From 4b66b6e7b63631d6b39ba26a6b063d10e01a0466 Mon Sep 17 00:00:00 2001
From: Tommy <contact@tommytran.io>
Date: Thu, 15 Sep 2022 23:58:51 -0400
Subject: [PATCH] /admin configurations

Signed-off-by: Tommy <contact@tommytran.io>
---
 Caddyfile          | 22 ++++++++++++++--------
 README.md          |  3 ++-
 docker-compose.yml |  2 ++
 3 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/Caddyfile b/Caddyfile
index 66bda8e..3b2a2aa 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -15,18 +15,24 @@
   # if you encounter issues.
   encode gzip
 
+  # Uncomment if you want to block access to /admin
+  #@blocked {
+  #  path /admin /admin/*
+  #}
+  #respond @blocked 403
+
   # Notifications redirected to the WebSocket server
   reverse_proxy /notifications/hub vaultwarden:3012
 
   # Proxy everything else to Rocket
   reverse_proxy vaultwarden:80 {
-       # Send the true remote IP to Rocket, so that vaultwarden can put this in the
-       # log, so that fail2ban can ban the correct IP.
-       header_up X-Real-IP {remote_host}
-       header_down Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
-       header_down Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()"
-       header_down Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com/ https://www.gravatar.com; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; connect-src 'self' https://api.pwnedpasswords.com/range/ https://2fa.directory/api/ https://app.simplelogin.io/api/https://app.anonaddy.com/api/ https://api.fastmail.com/; object-src 'self' blob:; frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://*; block-all-mixed-content; base-uri 'none'"
-       header_down X-XSS-Protection "0"
-       header_down Expect-CT: "enforce, max-age=63072000"
+      # Send the true remote IP to Rocket, so that vaultwarden can put this in the
+      # log, so that fail2ban can ban the correct IP.
+      header_up X-Real-IP {remote_host}
+      header_down Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
+      header_down Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()"
+      header_down Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com/ https://www.gravatar.com; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; connect-src 'self' https://api.pwnedpasswords.com/range/ https://2fa.directory/api/ https://app.simplelogin.io/api/https://app.anonaddy.com/api/ https://api.fastmail.com/; object-src 'self' blob:; frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://*; block-all-mixed-content; base-uri 'none'"
+      header_down X-XSS-Protection "0"
+      header_down Expect-CT: "enforce, max-age=63072000"
   }
 }
\ No newline at end of file
diff --git a/README.md b/README.md
index c4f076e..bbdb253 100644
--- a/README.md
+++ b/README.md
@@ -2,4 +2,5 @@
 Vaultwarden Docker-Compose
 
 1. Update `docker-compose.yml`
-2. Run `docker-compose up` and make sure nothing errors out. You can use `docker-compose up -d` to start it in the background if you want.
\ No newline at end of file
+2. Run `docker-compose up` and make sure nothing errors out. You can use `docker-compose up -d` to start it in the background if you want.
+3. Uncomment the approprieate lines in `Caddyfile` to block access to `/admin` after you finish configuring your server.
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index 853ad98..9f798b7 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -13,6 +13,7 @@ services:
       - vaultwarden:/data
     networks:
       - vaultwarden
+    read_only: true
     security_opt:
       - no-new-privileges:true
     cap_drop:
@@ -35,6 +36,7 @@ services:
       - LOG_FILE=/data/access.log
     networks:
       - vaultwarden
+    read_only: true
     security_opt:
       - no-new-privileges:true
     cap_drop: