# The `upstream` directives ensure that you have a http/1.1 connection # This enables the keepalive option and better performance # # Define the server IP and ports here. upstream vaultwarden-default { zone vaultwarden-default 64k; server router.tradewind.vip:10060; keepalive 2; } # Needed to support websocket connections # See: https://nginx.org/en/docs/http/websocket.html # Instead of "close" as stated in the above link we send an empty value. # Else all keepalive connections will not work. map $http_upgrade $connection_upgrade { default upgrade; '' ""; } # Redirect HTTP to HTTPS server { listen 80; listen [::]:80; server_name bitwarden.tradewind.vip; return 301 https://$host$request_uri; } server { # For older versions of nginx appended http2 to the listen line after ssl and remove `http2 on` listen 443 ssl; listen [::]:443 ssl; # http2 on; server_name bitwarden.tradewind.vip; # Specify SSL Config when needed ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_tickets off; client_max_body_size 525M; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; location / { proxy_pass http://vaultwarden-default; } # Optionally add extra authentication besides the ADMIN_TOKEN # Remove the comments below `#` and create the htpasswd_file to have it active # #location /admin { # # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/ # auth_basic "Private"; # auth_basic_user_file /path/to/htpasswd_file; # # proxy_pass http://vaultwarden-default; #} }