fix(vaultwarden): handle reverse proxy

Signed-off-by: Matej Focko <me@mfocko.xyz>
This commit is contained in:
Matej Focko 2024-11-18 15:47:36 +01:00
parent 4fa3f26d43
commit 69db34f4ff
Signed by: mfocko
SSH key fingerprint: SHA256:icm0fIOSJUpy5+1x23sfr+hLtF9UhY8VpMC7H4WFJP8
4 changed files with 98 additions and 1 deletions

View file

@ -0,0 +1,10 @@
---
# Defines whether Vaultwarden is deployed behind a reverse proxy
# if so, installs the nginx config file
vaultwarden_reverse_proxy: true
# Subdomain to be used for the reverse proxy configuration
vaultwarden_subdomain: vault
# HTTP port that's both exposed by container and used by the reverse proxy
vaultwarden_http_port: 8888

View file

@ -19,6 +19,16 @@
owner: root owner: root
group: root group: root
- name: Install the reverse proxy config
ansible.builtin.template:
src: templates/nginx.conf
dest: "/etc/nginx/conf.d/vaultwarden.conf"
mode: 0644
owner: root
group: root
when: vaultwarden_reverse_proxy
notify: Restart nginx
- name: Enable the Vaultwarden quadlet - name: Enable the Vaultwarden quadlet
ansible.builtin.systemd_service: ansible.builtin.systemd_service:
daemon_reload: true daemon_reload: true

View file

@ -0,0 +1,77 @@
# {{ ansible_managed }}
# The `upstream` directives ensure that you have a http/1.1 connection
# This enables the keepalive option and better performance
#
# Define the server IP and ports here.
upstream vaultwarden-default {
zone vaultwarden-default 64k;
server 127.0.0.1:{{ vaultwarden_http_port }};
keepalive 2;
}
# Needed to support websocket connections
# See: https://nginx.org/en/docs/http/websocket.html
# Instead of "close" as stated in the above link we send an empty value.
# Else all keepalive connections will not work.
map $http_upgrade $connection_upgrade {
default upgrade;
'' "";
}
# Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name {{ vaultwarden_subdomain }}.{{ host_fqdn }};
if ($host = {{ vaultwarden_subdomain }}.{{ host_fqdn }}) {
return 301 https://$host$request_uri;
}
return 404;
}
server {
# For older versions of nginx appened http2 to the listen line after ssl and remove `http2 on`
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name {{ vaultwarden_subdomain }}.{{ host_fqdn }};
include ssl.conf;
client_max_body_size 525M;
location / {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://vaultwarden-default;
}
# Optionally add extra authentication besides the ADMIN_TOKEN
# Remove the comments below `#` and create the htpasswd_file to have it active
#
#location /admin {
# # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
# auth_basic "Private";
# auth_basic_user_file /path/to/htpasswd_file;
#
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection $connection_upgrade;
#
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
#
# proxy_pass http://vaultwarden-default;
#}
}

View file

@ -10,7 +10,7 @@ Image=ghcr.io/dani-garcia/vaultwarden:latest
EnvironmentFile=/etc/vaultwarden.ini EnvironmentFile=/etc/vaultwarden.ini
Network=vaultwarden.network Network=vaultwarden.network
PublishPort=8888:80 PublishPort={{ vaultwarden_http_port }}:80
PublishPort=3012:3012 PublishPort=3012:3012
Volume=vaultwarden-data:/data Volume=vaultwarden-data:/data