You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
70 lines
2.3 KiB
70 lines
2.3 KiB
5 years ago
|
server {
|
||
|
listen 443 ssl http2;
|
||
|
server_name {{ bitwarden_public_url | urlsplit('hostname') }};
|
||
|
|
||
|
include /etc/nginx/ansible_conf.d/acme.inc;
|
||
|
|
||
|
{% if bitwarden_cert_path is defined and bitwarden_key_path is defined %}
|
||
|
ssl_certificate {{ bitwarden_cert_path }};
|
||
|
ssl_certificate_key {{ bitwarden_key_path }};
|
||
|
{% elif bitwarden_letsencrypt_cert is defined and bitwarden_letsencrypt_cert == True %}
|
||
|
ssl_certificate /var/lib/dehydrated/certificates/certs/{{ bitwarden_public_url | urlsplit('hostname') }}/fullchain.pem;
|
||
|
ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ bitwarden_public_url | urlsplit('hostname') }}/privkey.pem;
|
||
|
{% elif bitwarden_letsencrypt_cert is string %}
|
||
|
ssl_certificate /var/lib/dehydrated/certificates/certs/{{ bitwarden_letsencrypt_cert }}/fullchain.pem;
|
||
|
ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ bitwarden_letsencrypt_cert }}/privkey.pem;
|
||
|
{% endif %}
|
||
|
|
||
|
root {{ bitwarden_root_dir }}/web-vault;
|
||
|
|
||
|
client_max_body_size 512M;
|
||
|
|
||
|
if ($request_method !~ ^(GET|POST|HEAD|PUT|DELETE)$ ) {
|
||
|
return 405;
|
||
|
}
|
||
|
|
||
|
location /notifications/hub {
|
||
|
proxy_pass http://localhost:{{ bitwarden_ws_port }};
|
||
|
proxy_set_header Upgrade $http_upgrade;
|
||
|
proxy_set_header Connection "upgrade";
|
||
|
}
|
||
|
location /notifications/hub/negotiate {
|
||
|
proxy_pass http://localhost:{{ bitwarden_http_port }};
|
||
|
}
|
||
|
|
||
|
location @proxy {
|
||
|
proxy_pass http://localhost:{{ bitwarden_http_port }};
|
||
|
}
|
||
|
|
||
|
location / {
|
||
|
try_files $uri $uri/index.html @proxy;
|
||
|
}
|
||
|
|
||
|
add_header X-Frame-Options "DENY";
|
||
|
add_header X-Content-Type-Options "nosniff";
|
||
|
add_header X-XSS-Protection "1; mode=block";
|
||
|
add_header Strict-Transport-Security "$hsts_header";
|
||
|
|
||
|
# Send info about the original request to the backend
|
||
|
proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for";
|
||
|
proxy_set_header X-Real-IP "$remote_addr";
|
||
|
proxy_set_header X-Forwarded-Proto "$scheme";
|
||
|
proxy_set_header X-Forwarded-Host "$host";
|
||
|
proxy_set_header Host "$host";
|
||
|
|
||
|
# Set the timeout to read responses from the backend
|
||
|
proxy_read_timeout 60s;
|
||
|
|
||
|
# Enable Keep Alive to the backend
|
||
|
proxy_socket_keepalive on;
|
||
|
|
||
|
# Disable buffering large files
|
||
|
proxy_max_temp_file_size 5m;
|
||
|
|
||
|
allow 127.0.0.1;
|
||
|
{% for ip in bitwarden_web_src_ip %}
|
||
|
allow {{ ip }};
|
||
|
{% endfor %}
|
||
|
deny all;
|
||
|
}
|