mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-03-25 03:09:20 -07:00
added nginx proxy example with downstream proxy communication in proxy_protocol
Dionysius
@@ -475,6 +475,118 @@ Example NixOS nginx config. For more Information about NixOS Deployment see [Dep
|
|||||||
|
|
||||||
```
|
```
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
|
<details>
|
||||||
|
<summary>Nginx with proxy_protocol in front (by dionysius)</summary><br/>
|
||||||
|
|
||||||
|
In this example there is a downstream proxy communicating in [proxy_protocol in front of this nginx](https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/) (E.g. a [LXD proxy device with proxy_protocol enabled](https://linuxcontainers.org/lxd/docs/master/reference/devices_proxy/)). Nginx needs to correctly consume the protocol and headers to forward need to be set from the those. Lines marked with `# <---` have different contents than blackdex example.
|
||||||
|
|
||||||
|
For reference this LXD downstream proxy device configuration:
|
||||||
|
```yaml
|
||||||
|
devices:
|
||||||
|
http:
|
||||||
|
connect: tcp:[::1]:80
|
||||||
|
listen: tcp:[::]:80
|
||||||
|
proxy_protocol: "true"
|
||||||
|
type: proxy
|
||||||
|
https:
|
||||||
|
connect: tcp:[::1]:443
|
||||||
|
listen: tcp:[::]:443
|
||||||
|
proxy_protocol: "true"
|
||||||
|
type: proxy
|
||||||
|
```
|
||||||
|
|
||||||
|
```nginx
|
||||||
|
# proxy_protocol related:
|
||||||
|
|
||||||
|
set_real_ip_from ::1; # which downstream proxy to trust, enter address of your proxy in front
|
||||||
|
real_ip_header proxy_protocol; # optional, if you want nginx to override remote_addr with info from proxy_protocol. depends on which variables you use regarding remote addr in log template and in server or stream blocks.
|
||||||
|
|
||||||
|
# below based on blackdex example:
|
||||||
|
|
||||||
|
# The `upstream` directives ensure that you have a http/1.1 connection
|
||||||
|
# This enables the keepalive option and better performance
|
||||||
|
#
|
||||||
|
# Define the server IP and ports here.
|
||||||
|
upstream vaultwarden-default {
|
||||||
|
zone vaultwarden-default 64k;
|
||||||
|
server 127.0.0.1:8080;
|
||||||
|
keepalive 2;
|
||||||
|
}
|
||||||
|
upstream vaultwarden-ws {
|
||||||
|
zone vaultwarden-ws 64k;
|
||||||
|
server 127.0.0.1:3012;
|
||||||
|
keepalive 2;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Redirect HTTP to HTTPS
|
||||||
|
server {
|
||||||
|
if ($host = bitwarden.example.tld) {
|
||||||
|
return 301 https://$host$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
|
listen 80 proxy_protocol; # <---
|
||||||
|
listen [::]:80 proxy_protocol; # <---
|
||||||
|
server_name bitwarden.example.tld;
|
||||||
|
return 404;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2 proxy_protocol; # <---
|
||||||
|
listen [::]:443 ssl http2 proxy_protocol; # <---
|
||||||
|
server_name vaultwarden.example.tld;
|
||||||
|
|
||||||
|
# Specify SSL Config when needed
|
||||||
|
#ssl_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
|
||||||
|
#ssl_certificate_key /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/privkey.pem;
|
||||||
|
#ssl_trusted_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
|
||||||
|
|
||||||
|
client_max_body_size 128M;
|
||||||
|
|
||||||
|
## Using a Sub Path Config
|
||||||
|
# Path to the root of your installation
|
||||||
|
# Be sure to add the trailing /, else you could have issues
|
||||||
|
location /vault/ {
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header "Connection" "";
|
||||||
|
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr; # <--- or if real_ip_header not set above: $proxy_forwarded_for
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # <-- or if real_ip_header not set above: $proxy_forwarded_for
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
|
proxy_pass http://vaultwarden-default;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /vault/notifications/hub/negotiate {
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header "Connection" "";
|
||||||
|
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr; # <--- or if real_ip_header not set above: $proxy_forwarded_for
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # <-- or if real_ip_header not set above: $proxy_forwarded_for
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
|
proxy_pass http://vaultwarden-default;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /vault/notifications/hub {
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection "upgrade";
|
||||||
|
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr; # <--- or if real_ip_header not set above: $proxy_forwarded_for
|
||||||
|
proxy_set_header Forwarded $remote_addr; # <--- [sic] this is not correct [RFC 7239](https://datatracker.ietf.org/doc/html/rfc7239)
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # <-- or if real_ip_header not set above: $proxy_forwarded_for
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
|
proxy_pass http://vaultwarden-ws;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
</details>
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
<summary>Apache (by fbartels)</summary><br/>
|
<summary>Apache (by fbartels)</summary><br/>
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user