTP traffic to HTTPS).
    • HTTP/2 Support (optional but recommended).
    • HSTS (HTTP Strict Transport Security) (optional for better security).
  4. Click Save.

This will automatically request and apply a Let’s Encrypt SSL certificate.

3. (Optional) Adjust Vault Settings for HTTPS

If your Vault instance is running without HTTPS, it's fine to use NPM as the SSL termination point.

However, if you want Vault to run on HTTPS internally as well:

  1. Generate SSL Certificates for Vault using Let's Encrypt or a self-signed cert.

  2. Modify the Vault configuration (vault.hcl in this setup, or the equivalent environment variables) to use TLS:

```hcl
# TLS served directly by Vault's listener; the file paths are placeholders for your own certificate and key.
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/path/to/fullchain.pem"
  tls_key_file  = "/path/to/privkey.pem"
}
```

  3. Restart Vault with the updated config.

4. Test Your Setup

  • Open your browser and go to https://vault.yourdomain.com.
  • Verify that the SSL certificate is valid.
  • If Vault was originally HTTP-only, it should now be accessible securely via HTTPS.

Troubleshoot Connection from NPM to Vault

To test if NPM can reach Vault, run:

```bash
docker exec -it npm-app-1 sh
```

Inside the NPM container, try:

```sh
curl -v http://vault:8200/v1/sys/health
```

If you get a 200 response, NPM can reach Vault and the server is initialized, unsealed and active. Any other HTTP status from this endpoint (for example 503 while Vault is sealed, or 501 before it has been initialized) also shows that the request reached Vault; only a connection error ("Could not resolve host", "Connection refused") points at the network attachment itself.
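As an added example (not part of the original page), the probe below does the same check as the `curl` command above but interprets every status code that `/v1/sys/health` can return, so a sealed or uninitialized Vault is reported as "reachable" rather than mistaken for a network problem. The function names, the `VAULT_URL` variable and the `RUN_PROBE` switch are assumptions; run it inside the NPM container, where the hostname `vault` resolves on npm_default.

```shell
#!/bin/sh
# Added example, not the page's own code. Probes Vault's health endpoint from the
# NPM container and explains the status code instead of treating only 200 as success.

VAULT_URL="${VAULT_URL:-http://vault:8200}"   # assumed: the container name on npm_default

# Translate an HTTP status from /v1/sys/health into the server state it documents.
# Any real HTTP status proves the request reached Vault; 000 is curl's "no response".
vault_health_meaning() {
  case "$1" in
    200) echo "reachable: initialized, unsealed, active" ;;
    429) echo "reachable: unsealed standby node" ;;
    472) echo "reachable: disaster-recovery secondary" ;;
    473) echo "reachable: performance standby" ;;
    501) echo "reachable: not initialized yet" ;;
    503) echo "reachable: sealed" ;;
    000|"") echo "unreachable: no HTTP response (DNS, network attachment or port problem)" ;;
    *)   echo "reachable: unexpected status $1" ;;
  esac
}

# Exit status 0 when the code shows NPM reached Vault at all, 1 when it did not.
vault_reachable() {
  case "$1" in
    000|"") return 1 ;;
    *)      return 0 ;;
  esac
}

# Perform the probe: curl prints only the status code, 000 on connection failure.
probe_vault() {
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$VAULT_URL/v1/sys/health")
  echo "$code $(vault_health_meaning "$code")"
  vault_reachable "$code"
}

# The network call runs only when asked for, so the helpers can be sourced offline.
if [ "${RUN_PROBE:-0}" = "1" ]; then
  probe_vault
fi
```

Usage inside the container: `RUN_PROBE=1 sh probe.sh`. A non-zero exit means the proxy never got an HTTP answer, which is the case to debug with `docker network connect`; any other line tells you which Vault state to address next.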