Why I Don’t Want Just One Big Nginx

I could put a single Nginx on the VPS and let it handle everything. But I want clearer layers:

  • a public-facing entry proxy,
  • internal environment-specific proxies,
  • and a clear separation between external exposure and internal routing.

The Proxy Roles

The model I have in mind:

Internet
 │
 ▼
[ public gateway ]  (user: edge-gateway)
 │
 ├─► [ test proxy ]  (user: proxy-test)
 │       └─► test apps + Vault test
 │
 └─► [ prod proxy ]  (user: proxy-prod)
         └─► prod apps + Vault prod

  • public gateway:
      • terminates TLS from the internet,
      • handles SNI for domains,
      • forwards to internal proxies on private ports.
  • environment proxies:
      • handle environment-specific routing,
      • can enforce mTLS to Vault,
      • can apply per-environment headers, CSP, etc.
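What the public gateway role looks like as a standalone Nginx instance, as an added example rather than configuration from the post: it terminates TLS, selects a certificate by SNI (one `server` block per domain), and hands requests to the environment proxies on private loopback ports. The domain names, certificate paths, the ports 8081/8082 and the `user` line are assumptions; only the role split comes from the text.

```nginx
# Added example, not the post's own config: nginx.conf for the public
# gateway instance. Assumed: domain names, certificate paths, and the
# loopback ports 8081 (test proxy) and 8082 (prod proxy).
user  edge-gateway;
worker_processes  auto;

events {
    worker_connections  1024;
}

http {
    # Plain HTTP exists only to redirect to TLS.
    server {
        listen 80 default_server;
        return 301 https://$host$request_uri;
    }

    # Default TLS server: an SNI name this gateway does not host gets no
    # certificate and no handshake, so probing 443 reveals no hosted names.
    server {
        listen 443 ssl default_server;
        ssl_reject_handshake on;
    }

    server {
        listen 443 ssl;
        server_name test.example.com;             # assumed test domain
        ssl_certificate     /etc/nginx/tls/test.example.com/fullchain.pem;
        ssl_certificate_key /etc/nginx/tls/test.example.com/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;

        location / {
            proxy_pass http://127.0.0.1:8081;     # test proxy, loopback only
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }

    server {
        listen 443 ssl;
        server_name app.example.com;              # assumed prod domain
        ssl_certificate     /etc/nginx/tls/app.example.com/fullchain.pem;
        ssl_certificate_key /etc/nginx/tls/app.example.com/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;

        location / {
            proxy_pass http://127.0.0.1:8082;     # prod proxy, loopback only
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

Two points worth checking on a real deployment: the gateway-to-proxy hop is plaintext here, which is only acceptable because both ends bind to 127.0.0.1 on the same VPS; and the `user` directive only takes effect when the master process starts as root, otherwise leave it out and set the account in the service unit. `ssl_reject_handshake` needs Nginx 1.19.4 or newer.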

Where Vault Fits

  • Vault test/prod run behind the internal proxies.
  • Proxies talk to Vault with client certificates issued by the environment-specific PKI mounts.
  • External clients never see Vault directly.
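The matching test environment proxy, as an added example (not the post's configuration): it listens only on the loopback port the gateway forwards to, sets the per-environment headers, and reaches Vault over mTLS with a client certificate from the test PKI mount, verifying Vault's server certificate against the test CA alone. The app port 9001, the Vault port 8200, the `/vault/` route, the internal hostname and the file names are assumptions; the prod proxy would be the same file with the prod user, ports and PKI material.

```nginx
# Added example, not the post's own config: nginx.conf for the test
# environment proxy. Assumed: loopback port 8081 (where the gateway
# forwards), the test app on 127.0.0.1:9001, Vault test on 127.0.0.1:8200
# reached under /vault/, and the client certificate issued by the test
# PKI mount stored under /etc/nginx/mtls/.
user  proxy-test;
worker_processes  1;

events {
    worker_connections  512;
}

http {
    upstream vault_test {
        server 127.0.0.1:8200;
    }

    server {
        # Bound to loopback: only the gateway on this host can reach it.
        listen 127.0.0.1:8081;
        server_name test.example.com;

        # Per-environment headers: a test-specific CSP plus a marker so any
        # response can be traced back to the environment that served it.
        add_header Content-Security-Policy "default-src 'self'" always;
        add_header X-Environment "test" always;

        location /vault/ {
            proxy_pass https://vault_test/;

            # Client certificate from the test PKI mount (mTLS to Vault).
            proxy_ssl_certificate         /etc/nginx/mtls/proxy-test.crt;
            proxy_ssl_certificate_key     /etc/nginx/mtls/proxy-test.key;

            # Trust only the test CA, so a Vault from another environment
            # answering on this port fails verification instead of being used.
            proxy_ssl_trusted_certificate /etc/nginx/mtls/vault-test-ca.pem;
            proxy_ssl_verify              on;
            proxy_ssl_verify_depth        2;
            proxy_ssl_server_name         on;
            proxy_ssl_name                vault.test.internal;
            proxy_ssl_protocols           TLSv1.2 TLSv1.3;
            proxy_ssl_session_reuse       on;

            proxy_set_header Host            vault.test.internal;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location / {
            proxy_pass http://127.0.0.1:9001;     # test app
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

The key file must be readable by `proxy-test` and nothing else; because the prod instance runs as a different Unix user, a compromise of the test proxy cannot read the prod client certificate, which is what makes the per-environment PKI mounts meaningful. `proxy_ssl_verify on` together with `proxy_ssl_name` is what turns the Vault hop into real mutual authentication rather than a client certificate sent to whoever answers.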

This chain also maps nicely to the Unix user layout and makes it easier to reason about logs and failures.