dotfiles/roles/vaultwarden/templates/nginx.conf

# {{ ansible_managed }}

# The `upstream` directives ensure that you have a http/1.1 connection
# This enables the keepalive option and better performance
#
# Define the server IP and ports here.
upstream vaultwarden-default {
  zone vaultwarden-default 64k;
  server 127.0.0.1:{{ vaultwarden_http_port }};
  keepalive 2;
}

# Needed to support websocket connections
# See: https://nginx.org/en/docs/http/websocket.html
# Instead of "close" as stated in the above link we send an empty value.
# Else all keepalive connections will not work.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      "";
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name {{ vaultwarden_subdomain }}.{{ host_fqdn }};

    if ($host = {{ vaultwarden_subdomain }}.{{ host_fqdn }}) {
        return 301 https://$host$request_uri;
    }
    return 404;
}

server {
    # For older versions of nginx appened http2 to the listen line after ssl and remove `http2 on`
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name {{ vaultwarden_subdomain }}.{{ host_fqdn }};

    include ssl.conf;

    client_max_body_size 525M;

    location / {
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://vaultwarden-default;
    }

    # Optionally add extra authentication besides the ADMIN_TOKEN
    # Remove the comments below `#` and create the htpasswd_file to have it active
    #
    #location /admin {
    #  # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
    #  auth_basic "Private";
    #  auth_basic_user_file /path/to/htpasswd_file;
    #
    #  proxy_http_version 1.1;
    #  proxy_set_header Upgrade $http_upgrade;
    #  proxy_set_header Connection $connection_upgrade;
    #
    #  proxy_set_header Host $host;
    #  proxy_set_header X-Real-IP $remote_addr;
    #  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #  proxy_set_header X-Forwarded-Proto $scheme;
    #
    #  proxy_pass http://vaultwarden-default;
    #}
}
fix(vaultwarden): handle reverse proxy Signed-off-by: Matej Focko <me@mfocko.xyz> 2024-11-18 15:47:36 +01:00			`# {{ ansible_managed }}`

			# The `upstream` directives ensure that you have a http/1.1 connection
			`# This enables the keepalive option and better performance`
			`#`
			`# Define the server IP and ports here.`
			`upstream vaultwarden-default {`
			`zone vaultwarden-default 64k;`
			`server 127.0.0.1:{{ vaultwarden_http_port }};`
			`keepalive 2;`
			`}`

			`# Needed to support websocket connections`
			`# See: https://nginx.org/en/docs/http/websocket.html`
			`# Instead of "close" as stated in the above link we send an empty value.`
			`# Else all keepalive connections will not work.`
			`map $http_upgrade $connection_upgrade {`
			`default upgrade;`
			`'' "";`
			`}`

			`# Redirect HTTP to HTTPS`
			`server {`
			`listen 80;`
			`listen [::]:80;`
			`server_name {{ vaultwarden_subdomain }}.{{ host_fqdn }};`

			`if ($host = {{ vaultwarden_subdomain }}.{{ host_fqdn }}) {`
			`return 301 https://$host$request_uri;`
			`}`
			`return 404;`
			`}`

			`server {`
			# For older versions of nginx appened http2 to the listen line after ssl and remove `http2 on`
			`listen 443 ssl;`
			`listen [::]:443 ssl;`
			`http2 on;`
			`server_name {{ vaultwarden_subdomain }}.{{ host_fqdn }};`

			`include ssl.conf;`

			`client_max_body_size 525M;`

			`location / {`
			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection $connection_upgrade;`

			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`

			`proxy_pass http://vaultwarden-default;`
			`}`

			`# Optionally add extra authentication besides the ADMIN_TOKEN`
			# Remove the comments below `#` and create the htpasswd_file to have it active
			`#`
			`#location /admin {`
			`# # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/`
			`# auth_basic "Private";`
			`# auth_basic_user_file /path/to/htpasswd_file;`
			`#`
			`# proxy_http_version 1.1;`
			`# proxy_set_header Upgrade $http_upgrade;`
			`# proxy_set_header Connection $connection_upgrade;`
			`#`
			`# proxy_set_header Host $host;`
			`# proxy_set_header X-Real-IP $remote_addr;`
			`# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`# proxy_set_header X-Forwarded-Proto $scheme;`
			`#`
			`# proxy_pass http://vaultwarden-default;`
			`#}`
			`}`