bitwarden-server/util/Setup/Templates/NginxConfig.hbs

#######################################################################
# WARNING: This file is generated. Do not make changes to this file.  #
# They will be overwritten on update. You can manage various settings #
# used in this file from the ./bwdata/config.yml file for your        #
# installation.                                                       #
#######################################################################

server {
  listen 8080 default_server;
  listen [::]:8080 default_server;
  server_name {{{Domain}}};
{{#if Ssl}}

  return 301 {{{Url}}}$request_uri;
}

server {
  listen 8443 ssl http2;
  listen [::]:8443 ssl http2;
  server_name {{{Domain}}};

  ssl_certificate {{{CertificatePath}}};
  ssl_certificate_key {{{KeyPath}}};
  ssl_session_timeout 30m;
  ssl_session_cache shared:SSL:20m;
  ssl_session_tickets off;
{{#if DiffieHellmanPath}}

  # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
  ssl_dhparam {{{DiffieHellmanPath}}};
{{/if}}

  ssl_protocols {{{SslProtocols}}};
  ssl_ciphers "{{{SslCiphers}}}";
  # Enables server-side protection from BEAST attacks
  ssl_prefer_server_ciphers on;
{{#if CaPath}}

  # OCSP Stapling ---
  # Fetch OCSP records from URL in ssl_certificate and cache them
  ssl_stapling on;
  ssl_stapling_verify on;

  # Verify chain of trust of OCSP response using Root CA and Intermediate certs
  ssl_trusted_certificate {{{CaPath}}};
  resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s;
{{/if}}

  include /etc/nginx/security-headers-ssl.conf;
{{/if}}
  include /etc/nginx/security-headers.conf;
{{#if RealIps}}

{{#each RealIps}}
  set_real_ip_from {{{Value}}};
{{/each}}
{{/if}}

  location / {
    proxy_pass http://web:5000/;
{{#if Ssl}}
    include /etc/nginx/security-headers-ssl.conf;
{{/if}}
    include /etc/nginx/security-headers.conf;
    add_header Content-Security-Policy "{{{ContentSecurityPolicy}}}";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Robots-Tag "noindex, nofollow";
  }

  location = /app-id.json {
    proxy_pass http://web:5000/app-id.json;
{{#if Ssl}}
    include /etc/nginx/security-headers-ssl.conf;
{{/if}}
    include /etc/nginx/security-headers.conf;
    proxy_hide_header Content-Type;
    add_header Content-Type $fido_content_type;
  }

  location = /duo-connector.html {
    proxy_pass http://web:5000/duo-connector.html;
  }

  location = /u2f-connector.html {
    proxy_pass http://web:5000/u2f-connector.html;
  }

  location /attachments/ {
    proxy_pass http://attachments:5000/;
  }

  location /api/ {
    proxy_pass http://api:5000/;
  }

  location /identity/ {
    proxy_pass http://identity:5000/;
  }

  location /icons/ {
    proxy_pass http://icons:5000/;
  }

  location /notifications/ {
    proxy_pass http://notifications:5000/;
  }

  location /notifications/hub {
    proxy_pass http://notifications:5000/hub;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
  }

  location /admin {
    proxy_pass http://admin:5000;
{{#if Ssl}}
    include /etc/nginx/security-headers-ssl.conf;
{{/if}}
    include /etc/nginx/security-headers.conf;
    add_header X-Frame-Options SAMEORIGIN;
  }
}
added more info to warning 2018-09-17 21:00:29 +02:00			`#######################################################################`
			`# WARNING: This file is generated. Do not make changes to this file. #`
			`# They will be overwritten on update. You can manage various settings #`
			`# used in this file from the ./bwdata/config.yml file for your #`
			`# installation. #`
			`#######################################################################`
convert setup to use config.yml 2018-08-30 17:35:44 +02:00
			`server {`
			`listen 8080 default_server;`
			`listen [::]:8080 default_server;`
			`server_name {{{Domain}}};`
			`{{#if Ssl}}`

			`return 301 {{{Url}}}$request_uri;`
			`}`

			`server {`
			`listen 8443 ssl http2;`
			`listen [::]:8443 ssl http2;`
			`server_name {{{Domain}}};`

			`ssl_certificate {{{CertificatePath}}};`
			`ssl_certificate_key {{{KeyPath}}};`
			`ssl_session_timeout 30m;`
			`ssl_session_cache shared:SSL:20m;`
			`ssl_session_tickets off;`
			`{{#if DiffieHellmanPath}}`

