[NGINX] Limit access to the webvault to the local network, but allow browser extensions from the outside

Mihoko-Okayami · March 30, 2021, 3:46am

Hello !

For security reasons, and since I don’t use webvault much, I tried to limit access to webvault and the administration page to my local network only, but leaving the browser extensions functional from the outside.

Here is my configuration :

server {
    listen 192.168.0.2:80;
    listen 192.168.0.2:443 ssl http2;
    server_name bitwardenrs.my-domain.com;
    ssl_certificate /etc/letsencrypt/live/bitwardenrs.my-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bitwardenrs.my-domain.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/bitwardenrs.my-domain.com/chain.pem;
    if ($scheme = http) { return 301 https://bitwardenrs.my-domain.com$request_uri; }

    # LOCAL

    location / {
        allow 192.168.0.0/24;
        deny all;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:8080;
    }
    location /admin {
        allow 192.168.0.0/24;
        deny all;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:8080;
    }

    # NETWORK

    location /notifications/hub {
        proxy_pass http://127.0.0.1:8081;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location /notifications/hub/negotiate {
        proxy_pass http://127.0.0.1:8080;
    }
    location /api {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:8080;
    }
    location /identity {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:8080;
    }
    location /icons {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:8080;
    }
    location /sends { # / ! \ I will have to look for the right endpoint / ! \
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:8080;
    }
}

[Q] Is this configuration correct ?

Topic		Replies	Views
Is it possible to allow http for the webvault for a specific network like my LAN? Help	6	1401	January 18, 2023
[SOLVED] Redirect all requests to the vault subdomain Third Party Help	2	1055	September 7, 2020
Preparing for upcoming Help	2	246	November 24, 2023
HAProxy Configuration Assistance Third Party Help	10	3194	February 11, 2023
Installation on Synology nas Third Party Help	0	564	November 16, 2022

[NGINX] Limit access to the webvault to the local network, but allow browser extensions from the outside

Related Topics