From d787a6bb0e2dc5350588c7849f33a6bb1b5f8a30 Mon Sep 17 00:00:00 2001
From: Dionysius <1341084+dionysius@users.noreply.github.com>
Date: Wed, 4 Jan 2023 21:57:58 +0100
Subject: [PATCH] added nginx proxy example with downstream proxy communication
in proxy_protocol
---
Proxy-examples.md | 112 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 112 insertions(+)
diff --git a/Proxy-examples.md b/Proxy-examples.md
index f037cca..a4f1e0e 100644
--- a/Proxy-examples.md
+++ b/Proxy-examples.md
@@ -475,6 +475,118 @@ Example NixOS nginx config. For more Information about NixOS Deployment see [Dep
```
+
+
+Nginx with proxy_protocol in front (by dionysius)
+
+In this example there is a downstream proxy communicating in [proxy_protocol in front of this nginx](https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/) (E.g. a [LXD proxy device with proxy_protocol enabled](https://linuxcontainers.org/lxd/docs/master/reference/devices_proxy/)). Nginx needs to correctly consume the protocol and headers to forward need to be set from the those. Lines marked with `# <---` have different contents than blackdex example.
+
+For reference this LXD downstream proxy device configuration:
+```yaml
+devices:
+ http:
+ connect: tcp:[::1]:80
+ listen: tcp:[::]:80
+ proxy_protocol: "true"
+ type: proxy
+ https:
+ connect: tcp:[::1]:443
+ listen: tcp:[::]:443
+ proxy_protocol: "true"
+ type: proxy
+```
+
+```nginx
+# proxy_protocol related:
+
+set_real_ip_from ::1; # which downstream proxy to trust, enter address of your proxy in front
+real_ip_header proxy_protocol; # optional, if you want nginx to override remote_addr with info from proxy_protocol. depends on which variables you use regarding remote addr in log template and in server or stream blocks.
+
+# below based on blackdex example:
+
+# The `upstream` directives ensure that you have a http/1.1 connection
+# This enables the keepalive option and better performance
+#
+# Define the server IP and ports here.
+upstream vaultwarden-default {
+ zone vaultwarden-default 64k;
+ server 127.0.0.1:8080;
+ keepalive 2;
+}
+upstream vaultwarden-ws {
+ zone vaultwarden-ws 64k;
+ server 127.0.0.1:3012;
+ keepalive 2;
+}
+
+# Redirect HTTP to HTTPS
+server {
+ if ($host = bitwarden.example.tld) {
+ return 301 https://$host$request_uri;
+ }
+
+ listen 80 proxy_protocol; # <---
+ listen [::]:80 proxy_protocol; # <---
+ server_name bitwarden.example.tld;
+ return 404;
+}
+
+server {
+ listen 443 ssl http2 proxy_protocol; # <---
+ listen [::]:443 ssl http2 proxy_protocol; # <---
+ server_name vaultwarden.example.tld;
+
+ # Specify SSL Config when needed
+ #ssl_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
+ #ssl_certificate_key /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/privkey.pem;
+ #ssl_trusted_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
+
+ client_max_body_size 128M;
+
+ ## Using a Sub Path Config
+ # Path to the root of your installation
+ # Be sure to add the trailing /, else you could have issues
+ location /vault/ {
+ proxy_http_version 1.1;
+ proxy_set_header "Connection" "";
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr; # <--- or if real_ip_header not set above: $proxy_forwarded_for
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # <-- or if real_ip_header not set above: $proxy_forwarded_for
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_pass http://vaultwarden-default;
+ }
+
+ location /vault/notifications/hub/negotiate {
+ proxy_http_version 1.1;
+ proxy_set_header "Connection" "";
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr; # <--- or if real_ip_header not set above: $proxy_forwarded_for
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # <-- or if real_ip_header not set above: $proxy_forwarded_for
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_pass http://vaultwarden-default;
+ }
+
+ location /vault/notifications/hub {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr; # <--- or if real_ip_header not set above: $proxy_forwarded_for
+ proxy_set_header Forwarded $remote_addr; # <--- [sic] this is not correct [RFC 7239](https://datatracker.ietf.org/doc/html/rfc7239)
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # <-- or if real_ip_header not set above: $proxy_forwarded_for
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_pass http://vaultwarden-ws;
+ }
+}
+```
+
+
Apache (by fbartels)