mirror of
https://github.com/tommytran732/Vaultwarden-Docker-Compose
synced 2024-12-22 11:21:33 -05:00
/admin configurations
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
parent
3cef449bea
commit
4b66b6e7b6
22
Caddyfile
22
Caddyfile
@ -15,18 +15,24 @@
|
||||
# if you encounter issues.
|
||||
encode gzip
|
||||
|
||||
# Uncomment if you want to block access to /admin
|
||||
#@blocked {
|
||||
# path /admin /admin/*
|
||||
#}
|
||||
#respond @blocked 403
|
||||
|
||||
# Notifications redirected to the WebSocket server
|
||||
reverse_proxy /notifications/hub vaultwarden:3012
|
||||
|
||||
# Proxy everything else to Rocket
|
||||
reverse_proxy vaultwarden:80 {
|
||||
# Send the true remote IP to Rocket, so that vaultwarden can put this in the
|
||||
# log, so that fail2ban can ban the correct IP.
|
||||
header_up X-Real-IP {remote_host}
|
||||
header_down Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
|
||||
header_down Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()"
|
||||
header_down Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com/ https://www.gravatar.com; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; connect-src 'self' https://api.pwnedpasswords.com/range/ https://2fa.directory/api/ https://app.simplelogin.io/api/https://app.anonaddy.com/api/ https://api.fastmail.com/; object-src 'self' blob:; frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://*; block-all-mixed-content; base-uri 'none'"
|
||||
header_down X-XSS-Protection "0"
|
||||
header_down Expect-CT: "enforce, max-age=63072000"
|
||||
# Send the true remote IP to Rocket, so that vaultwarden can put this in the
|
||||
# log, so that fail2ban can ban the correct IP.
|
||||
header_up X-Real-IP {remote_host}
|
||||
header_down Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
|
||||
header_down Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()"
|
||||
header_down Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com/ https://www.gravatar.com; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; connect-src 'self' https://api.pwnedpasswords.com/range/ https://2fa.directory/api/ https://app.simplelogin.io/api/https://app.anonaddy.com/api/ https://api.fastmail.com/; object-src 'self' blob:; frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://*; block-all-mixed-content; base-uri 'none'"
|
||||
header_down X-XSS-Protection "0"
|
||||
header_down Expect-CT: "enforce, max-age=63072000"
|
||||
}
|
||||
}
|
@ -2,4 +2,5 @@
|
||||
Vaultwarden Docker-Compose
|
||||
|
||||
1. Update `docker-compose.yml`
|
||||
2. Run `docker-compose up` and make sure nothing errors out. You can use `docker-compose up -d` to start it in the background if you want.
|
||||
2. Run `docker-compose up` and make sure nothing errors out. You can use `docker-compose up -d` to start it in the background if you want.
|
||||
3. Uncomment the approprieate lines in `Caddyfile` to block access to `/admin` after you finish configuring your server.
|
@ -13,6 +13,7 @@ services:
|
||||
- vaultwarden:/data
|
||||
networks:
|
||||
- vaultwarden
|
||||
read_only: true
|
||||
security_opt:
|
||||
- no-new-privileges:true
|
||||
cap_drop:
|
||||
@ -35,6 +36,7 @@ services:
|
||||
- LOG_FILE=/data/access.log
|
||||
networks:
|
||||
- vaultwarden
|
||||
read_only: true
|
||||
security_opt:
|
||||
- no-new-privileges:true
|
||||
cap_drop:
|
||||
|
Loading…
Reference in New Issue
Block a user