From d787a6bb0e2dc5350588c7849f33a6bb1b5f8a30 Mon Sep 17 00:00:00 2001
From: Dionysius <1341084+dionysius@users.noreply.github.com>
Date: Wed, 4 Jan 2023 21:57:58 +0100
Subject: [PATCH] added nginx proxy example with downstream proxy communication in proxy_protocol
---
 Proxy-examples.md | 112 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 112 insertions(+)
diff --git a/Proxy-examples.md b/Proxy-examples.md
index f037cca..a4f1e0e 100644
--- a/Proxy-examples.md
+++ b/Proxy-examples.md
@@ -475,6 +475,118 @@ Example NixOS nginx config. For more Information about NixOS Deployment see [Dep
 ```
+
+
+Nginx with proxy_protocol in front (by dionysius)
+
+In this example there is a downstream proxy communicating in [proxy_protocol in front of this nginx](https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/) (E.g. a [LXD proxy device with proxy_protocol enabled](https://linuxcontainers.org/lxd/docs/master/reference/devices_proxy/)). Nginx needs to correctly consume the protocol and headers to forward need to be set from the those. Lines marked with `# <---` have different contents than blackdex example.
+
+For reference this LXD downstream proxy device configuration:
+```yaml
+devices:
+ http:
+ connect: tcp:[::1]:80
+ listen: tcp:[::]:80
+ proxy_protocol: "true"
+ type: proxy
+ https:
+ connect: tcp:[::1]:443
+ listen: tcp:[::]:443
+ proxy_protocol: "true"
+ type: proxy
+```
+
+```nginx
+# proxy_protocol related:
+
+set_real_ip_from ::1; # which downstream proxy to trust, enter address of your proxy in front
+real_ip_header proxy_protocol; # optional, if you want nginx to override remote_addr with info from proxy_protocol. depends on which variables you use regarding remote addr in log template and in server or stream blocks.
+
+# below based on blackdex example:
+
+# The `upstream` directives ensure that you have a http/1.1 connection
+# This enables the keepalive option and better performance
+#
+# Define the server IP and ports here. 
+upstream vaultwarden-default {
+ zone vaultwarden-default 64k;
+ server 127.0.0.1:8080;
+ keepalive 2;
+}
+upstream vaultwarden-ws {
+ zone vaultwarden-ws 64k;
+ server 127.0.0.1:3012;
+ keepalive 2;
+}
+
+# Redirect HTTP to HTTPS
+server {
+ if ($host = bitwarden.example.tld) {
+ return 301 https://$host$request_uri;
+ }
+
+ listen 80 proxy_protocol; # <---
+ listen [::]:80 proxy_protocol; # <---
+ server_name bitwarden.example.tld;
+ return 404;
+}
+
+server {
+ listen 443 ssl http2 proxy_protocol; # <---
+ listen [::]:443 ssl http2 proxy_protocol; # <---
+ server_name vaultwarden.example.tld;
+
+ # Specify SSL Config when needed
+ #ssl_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
+ #ssl_certificate_key /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/privkey.pem;
+ #ssl_trusted_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
+
+ client_max_body_size 128M;
+
+ ## Using a Sub Path Config
+ # Path to the root of your installation
+ # Be sure to add the trailing /, else you could have issues
+ location /vault/ {
+ proxy_http_version 1.1;
+ proxy_set_header "Connection" "";
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr; # <--- or if real_ip_header not set above: $proxy_forwarded_for
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # <-- or if real_ip_header not set above: $proxy_forwarded_for
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_pass http://vaultwarden-default;
+ }
+
+ location /vault/notifications/hub/negotiate {
+ proxy_http_version 1.1;
+ proxy_set_header "Connection" "";
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr; # <--- or if real_ip_header not set above: $proxy_forwarded_for
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # <-- or if real_ip_header not set above: $proxy_forwarded_for
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_pass 
http://vaultwarden-default;
+ }
+
+ location /vault/notifications/hub {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr; # <--- or if real_ip_header not set above: $proxy_forwarded_for
+ proxy_set_header Forwarded $remote_addr; # <--- [sic] this is not correct [RFC 7239](https://datatracker.ietf.org/doc/html/rfc7239)
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # <-- or if real_ip_header not set above: $proxy_forwarded_for
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_pass http://vaultwarden-ws;
+ }
+}
+```
+
+
Apache (by fbartels)