{$DOMAIN}:443 { log { level INFO output file {$LOG_FILE} { roll_size 10MB roll_keep 10 } } # Use the ACME HTTP-01 challenge to get a cert for the configured domain. tls {$EMAIL} # This setting may have compatibility issues with some browsers # (e.g., attachment downloading on Firefox). Try disabling this # if you encounter issues. encode gzip # Uncomment if you want to block access to /admin #@blocked { # path /admin /admin/* #} #respond @blocked 403 # Notifications redirected to the WebSocket server reverse_proxy /notifications/hub vaultwarden:3012 # Proxy everything else to Rocket reverse_proxy vaultwarden:8080 { # Send the true remote IP to Rocket, so that vaultwarden can put this in the # log, so that fail2ban can ban the correct IP. header_up X-Real-IP {remote_host} header_down Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" header_down +Permissions-Policy "hid=(), idle-detection=(), interest-cohort=(), serial=()" header_down +Content-Security-Policy "upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'" header_down X-XSS-Protection "0" header_down Cross-Origin-Opener-Policy same-origin header_down Cross-Origin-Resource-Policy : same-origin } }