mirror of
https://github.com/dani-garcia/vaultwarden
synced 2024-09-27 21:08:55 +02:00
added nginx proxy example with downstream proxy communication in proxy_protocol
Dionysius
parent
b1c705ced3
commit
d787a6bb0e
1 changed files with 112 additions and 0 deletions
|
|
@ -475,6 +475,118 @@ Example NixOS nginx config. For more Information about NixOS Deployment see [Dep
|
|||
|
||||
```
|
||||
</details>
|
||||
|
||||
<details>
|
||||
<summary>Nginx with proxy_protocol in front (by dionysius)</summary><br/>
|
||||
|
||||
In this example there is a downstream proxy communicating in [proxy_protocol in front of this nginx](https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/) (E.g. a [LXD proxy device with proxy_protocol enabled](https://linuxcontainers.org/lxd/docs/master/reference/devices_proxy/)). Nginx needs to correctly consume the protocol and headers to forward need to be set from the those. Lines marked with `# <---` have different contents than blackdex example.
|
||||
|
||||
For reference this LXD downstream proxy device configuration:
|
||||
```yaml
|
||||
devices:
|
||||
http:
|
||||
connect: tcp:[::1]:80
|
||||
listen: tcp:[::]:80
|
||||
proxy_protocol: "true"
|
||||
type: proxy
|
||||
https:
|
||||
connect: tcp:[::1]:443
|
||||
listen: tcp:[::]:443
|
||||
proxy_protocol: "true"
|
||||
type: proxy
|
||||
```
|
||||
|
||||
```nginx
|
||||
# proxy_protocol related:
|
||||
|
||||
set_real_ip_from ::1; # which downstream proxy to trust, enter address of your proxy in front
|
||||
real_ip_header proxy_protocol; # optional, if you want nginx to override remote_addr with info from proxy_protocol. depends on which variables you use regarding remote addr in log template and in server or stream blocks.
|
||||
|
||||
# below based on blackdex example:
|
||||
|
||||
# The `upstream` directives ensure that you have a http/1.1 connection
|
||||
# This enables the keepalive option and better performance
|
||||
#
|
||||
# Define the server IP and ports here.
|
||||
upstream vaultwarden-default {
|
||||
zone vaultwarden-default 64k;
|
||||
server 127.0.0.1:8080;
|
||||
keepalive 2;
|
||||
}
|
||||
upstream vaultwarden-ws {
|
||||
zone vaultwarden-ws 64k;
|
||||
server 127.0.0.1:3012;
|
||||
keepalive 2;
|
||||
}
|
||||
|
||||
# Redirect HTTP to HTTPS
|
||||
server {
|
||||
if ($host = bitwarden.example.tld) {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
listen 80 proxy_protocol; # <---
|
||||
listen [::]:80 proxy_protocol; # <---
|
||||
server_name bitwarden.example.tld;
|
||||
return 404;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2 proxy_protocol; # <---
|
||||
listen [::]:443 ssl http2 proxy_protocol; # <---
|
||||
server_name vaultwarden.example.tld;
|
||||
|
||||
# Specify SSL Config when needed
|
||||
#ssl_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
|
||||
#ssl_certificate_key /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/privkey.pem;
|
||||
#ssl_trusted_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
|
||||
|
||||
client_max_body_size 128M;
|
||||
|
||||
## Using a Sub Path Config
|
||||
# Path to the root of your installation
|
||||
# Be sure to add the trailing /, else you could have issues
|
||||
location /vault/ {
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header "Connection" "";
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr; # <--- or if real_ip_header not set above: $proxy_forwarded_for
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # <-- or if real_ip_header not set above: $proxy_forwarded_for
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
proxy_pass http://vaultwarden-default;
|
||||
}
|
||||
|
||||
location /vault/notifications/hub/negotiate {
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header "Connection" "";
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr; # <--- or if real_ip_header not set above: $proxy_forwarded_for
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # <-- or if real_ip_header not set above: $proxy_forwarded_for
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
proxy_pass http://vaultwarden-default;
|
||||
}
|
||||
|
||||
location /vault/notifications/hub {
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr; # <--- or if real_ip_header not set above: $proxy_forwarded_for
|
||||
proxy_set_header Forwarded $remote_addr; # <--- [sic] this is not correct [RFC 7239](https://datatracker.ietf.org/doc/html/rfc7239)
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # <-- or if real_ip_header not set above: $proxy_forwarded_for
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
proxy_pass http://vaultwarden-ws;
|
||||
}
|
||||
}
|
||||
```
|
||||
</details>
|
||||
|
||||
<details>
|
||||
<summary>Apache (by fbartels)</summary><br/>
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue