From 901872a10b3a40a56a4e8816b7e0e06c0ac126f6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexis=20Sard=C3=A1?=
Date: Sat, 4 Nov 2023 13:21:30 +0100
Subject: [PATCH] Update Cloudflare info
---
 Proxy-examples.md | 33 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 12 deletions(-)
diff --git a/Proxy-examples.md b/Proxy-examples.md
index 0ccb23b..dfd2ca2 100644
--- a/Proxy-examples.md
+++ b/Proxy-examples.md
@@ -51,21 +51,27 @@ If you prefer, you can also directly specify a value instead of substituting an
 # Uncomment to improve security (WARNING: only use if you understand the implications!)
 # If you want to use FIDO2 WebAuthn, set X-Frame-Options to "SAMEORIGIN" or the Browser will block those requests
- # header {
- # # Enable HTTP Strict Transport Security (HSTS)
- # Strict-Transport-Security "max-age=31536000;"
- # # Enable cross-site filter (XSS) and tell browser to block detected attacks
- # X-XSS-Protection "1; mode=block"
- # # Disallow the site to be rendered within a frame (clickjacking protection)
- # X-Frame-Options "SAMEORIGIN"
- # # Prevent search engines from indexing (optional)
- # X-Robots-Tag "none"
- # # Server name removing
- # -Server
+ # header / {
+ # # Enable HTTP Strict Transport Security (HSTS)
+ # Strict-Transport-Security "max-age=31536000;"
+ # # Disable cross-site filter (XSS)
+ # X-XSS-Protection "0"
+ # # Disallow the site to be rendered within a frame (clickjacking protection)
+ # X-Frame-Options "DENY"
+ # # Prevent search engines from indexing (optional)
+ # X-Robots-Tag "noindex, nofollow"
+ # # Disallow sniffing of X-Content-Type-Options
+ # X-Content-Type-Options "nosniff"
+ # # Server name removing
+ # -Server
+ # # Remove X-Powered-By though this shouldn't be an issue, better opsec to remove
+ # -X-Powered-By
+ # # Remove Last-Modified because etag is the same and is as effective
+ # -Last-Modified
 # }
 # Uncomment to allow access to the admin interface only from local networks
-# import admin_redir
+ # import admin_redir
 # Proxy everything to Rocket
 # if located at a sub-path the reverse_proxy line will look like:
@@ -74,6 +80,9 @@ If you prefer, you can also directly specify a value instead of substituting an
 # Send the true remote IP to Rocket, so that Vaultwarden can put this in the
 # log, so that fail2ban can ban the correct IP.
 header_up X-Real-IP {remote_host}
+ # If you use Cloudlfare proxying, replace remote_host with http.request.header.Cf-Connecting-Ip
+ # See https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/
+ # and https://caddy.community/t/forward-auth-copy-headers-value-not-replaced/16998/4
 }
 }
 ```