rhino/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-03-24 02:39:21 -07:00
Code Issues Packages Projects Releases Wiki Activity

Updated the nginx configurations

Mathijs van Veluw
2022-03-22 10:14:29 +01:00
parent a92103fcf2
commit ca4252cbc2
1 changed files with 106 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

161
Proxy-examples.md

@@ -101,52 +101,100 @@ You'll have to set `IP_HEADER` to `X-Forwarded-For` instead of `X-Real-IP` in th
</details> </details>
<details> <details>
<summary>Nginx (by shauder)</summary><br/> <summary>Nginx (by blackdex)</summary><br/>
```nginx ```nginx
# The `upstream` directives ensure that you have a http/1.1 connection
# This enables the keepalive option and better performance
#
# Define the server IP and ports here.
upstream vaultwarden-default {
zone vaultwarden-default 64k;
server 127.0.0.1:8080;
keepalive 2;
}
upstream vaultwarden-ws {
zone vaultwarden-ws 64k;
server 127.0.0.1:3012;
keepalive 2;
}
# Redirect HTTP to HTTPS
server { server {
listen 443 ssl http2; listen 80;
server_name vault.*; listen [::]:80;
server_name vaultwarden.example.tld;
# Specify SSL config if using a shared one. return 301 https://$host$request_uri;
#include conf.d/ssl/ssl.conf; }
# Allow large attachments
client_max_body_size 128M;
location / { server {
proxy_pass http://<SERVER>:80; listen 443 ssl http2;
proxy_set_header Host $host; listen [::]:443 ssl http2;
proxy_set_header X-Real-IP $remote_addr; server_name vaultwarden.example.tld;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /notifications/hub {
proxy_pass http://<SERVER>:3012;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /notifications/hub/negotiate {
proxy_pass http://<SERVER>:80;
}
# Optionally add extra authentication besides the ADMIN_TOKEN # Specify SSL Config when needed
# If you don't want this, leave this part out #ssl_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
location /admin { #ssl_certificate_key /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/privkey.pem;
# See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/ #ssl_trusted_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
auth_basic "Private";
auth_basic_user_file /path/to/htpasswd_file;
proxy_set_header Host $host; client_max_body_size 128M;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://<SERVER>:80; location / {
} proxy_http_version 1.1;
proxy_set_header "Connection" "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://vaultwarden-default;
}
location /notifications/hub/negotiate {
proxy_http_version 1.1;
proxy_set_header "Connection" "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://vaultwarden-default;
}
location /notifications/hub {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Forwarded $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://vaultwarden-ws;
}
# Optionally add extra authentication besides the ADMIN_TOKEN
# Remove the comments below `#` and create the htpasswd_file to have it active
#
#location /admin {
# # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
# auth_basic "Private";
# auth_basic_user_file /path/to/htpasswd_file;
#
# proxy_http_version 1.1;
# proxy_set_header "Connection" "";
#
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
#
# proxy_pass http://vaultwarden-default;
#}
} }
``` ```
@@ -175,6 +223,9 @@ DOMAIN=https://bitwarden.example.tld/vault/
``` ```
```nginx ```nginx
# The `upstream` directives ensure that you have a http/1.1 connection
# This enables the keepalive option and better performance
#
# Define the server IP and ports here. # Define the server IP and ports here.
upstream vaultwarden-default { upstream vaultwarden-default {
zone vaultwarden-default 64k; zone vaultwarden-default 64k;
@@ -249,23 +300,23 @@ server {
} }
# Optionally add extra authentication besides the ADMIN_TOKEN # Optionally add extra authentication besides the ADMIN_TOKEN
# If you don't want this, leave this part out # Remove the comments below `#` and create the htpasswd_file to have it active
location /vault/admin { #
# See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/ #location /vault/admin {
auth_basic "Private"; # # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
auth_basic_user_file /path/to/htpasswd_file; # auth_basic "Private";
# auth_basic_user_file /path/to/htpasswd_file;
proxy_http_version 1.1; #
proxy_set_header "Connection" ""; # proxy_http_version 1.1;
# proxy_set_header "Connection" "";
proxy_set_header Host $host; #
proxy_set_header X-Real-IP $remote_addr; # proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme; # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://vaultwarden-default; #
} # proxy_pass http://vaultwarden-default;
#}
} }
``` ```
</details> </details>