Why I Don’t Want Just One Big Nginx

I could put a single Nginx on the VPS and let it handle everything. But I want clearer layers:

  • a public-facing entry proxy,
  • internal environment-specific proxies,
  • and a clear separation between external exposure and internal routing.

The Proxy Roles

The model I have in mind:

Internet
 │
 ▼
[ mainproxy ]  (user: proxyprod)
 │
 ├─► [ proxytest ]  (user: proxytest)
 │       └─► test apps + Vault test
 │
 └─► [ proxyprod ]  (user: proxyprod)
         └─► prod apps + Vault prod

  • mainproxy:
      • terminates TLS from the internet,
      • handles SNI for domains,
      • forwards to internal proxies on private ports.
  • proxytest / proxyprod:
      • handle environment-specific routing,
      • can enforce mTLS to Vault,
      • can apply per-environment headers, CSP, etc.
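As an added illustration of the mainproxy role (this is example configuration written for this post, not the author's actual config), the sketch below terminates TLS per domain, routes on SNI/Host, and forwards only to loopback ports where the internal proxies listen. The domain names, certificate paths and the ports 8081/8082 are assumptions; the default_server block that rejects unknown SNI is one way to make sure a request for a hostname you did not configure never reaches an internal proxy.

```nginx
# Added example: mainproxy layer (assumed names and paths, not the post's config).
# Internal proxies are assumed to listen on loopback only:
#   proxytest -> 127.0.0.1:8081, proxyprod -> 127.0.0.1:8082

# Catch-all: any SNI that matches no server_name below gets a TLS alert
# instead of being served by whichever block nginx picks first.
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;              # needs nginx >= 1.19.4
}

server {
    listen 443 ssl;
    server_name test.example.test;        # assumed test hostname

    ssl_certificate     /etc/nginx/tls/test.example.test.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/test.example.test.key;   # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8081;            # proxytest, private port
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

server {
    listen 443 ssl;
    server_name app.example.test;         # assumed prod hostname

    ssl_certificate     /etc/nginx/tls/app.example.test.crt;    # placeholder
    ssl_certificate_key /etc/nginx/tls/app.example.test.key;    # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8082;            # proxyprod, private port
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Because mainproxy talks plain HTTP to the internal proxies, those must bind to 127.0.0.1 (not 0.0.0.0) and the mainproxy user is the only process that needs to reach those ports; `nginx -t` on each layer and a curl with an unregistered Host header against 443 are the two quick checks that the routing and the reject-handshake block behave as intended.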

Where Vault Fits

  • Vault test/prod run behind the internal proxies.
  • Proxies talk to Vault with client certificates issued by pki-test/pki-prod.
  • External clients never see Vault directly.
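To show what "proxies talk to Vault with client certificates" looks like in nginx, here is an added example of the proxytest layer (not the post's own configuration). It assumes Vault test listens on 127.0.0.1:8200 over TLS with a server certificate issued by pki-test for the name vault-test.internal, that pki-test also issued the proxy's client certificate, and that the test app sits on 127.0.0.1:9001; every path and port here is a placeholder.

```nginx
# Added example: proxytest layer with mTLS to Vault test.
# All hostnames, ports and certificate paths are assumptions.

server {
    listen 127.0.0.1:8081;                # loopback only: reachable from mainproxy, not the internet
    server_name test.example.test;

    # Per-environment headers applied on every response, including errors.
    add_header Content-Security-Policy "default-src 'self'" always;
    add_header X-Environment "test" always;

    location / {
        proxy_pass http://127.0.0.1:9001; # test app (assumed)
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Vault is only ever reached through this path; the proxy authenticates
    # itself with a pki-test client certificate and verifies Vault's server cert.
    location /vault/ {
        proxy_pass https://127.0.0.1:8200/;

        proxy_ssl_certificate         /etc/nginx/mtls/proxytest-client.crt;  # issued by pki-test
        proxy_ssl_certificate_key     /etc/nginx/mtls/proxytest-client.key;
        proxy_ssl_trusted_certificate /etc/nginx/mtls/pki-test-ca.crt;       # pki-test CA chain
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;

        # proxy_pass points at an IP, so tell nginx which name to expect in
        # Vault's certificate and to send it as SNI.
        proxy_ssl_name                vault-test.internal;
        proxy_ssl_server_name         on;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
        proxy_ssl_session_reuse       on;

        proxy_set_header Host            vault-test.internal;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The proxyprod layer is the same shape with pki-prod material and its own ports, which is exactly why the two environments cannot accidentally share a Vault: a proxytest client certificate is simply not trusted by Vault prod. The private key file should be readable only by the proxytest user so the Unix user separation the post relies on also bounds who can present that identity to Vault.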

This chain also maps nicely to the Unix user layout and makes it easier to reason about logs and failures.