2022-09-11 15:44:04 -04:00
|
|
|
{$DOMAIN}:443 {
|
|
|
|
log {
|
|
|
|
level INFO
|
|
|
|
output file {$LOG_FILE} {
|
|
|
|
roll_size 10MB
|
|
|
|
roll_keep 10
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
# Use the ACME HTTP-01 challenge to get a cert for the configured domain.
|
|
|
|
tls {$EMAIL}
|
|
|
|
|
|
|
|
# This setting may have compatibility issues with some browsers
|
|
|
|
# (e.g., attachment downloading on Firefox). Try disabling this
|
|
|
|
# if you encounter issues.
|
|
|
|
encode gzip
|
|
|
|
|
2022-09-15 23:58:51 -04:00
|
|
|
# Uncomment if you want to block access to /admin
|
|
|
|
#@blocked {
|
|
|
|
# path /admin /admin/*
|
|
|
|
#}
|
|
|
|
#respond @blocked 403
|
|
|
|
|
2022-09-11 15:44:04 -04:00
|
|
|
# Notifications redirected to the WebSocket server
|
|
|
|
reverse_proxy /notifications/hub vaultwarden:3012
|
|
|
|
|
|
|
|
# Proxy everything else to Rocket
|
2023-04-12 06:29:14 -04:00
|
|
|
reverse_proxy vaultwarden:8080 {
|
2022-09-15 23:58:51 -04:00
|
|
|
# Send the true remote IP to Rocket, so that vaultwarden can put this in the
|
|
|
|
# log, so that fail2ban can ban the correct IP.
|
|
|
|
header_up X-Real-IP {remote_host}
|
|
|
|
header_down Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
|
2023-11-07 03:31:19 -05:00
|
|
|
header_down +Permissions-Policy "browsing-topics=(), hid=(), idle-detection=(), interest-cohort=(), serial=()"
|
2023-08-29 08:14:17 -04:00
|
|
|
header_down +Content-Security-Policy "upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'"
|
2022-09-15 23:58:51 -04:00
|
|
|
header_down X-XSS-Protection "0"
|
2022-11-23 01:57:56 -05:00
|
|
|
header_down Cross-Origin-Opener-Policy same-origin
|
|
|
|
header_down Cross-Origin-Resource-Policy : same-origin
|
2022-09-11 15:44:04 -04:00
|
|
|
}
|
2022-11-23 01:57:56 -05:00
|
|
|
}
|