Update Cloudflare info

Alexis Sardá
2023-11-04 13:21:30 +01:00
parent fed99a980c
commit 901872a10b

@@ -51,21 +51,27 @@ If you prefer, you can also directly specify a value instead of substituting an
# Uncomment to improve security (WARNING: only use if you understand the implications!) # Uncomment to improve security (WARNING: only use if you understand the implications!)
# If you want to use FIDO2 WebAuthn, set X-Frame-Options to "SAMEORIGIN" or the Browser will block those requests # If you want to use FIDO2 WebAuthn, set X-Frame-Options to "SAMEORIGIN" or the Browser will block those requests
# header { # header / {
# # Enable HTTP Strict Transport Security (HSTS) # # Enable HTTP Strict Transport Security (HSTS)
# Strict-Transport-Security "max-age=31536000;" # Strict-Transport-Security "max-age=31536000;"
# # Enable cross-site filter (XSS) and tell browser to block detected attacks # # Disable cross-site filter (XSS)
# X-XSS-Protection "1; mode=block" # X-XSS-Protection "0"
# # Disallow the site to be rendered within a frame (clickjacking protection) # # Disallow the site to be rendered within a frame (clickjacking protection)
# X-Frame-Options "SAMEORIGIN" # X-Frame-Options "DENY"
# # Prevent search engines from indexing (optional) # # Prevent search engines from indexing (optional)
# X-Robots-Tag "none" # X-Robots-Tag "noindex, nofollow"
# # Server name removing # # Disallow sniffing of X-Content-Type-Options
# -Server # X-Content-Type-Options "nosniff"
# # Server name removing
# -Server
# # Remove X-Powered-By though this shouldn't be an issue, better opsec to remove
# -X-Powered-By
# # Remove Last-Modified because etag is the same and is as effective
# -Last-Modified
# } # }
# Uncomment to allow access to the admin interface only from local networks # Uncomment to allow access to the admin interface only from local networks
# import admin_redir # import admin_redir
# Proxy everything to Rocket # Proxy everything to Rocket
# if located at a sub-path the reverse_proxy line will look like: # if located at a sub-path the reverse_proxy line will look like:
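Review bot: The new `header / {` opener on the right-hand side narrows the block instead of keeping it site-wide. In Caddy v2 syntax (which the rest of this example uses, e.g. `reverse_proxy` and `header_up`), a first argument starting with `/` is a path matcher, and `/` matches only the exact root path. Anyone who uncomments the block as written would therefore get HSTS, `X-Frame-Options`, `X-Content-Type-Options` and the header removals on `/` only, not on the vault's API, admin or attachment paths. I would keep the matcher-less form `# header {` (or write `# header * {` if an explicit matcher is wanted). The example starts before this hunk, so the enclosing site block is not visible here.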
@@ -74,6 +80,9 @@ If you prefer, you can also directly specify a value instead of substituting an
# Send the true remote IP to Rocket, so that Vaultwarden can put this in the # Send the true remote IP to Rocket, so that Vaultwarden can put this in the
# log, so that fail2ban can ban the correct IP. # log, so that fail2ban can ban the correct IP.
header_up X-Real-IP {remote_host} header_up X-Real-IP {remote_host}
# If you use Cloudlfare proxying, replace remote_host with http.request.header.Cf-Connecting-Ip
# See https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/
# and https://caddy.community/t/forward-auth-copy-headers-value-not-replaced/16998/4
} }
} }
``` ```
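Review bot: The added Cloudflare comment recommends putting `Cf-Connecting-Ip` into `X-Real-IP` without saying when that header can be trusted. It is an ordinary request header, so if the origin is also reachable without going through Cloudflare, any client can set it and Vaultwarden will log a forged address. fail2ban would then ban the wrong IP, or never ban the real one. I would add a line such as `# Only do this if the server accepts connections exclusively from Cloudflare's IP ranges; otherwise clients can forge Cf-Connecting-Ip`. The same comment also misspells the name as "Cloudlfare".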