From 1482cb502c40bc82ec3e8f30e7c5e99f763f83a3 Mon Sep 17 00:00:00 2001
From: Nick Fox
Date: Tue, 1 Jan 2019 01:23:17 +0000
Subject: [PATCH] Created Proxy examples (markdown)
---
 Proxy-examples.md | 96 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 96 insertions(+)
 create mode 100644 Proxy-examples.md
diff --git a/Proxy-examples.md b/Proxy-examples.md
new file mode 100644
index 0000000..09f39ba
--- /dev/null
+++ b/Proxy-examples.md
@@ -0,0 +1,96 @@
+In this document, `` refers to the IP or domain where bitwarden_rs is accessible from. If both the proxy and bitwarden_rs are running in the same system, simply use `localhost`.
+The ports proxied by default are `80` for the web server and `3012` for the WebSocket server. The proxies are configured to listen in port `443` with HTTPS enabled, which is recommended.
+
+When using a proxy, it's preferrable to configure HTTPS at the proxy level and not at the application level, this way the WebSockets connection is also secured.
+
+## Caddy
+
+```nginx
+localhost:443 {
+ # The negotiation endpoint is also proxied to Rocket
+ proxy /notifications/hub/negotiate :80 {
+ transparent
+ }
+
+ # Notifications redirected to the websockets server
+ proxy /notifications/hub :3012 {
+ websocket
+ }
+
+ # Proxy the Root directory to Rocket
+ proxy / :80 {
+ transparent
+ }
+
+ tls ${SSLCERTIFICATE} ${SSLKEY}
+}
+```
+
+## Nginx (by shauder)
+```nginx
+server {
+ listen 443 ssl http2;
+ server_name vault.*;
+
+ # Specify SSL config if using a shared one. 
+ #include conf.d/ssl/ssl.conf;
+
+ location / {
+ proxy_pass http://:80;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ location /notifications/hub {
+ proxy_pass http://:3012;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+
+ location /notifications/hub/negotiate {
+ proxy_pass http://:80;
+ }
+}
+```
+
+## Apache (by fbartels)
+```apache
+
+ SSLEngine on
+ ServerName bitwarden.$hostname.$domainname
+
+ SSLCertificateFile ${SSLCERTIFICATE}
+ SSLCertificateKeyFile ${SSLKEY}
+ SSLCACertificateFile ${SSLCA}
+ ${SSLCHAIN}
+
+ ErrorLog \${APACHE_LOG_DIR}/bitwarden-error.log
+ CustomLog \${APACHE_LOG_DIR}/bitwarden-access.log combined
+
+ RewriteEngine On
+ RewriteCond %{HTTP:Upgrade} =websocket [NC]
+ RewriteRule /(.*) ws://:3012/$1 [P,L]
+
+ ProxyPass / http://:80/
+
+ ProxyPreserveHost On
+ ProxyRequests Off
+
+```
+
+## Traefik (docker-compose example)
+```traefik
+ labels:
+ - 'traefik.frontend.rule=Host:vault.example.local'
+ - 'traefik.docker.network=traefik'
+ - 'traefik.port=80'
+ - 'traefik.enable=true'
+ - 'traefik.web.frontend.rule=Host:vault.example.local'
+ - 'traefik.web.port=80'
+ - 'traefik.hub.frontend.rule=Path:/notifications/hub'
+ - 'traefik.hub.port=3012'
+ - 'traefik.negotiate.frontend.rule=Path:/notifications/hub/negotiate'
+ - 'traefik.negotiate.port=80'
+```