From 7f8ed12f44b575e54aae81eb28307c961a39e161 Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Sat, 28 Dec 2019 15:14:31 +0100 Subject: [PATCH] Add Ansible inventory example that uses DebOps to configure nginx as a reverse proxy --- Proxy-examples.md | 56 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/Proxy-examples.md b/Proxy-examples.md index 5d1876a..b784fcd 100644 --- a/Proxy-examples.md +++ b/Proxy-examples.md 
@@ -76,6 +76,62 @@ server { } ``` +## Nginx (by ypid) + +Ansible inventory example that uses DebOps to configure nginx as a reverse proxy for bitwarden_rs. I choose to go with the PSK in the URL for additional security to not expose the API to everyone on the Internet because the client apps do not support client certificates yet (I tested it). + +```YAML +bitwarden__fqdn: 'vault.example.org' + +nginx__upstreams: + + - name: 'bitwarden' + type: 'default' + enabled: True + server: 'localhost:8000' + +nginx__servers: + + - name: '{{ bitwarden__fqdn }}' + filename: 'debops.bitwarden' + by_role: 'debops.bitwarden' + favicon: False + root: '/usr/share/bitwarden_rs/web-vault' + + location_list: + + - pattern: '/' + options: |- + deny all; + + - pattern: '= /ekkP9wtJ_psk_changeme_Hr9CCTud' + options: |- + return 307 $scheme://$host$request_uri/; + + ## All the security HTTP headers would then need to be set by nginx as well. + # - pattern: '/ekkP9wtJ_psk_changeme_Hr9CCTud/' + # options: |- + # alias /usr/share/bitwarden_rs/web-vault/; + + - pattern: '/ekkP9wtJ_psk_changeme_Hr9CCTud/' + options: |- + proxy_set_header Host $host; + # proxy_set_header X-Real-IP $remote_addr; + # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Port 443; + + proxy_pass http://bitwarden; + + ## Do not use the icons features as long as it reveals all domains from + ## our credentials to the server. + - pattern: '/ekkP9wtJ_psk_changeme_Hr9CCTud/icons/' + options: |- + access_log off; + log_not_found off; + deny all; +``` + ## Apache (by fbartels) ```apache
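Review bot: In the proxied `/ekkP9wtJ_psk_changeme_Hr9CCTud/` location both `X-Forwarded-For` and `X-Real-IP` are commented out, so the backend on `localhost:8000` only ever sees the loopback address and, if bitwarden_rs logs or throttles anything per client IP, every client looks the same; unless hiding client IPs is intended, the example should enable `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`. The PSK is part of every request URL, which means it is written to the nginx access log, sent in Referer headers and kept in browser history, so a caveat next to the `changeme` placeholder is warranted, e.g. `## The PSK is in every request URL: it ends up in access logs, Referer headers and browser history, so restrict access to the logs and rotate the PSK if they are exposed.` The `deny all` on `/` answers 403 rather than 404, which still tells an unauthenticated scanner that the vhost serves something behind it; `return 404;` would be the quieter choice if that matters for the stated goal of not exposing the API to everyone.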