From 4b66b6e7b63631d6b39ba26a6b063d10e01a0466 Mon Sep 17 00:00:00 2001 From: Tommy Date: Thu, 15 Sep 2022 23:58:51 -0400 Subject: [PATCH] /admin configurations Signed-off-by: Tommy --- Caddyfile | 22 ++++++++++++++-------- README.md | 3 ++- docker-compose.yml | 2 ++ 3 files changed, 18 insertions(+), 9 deletions(-) diff --git a/Caddyfile b/Caddyfile index 66bda8e..3b2a2aa 100644 --- a/Caddyfile +++ b/Caddyfile @@ -15,18 +15,24 @@ # if you encounter issues. encode gzip + # Uncomment if you want to block access to /admin + #@blocked { + # path /admin /admin/* + #} + #respond @blocked 403 + # Notifications redirected to the WebSocket server reverse_proxy /notifications/hub vaultwarden:3012 # Proxy everything else to Rocket reverse_proxy vaultwarden:80 { - # Send the true remote IP to Rocket, so that vaultwarden can put this in the - # log, so that fail2ban can ban the correct IP. - header_up X-Real-IP {remote_host} - header_down Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" - header_down Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()" - header_down Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com/ https://www.gravatar.com; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; connect-src 'self' https://api.pwnedpasswords.com/range/ https://2fa.directory/api/ https://app.simplelogin.io/api/https://app.anonaddy.com/api/ https://api.fastmail.com/; object-src 'self' blob:; frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://*; block-all-mixed-content; base-uri 'none'" - header_down X-XSS-Protection "0" - header_down Expect-CT: "enforce, max-age=63072000" + # Send the true remote IP to Rocket, so that vaultwarden can put this in the + # log, so that fail2ban can ban the correct IP. + header_up X-Real-IP {remote_host} + header_down Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" + header_down Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()" + header_down Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com/ https://www.gravatar.com; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; connect-src 'self' https://api.pwnedpasswords.com/range/ https://2fa.directory/api/ https://app.simplelogin.io/api/https://app.anonaddy.com/api/ https://api.fastmail.com/; object-src 'self' blob:; frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://*; block-all-mixed-content; base-uri 'none'" + header_down X-XSS-Protection "0" + header_down Expect-CT: "enforce, max-age=63072000" } } \ No newline at end of file diff --git a/README.md b/README.md index c4f076e..bbdb253 100644 --- a/README.md +++ b/README.md @@ -2,4 +2,5 @@ Vaultwarden Docker-Compose 1. Update `docker-compose.yml` -2. Run `docker-compose up` and make sure nothing errors out. You can use `docker-compose up -d` to start it in the background if you want. \ No newline at end of file +2. Run `docker-compose up` and make sure nothing errors out. You can use `docker-compose up -d` to start it in the background if you want. +3. Uncomment the approprieate lines in `Caddyfile` to block access to `/admin` after you finish configuring your server. \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index 853ad98..9f798b7 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -13,6 +13,7 @@ services: - vaultwarden:/data networks: - vaultwarden + read_only: true security_opt: - no-new-privileges:true cap_drop: @@ -35,6 +36,7 @@ services: - LOG_FILE=/data/access.log networks: - vaultwarden + read_only: true security_opt: - no-new-privileges:true cap_drop: