1
0
mirror of https://github.com/bitwarden/server.git synced 2024-11-26 12:55:17 +01:00
bitwarden-server/util/Setup/Templates/NginxConfig.hbs

184 lines
4.5 KiB
Handlebars
Raw Permalink Normal View History

2018-09-17 21:00:29 +02:00
#######################################################################
# WARNING: This file is generated. Do not make changes to this file. #
# They will be overwritten on update. You can manage various settings #
# used in this file from the ./bwdata/config.yml file for your #
# installation. #
#######################################################################
2018-08-30 17:35:44 +02:00
server {
listen 8080 default_server;
listen [::]:8080 default_server;
server_name {{{Domain}}};
{{#if Ssl}}
return 301 {{{Url}}}$request_uri;
}
server {
listen 8443 ssl http2;
listen [::]:8443 ssl http2;
server_name {{{Domain}}};
ssl_certificate {{{CertificatePath}}};
ssl_certificate_key {{{KeyPath}}};
ssl_session_timeout 30m;
ssl_session_cache shared:SSL:20m;
ssl_session_tickets off;
{{#if DiffieHellmanPath}}
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam {{{DiffieHellmanPath}}};
{{/if}}
ssl_protocols {{{SslProtocols}}};
2018-08-30 17:35:44 +02:00
ssl_ciphers "{{{SslCiphers}}}";
# Enables server-side protection from BEAST attacks
ssl_prefer_server_ciphers on;
{{#if CaPath}}
# OCSP Stapling ---
# Fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
# Verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate {{{CaPath}}};
2019-08-05 13:36:31 +02:00
resolver 1.1.1.1 1.0.0.1 9.9.9.9 149.112.112.112 valid=300s;
2018-08-30 17:35:44 +02:00
{{/if}}
2018-08-31 18:55:54 +02:00
include /etc/nginx/security-headers-ssl.conf;
2018-08-30 17:35:44 +02:00
{{/if}}
2018-08-31 23:02:49 +02:00
include /etc/nginx/security-headers.conf;
2019-04-26 18:26:54 +02:00
{{#if RealIps}}
{{#each RealIps}}
2019-05-16 04:11:22 +02:00
set_real_ip_from {{{this}}};
2019-04-26 18:26:54 +02:00
{{/each}}
2019-04-28 05:13:14 +02:00
real_ip_header X-Forwarded-For;
real_ip_recursive on;
2019-04-26 18:26:54 +02:00
{{/if}}
2018-08-30 17:35:44 +02:00
location / {
proxy_pass http://web:5000/;
2018-08-31 18:55:54 +02:00
{{#if Ssl}}
include /etc/nginx/security-headers-ssl.conf;
{{/if}}
2018-08-31 23:02:49 +02:00
include /etc/nginx/security-headers.conf;
2018-08-30 17:35:44 +02:00
add_header Content-Security-Policy "{{{ContentSecurityPolicy}}}";
2018-09-01 04:37:49 +02:00
add_header X-Frame-Options SAMEORIGIN;
2019-01-17 22:45:53 +01:00
add_header X-Robots-Tag "noindex, nofollow";
2018-08-30 17:35:44 +02:00
}
2019-07-26 18:43:06 +02:00
location /alive {
return 200 'alive';
add_header Content-Type text/plain;
}
2018-08-30 17:35:44 +02:00
location = /app-id.json {
proxy_pass http://web:5000/app-id.json;
2018-08-31 18:55:54 +02:00
{{#if Ssl}}
include /etc/nginx/security-headers-ssl.conf;
{{/if}}
2018-08-31 23:02:49 +02:00
include /etc/nginx/security-headers.conf;
2018-08-30 17:35:44 +02:00
proxy_hide_header Content-Type;
add_header Content-Type $fido_content_type;
}
2018-08-31 18:16:36 +02:00
location = /duo-connector.html {
proxy_pass http://web:5000/duo-connector.html;
}
2021-03-22 23:21:43 +01:00
location = /webauthn-connector.html {
proxy_pass http://web:5000/webauthn-connector.html;
}
location = /webauthn-fallback-connector.html {
proxy_pass http://web:5000/webauthn-fallback-connector.html;
}
2020-09-01 18:44:45 +02:00
location = /sso-connector.html {
proxy_pass http://web:5000/sso-connector.html;
}
{{#if Captcha}}
location = /captcha-connector.html {
proxy_pass http://web:5000/captcha-connector.html;
}
