Hello !
For security reasons, and since I don’t use webvault much, I tried to limit access to webvault and the administration page to my local network only, but leaving the browser extensions functional from the outside.
Here is my configuration :
server {
listen 192.168.0.2:80;
listen 192.168.0.2:443 ssl http2;
server_name bitwardenrs.my-domain.com;
ssl_certificate /etc/letsencrypt/live/bitwardenrs.my-domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/bitwardenrs.my-domain.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/bitwardenrs.my-domain.com/chain.pem;
if ($scheme = http) { return 301 https://bitwardenrs.my-domain.com$request_uri; }
# LOCAL
location / {
allow 192.168.0.0/24;
deny all;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:8080;
}
location /admin {
allow 192.168.0.0/24;
deny all;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:8080;
}
# NETWORK
location /notifications/hub {
proxy_pass http://127.0.0.1:8081;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /notifications/hub/negotiate {
proxy_pass http://127.0.0.1:8080;
}
location /api {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:8080;
}
location /identity {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:8080;
}
location /icons {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:8080;
}
location /sends { # / ! \ I will have to look for the right endpoint / ! \
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:8080;
}
}
[Q] Is this configuration correct ?