			`# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits`
			`ssl_dhparam {{{DiffieHellmanPath}}};`
			`{{/if}}`

allow configurable ssl protocols and ciphersuites 2018-08-31 18:11:44 +02:00			`ssl_protocols {{{SslProtocols}}};`
convert setup to use config.yml 2018-08-30 17:35:44 +02:00			`ssl_ciphers "{{{SslCiphers}}}";`
			`# Enables server-side protection from BEAST attacks`
			`ssl_prefer_server_ciphers on;`
			`{{#if CaPath}}`

			`# OCSP Stapling ---`
			`# Fetch OCSP records from URL in ssl_certificate and cache them`
			`ssl_stapling on;`
			`ssl_stapling_verify on;`

			`# Verify chain of trust of OCSP response using Root CA and Intermediate certs`
			`ssl_trusted_certificate {{{CaPath}}};`
			`resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s;`
			`{{/if}}`

include security headers 2018-08-31 18:55:54 +02:00			`include /etc/nginx/security-headers-ssl.conf;`
convert setup to use config.yml 2018-08-30 17:35:44 +02:00			`{{/if}}`
reassign security headers 2018-08-31 23:02:49 +02:00			`include /etc/nginx/security-headers.conf;`
real ips config 2019-04-26 18:26:54 +02:00			`{{#if RealIps}}`

			`{{#each RealIps}}`
add semicolon 2019-04-26 18:44:44 +02:00			`set_real_ip_from {{{Value}}};`
real ips config 2019-04-26 18:26:54 +02:00			`{{/each}}`
			`{{/if}}`
convert setup to use config.yml 2018-08-30 17:35:44 +02:00
			`location / {`
			`proxy_pass http://web:5000/;`
include security headers 2018-08-31 18:55:54 +02:00			`{{#if Ssl}}`
			`include /etc/nginx/security-headers-ssl.conf;`
			`{{/if}}`
reassign security headers 2018-08-31 23:02:49 +02:00			`include /etc/nginx/security-headers.conf;`
convert setup to use config.yml 2018-08-30 17:35:44 +02:00			`add_header Content-Security-Policy "{{{ContentSecurityPolicy}}}";`
add X-Frame-Options specifically 2018-09-01 04:37:49 +02:00			`add_header X-Frame-Options SAMEORIGIN;`
noindex,nofollow 2019-01-17 22:45:53 +01:00			`add_header X-Robots-Tag "noindex, nofollow";`
convert setup to use config.yml 2018-08-30 17:35:44 +02:00			`}`

			`location = /app-id.json {`
			`proxy_pass http://web:5000/app-id.json;`
include security headers 2018-08-31 18:55:54 +02:00			`{{#if Ssl}}`
			`include /etc/nginx/security-headers-ssl.conf;`
			`{{/if}}`
reassign security headers 2018-08-31 23:02:49 +02:00			`include /etc/nginx/security-headers.conf;`
convert setup to use config.yml 2018-08-30 17:35:44 +02:00			`proxy_hide_header Content-Type;`
			`add_header Content-Type $fido_content_type;`
			`}`

enabled X-Frame-Options header 2018-08-31 18:16:36 +02:00			`location = /duo-connector.html {`
			`proxy_pass http://web:5000/duo-connector.html;`
			`}`

			`location = /u2f-connector.html {`
			`proxy_pass http://web:5000/u2f-connector.html;`
			`}`

convert setup to use config.yml 2018-08-30 17:35:44 +02:00			`location /attachments/ {`
			`proxy_pass http://attachments:5000/;`
			`}`

			`location /api/ {`
			`proxy_pass http://api:5000/;`
			`}`

			`location /identity/ {`
			`proxy_pass http://identity:5000/;`
			`}`

			`location /icons/ {`
			`proxy_pass http://icons:5000/;`
			`}`

			`location /notifications/ {`
			`proxy_pass http://notifications:5000/;`
			`}`

			`location /notifications/hub {`
			`proxy_pass http://notifications:5000/hub;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection $http_connection;`
			`}`

			`location /admin {`
			`proxy_pass http://admin:5000;`
add X-Frame-Options specifically 2018-09-01 04:37:49 +02:00			`{{#if Ssl}}`
			`include /etc/nginx/security-headers-ssl.conf;`
			`{{/if}}`
			`include /etc/nginx/security-headers.conf;`
			`add_header X-Frame-Options SAMEORIGIN;`
convert setup to use config.yml 2018-08-30 17:35:44 +02:00			`}`
			`}`