[EC-261] SCIM (#2105) * scim project stub * some scim models and v2 controllers * implement some v2 scim endpoints * fix spacing * api key auth * EC-261 - SCIM Org API Key and connection type config * EC-261 - Fix lint errors/formatting * updates for okta implementation testing * fix var ref * updates from testing with Okta * implement scim context via provider parsing * support single and list of ids for add/remove groups * log ops not handled * touch up scim context * group list filtering * EC-261 - Additional SCIM provider types * EC-265 - UseScim flag and license update * EC-265 - SCIM provider type of default (0) * EC-265 - Add Scim URL and update connection validation * EC-265 - Model validation and cleanup for SCIM keys * implement scim org connection * EC-265 - Ensure ServiceUrl is not persisted to DB * EC-265 - Exclude provider type from DB if not configured * EC-261 - EF Migrations for SCIM * add docker builds for scim * EC-261 - Fix failing permissions tests * EC-261 - Fix unit tests and pgsql migrations * Formatting fixes from linter * EC-265 - Remove service URL from scim config * EC-265 - Fix unit tests, removed wayward validation * EC-265 - Require self-hosted for billing sync org conn * EC-265 - Fix formatting issues - whitespace * EC-261 - PR feedback and cleanup * scim constants rename * no scim settings right now * update project name * delete package lock * update appsettings configs for scim * use default scim provider for context Co-authored-by: Kyle Spearrin <kyle.spearrin@gmail.com>
2022-07-14 21:58:48 +02:00
location = /captcha-mobile-connector.html {
proxy_pass http://web:5000/captcha-mobile-connector.html;
}
{{/if}}
2018-08-30 17:35:44 +02:00
location /attachments/ {
proxy_pass http://attachments:5000/;
}
location /api/ {
proxy_pass http://api:5000/;
}
location /icons/ {
proxy_pass http://icons:5000/;
}
location /notifications/ {
proxy_pass http://notifications:5000/;
}
location /notifications/hub {
proxy_pass http://notifications:5000/hub;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
}
location /notifications/anonymous-hub {
proxy_pass http://notifications:5000/anonymous-hub;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
}
location /events/ {
proxy_pass http://events:5000/;
}
2020-08-28 19:44:50 +02:00
location /sso {
proxy_pass http://sso:5000;
{{#if Ssl}}
include /etc/nginx/security-headers-ssl.conf;
{{/if}}
include /etc/nginx/security-headers.conf;
add_header X-Frame-Options SAMEORIGIN;
}
2020-08-28 19:44:01 +02:00
location /identity {
proxy_pass http://identity:5000;
{{#if Ssl}}
include /etc/nginx/security-headers-ssl.conf;
{{/if}}
include /etc/nginx/security-headers.conf;
add_header X-Frame-Options SAMEORIGIN;
}
2018-08-30 17:35:44 +02:00
location /admin {
proxy_pass http://admin:5000;
2018-09-01 04:37:49 +02:00
{{#if Ssl}}
include /etc/nginx/security-headers-ssl.conf;
{{/if}}
include /etc/nginx/security-headers.conf;
add_header X-Frame-Options SAMEORIGIN;
2018-08-30 17:35:44 +02:00
}
{{#if EnableKeyConnector}}
location /key-connector/ {
proxy_pass http://key-connector:5000/;
}
{{/if}}
[EC-261] SCIM (#2105) * scim project stub * some scim models and v2 controllers * implement some v2 scim endpoints * fix spacing * api key auth * EC-261 - SCIM Org API Key and connection type config * EC-261 - Fix lint errors/formatting * updates for okta implementation testing * fix var ref * updates from testing with Okta * implement scim context via provider parsing * support single and list of ids for add/remove groups * log ops not handled * touch up scim context * group list filtering * EC-261 - Additional SCIM provider types * EC-265 - UseScim flag and license update * EC-265 - SCIM provider type of default (0) * EC-265 - Add Scim URL and update connection validation * EC-265 - Model validation and cleanup for SCIM keys * implement scim org connection * EC-265 - Ensure ServiceUrl is not persisted to DB * EC-265 - Exclude provider type from DB if not configured * EC-261 - EF Migrations for SCIM * add docker builds for scim * EC-261 - Fix failing permissions tests * EC-261 - Fix unit tests and pgsql migrations * Formatting fixes from linter * EC-265 - Remove service URL from scim config * EC-265 - Fix unit tests, removed wayward validation * EC-265 - Require self-hosted for billing sync org conn * EC-265 - Fix formatting issues - whitespace * EC-261 - PR feedback and cleanup * scim constants rename * no scim settings right now * update project name * delete package lock * update appsettings configs for scim * use default scim provider for context Co-authored-by: Kyle Spearrin <kyle.spearrin@gmail.com>
2022-07-14 21:58:48 +02:00
{{#if EnableScim}}
location /scim/ {
proxy_pass http://scim:5000/;
}
{{/if}}
2018-08-30 17:35:44 +02:00
}