tradewind/nginx-conf
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update Bitwarden Nginx configuration for modern SSL, simplified proxy setup, and enhanced compatibility; backup old config.

Browse Source
This commit is contained in:
tradewind 2025-05-07 19:42:47 +08:00
parent ae96bf59d6
commit 4837cf71c6
2 changed files with 101 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
sites-available/bitwarden
View File

@ -1,68 +1,50 @@
# The `upstream` directives ensure that you have a http/1.1 connection # generated 2024-06-16, Mozilla Guideline v5.7, nginx 1.18.0, OpenSSL 3.0.2, modern configuration
# This enables the keepalive option and better performance # https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=modern&openssl=3.0.2&guideline=5.7
#
# Define the server IP and ports here.
upstream vaultwarden-default {
zone vaultwarden-default 64k;
server router.tradewind.vip:10060;
keepalive 2;
}
# Needed to support websocket connections
# See: https://nginx.org/en/docs/http/websocket.html
# Instead of "close" as stated in the above link we send an empty value.
# Else all keepalive connections will not work.
map $http_upgrade $connection_upgrade {
default upgrade;
'' "";
}
# Redirect HTTP to HTTPS
server { server {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
server_name bitwarden.tradewind.vip; server_name bitwarden.tradewind.vip;
location / {
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
}
} }
server { server {
# For older versions of nginx appended http2 to the listen line after ssl and remove `http2 on` listen 443 ssl http2;
listen 443 ssl; listen [::]:443 ssl http2;
listen [::]:443 ssl;
# http2 on;
server_name bitwarden.tradewind.vip; server_name bitwarden.tradewind.vip;
# Specify SSL Config when needed # Allow large attachments
client_max_body_size 128M;
location / {
resolver 223.5.5.5;
set $router "router.tradewind.vip";
proxy_set_header Host $host;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://$router:10060;
}
ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem;
ssl_session_timeout 1d; ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off; ssl_session_tickets off;
client_max_body_size 525M; # modern configuration
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
proxy_http_version 1.1; # HSTS (ngx_http_headers_module is required) (63072000 seconds)
proxy_set_header Upgrade $http_upgrade; add_header Strict-Transport-Security "max-age=63072000" always;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host; # replace with the IP address of your resolver
proxy_set_header X-Real-IP $remote_addr; resolver 223.5.5.5;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
location / {
proxy_pass http://vaultwarden-default;
}
# Optionally add extra authentication besides the ADMIN_TOKEN
# Remove the comments below `#` and create the htpasswd_file to have it active
#
#location /admin {
# # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
# auth_basic "Private";
# auth_basic_user_file /path/to/htpasswd_file;
#
# proxy_pass http://vaultwarden-default;
#}
} }

68
sites-available/bitwarden_bak Normal file
View File

@ -0,0 +1,68 @@
# The `upstream` directives ensure that you have a http/1.1 connection
# This enables the keepalive option and better performance
#
# Define the server IP and ports here.
upstream vaultwarden-default {
zone vaultwarden-default 64k;
server router.tradewind.vip:10060;
keepalive 2;
}
# Needed to support websocket connections
# See: https://nginx.org/en/docs/http/websocket.html
# Instead of "close" as stated in the above link we send an empty value.
# Else all keepalive connections will not work.
map $http_upgrade $connection_upgrade {
default upgrade;
'' "";
}
# Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name bitwarden.tradewind.vip;
return 301 https://$host$request_uri;
}
server {
# For older versions of nginx appended http2 to the listen line after ssl and remove `http2 on`
listen 443 ssl;
listen [::]:443 ssl;
# http2 on;
server_name bitwarden.tradewind.vip;
# Specify SSL Config when needed
ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
client_max_body_size 525M;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
location / {
proxy_pass http://vaultwarden-default;
}
# Optionally add extra authentication besides the ADMIN_TOKEN
# Remove the comments below `#` and create the htpasswd_file to have it active
#
#location /admin {
# # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
# auth_basic "Private";
# auth_basic_user_file /path/to/htpasswd_file;
#
# proxy_pass http://vaultwarden-default;
#}
}