From 4837cf71c6cf662f2e6b21e136aceea7e0f6e365 Mon Sep 17 00:00:00 2001
From: tradewind
Date: Wed, 7 May 2025 19:42:47 +0800
Subject: [PATCH] Update Bitwarden Nginx configuration for modern SSL, simplified proxy setup, and enhanced compatibility; backup old config.

---
 sites-available/bitwarden | 84 ++++++++++++++---------------
 sites-available/bitwarden_bak | 68 ++++++++++++++++++++++++++++
 2 files changed, 101 insertions(+), 51 deletions(-)
 create mode 100644 sites-available/bitwarden_bak
diff --git a/sites-available/bitwarden b/sites-available/bitwarden
index 989fe05..b4cb28a 100644
--- a/sites-available/bitwarden
+++ b/sites-available/bitwarden
@@ -1,68 +1,50 @@
-# The `upstream` directives ensure that you have a http/1.1 connection
-# This enables the keepalive option and better performance
-#
-# Define the server IP and ports here.
-upstream vaultwarden-default {
- zone vaultwarden-default 64k;
- server router.tradewind.vip:10060;
- keepalive 2;
-}
-
-# Needed to support websocket connections
-# See: https://nginx.org/en/docs/http/websocket.html
-# Instead of "close" as stated in the above link we send an empty value.
-# Else all keepalive connections will not work.
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' "";
-}
-
-# Redirect HTTP to HTTPS
+# generated 2024-06-16, Mozilla Guideline v5.7, nginx 1.18.0, OpenSSL 3.0.2, modern configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=modern&openssl=3.0.2&guideline=5.7
 server {
 listen 80;
 listen [::]:80;
- server_name bitwarden.tradewind.vip;
+ server_name bitwarden.tradewind.vip;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
 }
 server {
- # For older versions of nginx appended http2 to the listen line after ssl and remove `http2 on`
- listen 443 ssl;
- listen [::]:443 ssl;
-# http2 on;
- server_name bitwarden.tradewind.vip;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name bitwarden.tradewind.vip;
+
+ # Allow large attachments
+ client_max_body_size 128M;
+
+ location / {
+ resolver 223.5.5.5;
+ set $router "router.tradewind.vip";
+ proxy_set_header Host $host;
+ proxy_redirect off;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://$router:10060;
+ }
+
- # Specify SSL Config when needed
 ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem;
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
 ssl_session_tickets off;
- client_max_body_size 525M;
+ # modern configuration
+ ssl_protocols TLSv1.3;
+ ssl_prefer_server_ciphers off;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
+ # replace with the IP address of your resolver
+ resolver 223.5.5.5;
+}
- location / {
- proxy_pass http://vaultwarden-default;
- }
-
- # Optionally add extra authentication besides the ADMIN_TOKEN
- # Remove the comments below `#` and create the htpasswd_file to have it active
- #
- #location /admin {
- # # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
- # auth_basic "Private";
- # auth_basic_user_file /path/to/htpasswd_file;
- #
- # proxy_pass http://vaultwarden-default;
- #}
-}
\ No newline at end of file
diff --git a/sites-available/bitwarden_bak b/sites-available/bitwarden_bak
new file mode 100644
index 0000000..989fe05
--- /dev/null
+++ b/sites-available/bitwarden_bak
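Review bot: The new `location /` in the 443 server proxies with nginx's default `proxy_http_version` of 1.0 and sends no `Upgrade`/`Connection` headers — `proxy_http_version 1.1;`, the two `proxy_set_header` lines and the `map $http_upgrade $connection_upgrade` block are all on the removed side, and the removed comment above that map states they are needed for WebSocket connections, so the client's live-notification channel presumably stops working behind this config (confirm against a client). `proxy_set_header X-Forwarded-Proto $scheme;` is dropped as well, leaving the backend unable to tell that the original request arrived over TLS. The restored lines below go inside `location /`; the `map` has to sit at http scope, i.e. outside `server {}`, and this file alone does not show where it would be included. Separately, `resolver 223.5.5.5;` now appears both inside `location /` and at server scope (the server-level copy is shadowed and can be removed), and resolving the backend name per request through an external public resolver over unauthenticated DNS, with a cleartext `http://` hop behind it, moves the choice of upstream address off the host — the host's own resolver, or the fixed `upstream` address the commit removed, keeps that decision local.
```nginx
    location / {
        # … unchanged: resolver, set $router …
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Forwarded-Proto $scheme;
        # … unchanged: Host, X-Real-IP, X-Forwarded-For, proxy_redirect, proxy_pass …
    }

# http scope (outside server {}), as in the previous revision:
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' "";
}
```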
@@ -0,0 +1,68 @@
+# The `upstream` directives ensure that you have a http/1.1 connection
+# This enables the keepalive option and better performance
+#
+# Define the server IP and ports here.
+upstream vaultwarden-default {
+ zone vaultwarden-default 64k;
+ server router.tradewind.vip:10060;
+ keepalive 2;
+}
+
+# Needed to support websocket connections
+# See: https://nginx.org/en/docs/http/websocket.html
+# Instead of "close" as stated in the above link we send an empty value.
+# Else all keepalive connections will not work.
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' "";
+}
+
+# Redirect HTTP to HTTPS
+server {
+ listen 80;
+ listen [::]:80;
+ server_name bitwarden.tradewind.vip;
+
+ return 301 https://$host$request_uri;
+}
+
+server {
+ # For older versions of nginx appended http2 to the listen line after ssl and remove `http2 on`
+ listen 443 ssl;
+ listen [::]:443 ssl;
+# http2 on;
+ server_name bitwarden.tradewind.vip;
+
+ # Specify SSL Config when needed
+ ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ client_max_body_size 525M;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ location / {
+ proxy_pass http://vaultwarden-default;
+ }
+
+ # Optionally add extra authentication besides the ADMIN_TOKEN
+ # Remove the comments below `#` and create the htpasswd_file to have it active
+ #
+ #location /admin {
+ # # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
+ # auth_basic "Private";
+ # auth_basic_user_file /path/to/htpasswd_file;
+ #
+ # proxy_pass http://vaultwarden-default;
+ #}
+}
\ No newline at end of file