Designing My Reverse Proxy Chain
Why I Don't Want Just One Big Nginx
I could put a single Nginx on the VPS and let it handle everything. But I want clearer layers:
- a public-facing entry proxy,
- internal environment-specific proxies,
- and a clear separation between external exposure and internal routing.
The Proxy Roles
The model I have in mind:
Internet
   │
   ▼
[ public gateway ] (user: edge-gateway)
   │
   ├──► [ test proxy ] (user: proxy-test)
   │       └──► test apps + Vault test
   │
   └──► [ prod proxy ] (user: proxy-prod)
           └──► prod apps + Vault prod
- public gateway:
  - terminates TLS from the internet,
  - handles SNI for domains,
  - forwards to internal proxies on private ports.
- environment proxies:
  - handle environment-specific routing,
  - can enforce mTLS to Vault,
  - can apply per-environment headers, CSP, etc.
Where Vault Fits
- Vault test/prod run behind the internal proxies.
- Proxies talk to Vault with client certificates issued by the environment-specific PKI mounts.
- External clients never see Vault directly.
This chain also maps nicely to the Unix user layout and makes it easier to reason about logs and failures.
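As an added example (not the author's actual configuration), one way to express the two layers above in Nginx: the gateway's server blocks terminate TLS with the certificate selected by SNI and forward to the environment proxies on loopback ports, and the prod proxy's block adds the environment CSP and presents a PKI-issued client certificate to Vault. The two parts belong to two separate Nginx instances; hostnames, ports and file paths are assumptions.

```nginx
# Public gateway instance (runs as edge-gateway): terminates TLS, picks the
# certificate by SNI via server_name, forwards to the environment proxies
# on loopback ports. Hostnames, ports and paths are assumed for this example.
server {
    listen 443 ssl;
    server_name test.example.com;
    ssl_certificate     /etc/edge-gateway/test.example.com.crt;
    ssl_certificate_key /etc/edge-gateway/test.example.com.key;
    location / {
        proxy_pass http://127.0.0.1:8081;          # test proxy, private port
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/edge-gateway/app.example.com.crt;
    ssl_certificate_key /etc/edge-gateway/app.example.com.key;
    location / {
        proxy_pass http://127.0.0.1:8082;          # prod proxy, private port
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Prod environment proxy instance (runs as proxy-prod), in its own config file.
# Listens only on loopback, so the gateway is the sole way in; adds the
# per-environment CSP and speaks mTLS to Vault with a client certificate
# issued by the prod PKI mount (paths assumed).
server {
    listen 127.0.0.1:8082;
    add_header Content-Security-Policy "default-src 'self'" always;
    location /vault/ {
        proxy_pass https://127.0.0.1:8200/;
        proxy_ssl_certificate         /etc/proxy-prod/vault-client.crt;
        proxy_ssl_certificate_key     /etc/proxy-prod/vault-client.key;
        proxy_ssl_trusted_certificate /etc/proxy-prod/vault-prod-ca.crt;
        proxy_ssl_verify              on;     # reject Vault certs not from the prod PKI
        proxy_ssl_name                vault-prod.internal;
        proxy_ssl_server_name         on;
    }
    location / {
        proxy_pass http://127.0.0.1:9000;          # prod app
    }
}
```

Because the prod proxy binds to 127.0.0.1 only, a listener check on the VPS (for example `ss -ltnp`) should show 443 as the sole public socket, which is a quick way to confirm the exposure boundary the diagram describes.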