more config on nginx server

util/Nginx/.dockerignore

@@ -1,3 +1,5 @@
 *
 !entrypoint.sh
 !nginx.conf
+!proxy.conf
+!mime.types

util/Nginx/Dockerfile

@@ -1,7 +1,8 @@
 FROM nginx:stable
 
-RUN rm /etc/nginx/nginx.conf
-COPY nginx.conf /etc/nginx/nginx.conf
+COPY nginx.conf /etc/nginx
+COPY proxy.conf /etc/nginx
+COPY mime.types /etc/nginx
 
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh

util/Nginx/mime.types

@@ -0,0 +1,138 @@
+types {
+
+  # Data interchange
+
+    application/atom+xml                  atom;
+    application/json                      json map topojson;
+    application/ld+json                   jsonld;
+    application/rss+xml                   rss;
+    application/vnd.geo+json              geojson;
+    application/xml                       rdf xml;
+
+
+  # JavaScript
+
+    # Normalize to standard type.
+    # https://tools.ietf.org/html/rfc4329#section-7.2
+    application/javascript                js;
+
+
+  # Manifest files
+
+    application/manifest+json             webmanifest;
+    application/x-web-app-manifest+json   webapp;
+    text/cache-manifest                   appcache;
+
+
+  # Media files
+
+    audio/midi                            mid midi kar;
+    audio/mp4                             aac f4a f4b m4a;
+    audio/mpeg                            mp3;
+    audio/ogg                             oga ogg opus;
+    audio/x-realaudio                     ra;
+    audio/x-wav                           wav;
+    image/bmp                             bmp;
+    image/gif                             gif;
+    image/jpeg                            jpeg jpg;
+    image/jxr                             jxr hdp wdp;
+    image/png                             png;
+    image/svg+xml                         svg svgz;
+    image/tiff                            tif tiff;
+    image/vnd.wap.wbmp                    wbmp;
+    image/webp                            webp;
+    image/x-jng                           jng;
+    video/3gpp                            3gp 3gpp;
+    video/mp4                             f4p f4v m4v mp4;
+    video/mpeg                            mpeg mpg;
+    video/ogg                             ogv;
+    video/quicktime                       mov;
+    video/webm                            webm;
+    video/x-flv                           flv;
+    video/x-mng                           mng;
+    video/x-ms-asf                        asf asx;
+    video/x-ms-wmv                        wmv;
+    video/x-msvideo                       avi;
+
+    # Serving `.ico` image files with a different media type
+    # prevents Internet Explorer from displaying then as images:
+    # https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee
+
+    image/x-icon                          cur ico;
+
+
+  # Microsoft Office
+
+    application/msword                                                         doc;
+    application/vnd.ms-excel                                                   xls;
+    application/vnd.ms-powerpoint                                              ppt;
+    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
+    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
+    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;
+
+
+  # Web fonts
+
+    application/font-woff                 woff;
+    application/font-woff2                woff2;
+    application/vnd.ms-fontobject         eot;
+
+    # Browsers usually ignore the font media types and simply sniff
+    # the bytes to figure out the font type.
+    # https://mimesniff.spec.whatwg.org/#matching-a-font-type-pattern
+    #
+    # However, Blink and WebKit based browsers will show a warning
+    # in the console if the following font types are served with any
+    # other media types.
+
+    application/x-font-ttf                ttc ttf;
+    font/opentype                         otf;
+
+
+  # Other
+
+    application/java-archive              ear jar war;
+    application/mac-binhex40              hqx;
+    application/octet-stream              bin deb dll dmg exe img iso msi msm msp safariextz;
+    application/pdf                       pdf;
+    application/postscript                ai eps ps;
+    application/rtf                       rtf;
+    application/vnd.google-earth.kml+xml  kml;
+    application/vnd.google-earth.kmz      kmz;
+    application/vnd.wap.wmlc              wmlc;
+    application/x-7z-compressed           7z;
+    application/x-bb-appworld             bbaw;
+    application/x-bittorrent              torrent;
+    application/x-chrome-extension        crx;
+    application/x-cocoa                   cco;
+    application/x-java-archive-diff       jardiff;
+    application/x-java-jnlp-file          jnlp;
+    application/x-makeself                run;
+    application/x-opera-extension         oex;
+    application/x-perl                    pl pm;
+    application/x-pilot                   pdb prc;
+    application/x-rar-compressed          rar;
+    application/x-redhat-package-manager  rpm;
+    application/x-sea                     sea;
+    application/x-shockwave-flash         swf;
+    application/x-stuffit                 sit;
+    application/x-tcl                     tcl tk;
+    application/x-x509-ca-cert            crt der pem;
+    application/x-xpinstall               xpi;
+    application/xhtml+xml                 xhtml;
+    application/xslt+xml                  xsl;
+    application/zip                       zip;
+    text/css                              css;
+    text/csv                              csv;
+    text/html                             htm html shtml;
+    text/markdown                         md;
+    text/mathml                           mml;
+    text/plain                            txt;
+    text/vcard                            vcard vcf;
+    text/vnd.rim.location.xloc            xloc;
+    text/vnd.sun.j2me.app-descriptor      jad;
+    text/vnd.wap.wml                      wml;
+    text/vtt                              vtt;
+    text/x-component                      htc;
+
+}

util/Nginx/nginx.conf

@@ -30,6 +30,7 @@ error_log  /var/log/nginx/error.log warn;
 pid        /var/run/nginx.pid;
 
 http {
+  include       proxy.conf;
 
   # Hide nginx version information.
   server_tokens off;
@@ -38,8 +39,17 @@ http {
   include       mime.types;
   default_type  application/octet-stream;
 
-  # Update charset_types due to updated mime.types
-  charset_types text/css text/plain text/vnd.wap.wml application/javascript application/json application/rss+xml application/xml;
+  # Update charset_types to match updated mime.types.
+  # text/html is always included by charset module.
+  # Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml
+  charset_types
+    text/css
+    text/plain
+    text/vnd.wap.wml
+    application/javascript
+    application/json
+    application/rss+xml
+    application/xml;
 
   # Format to use in log files
   log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '

util/Nginx/proxy.conf

@@ -0,0 +1,12 @@
+proxy_redirect          off;
+proxy_set_header        Host              $host;
+proxy_set_header        X-Real-IP         $remote_addr;
+proxy_set_header        X-Forwarded-For   $proxy_add_x_forwarded_for;
+proxy_set_header        X-Url-Scheme      $scheme;
+proxy_set_header        X-Forwarded-Proto $scheme;
+client_max_body_size    105m;
+client_body_buffer_size 128k;
+proxy_connect_timeout   90;
+proxy_send_timeout      90;
+proxy_read_timeout      90;
+proxy_buffers           32 4k;

util/Setup/Program.cs

@@ -249,122 +249,97 @@ namespace Setup
             using(var sw = File.CreateText("/bitwarden/nginx/default.conf"))
             {
                 sw.WriteLine($@"server {{
-    listen 80 default_server;
-    listen [::]:80 default_server;
-    server_name {_domain};");
+  listen 80 default_server;
+  listen [::]:80 default_server;
+  server_name {_domain};");
 
                 if(_ssl)
                 {
-                    sw.WriteLine($@"    return 301 https://$server_name$request_uri;
+                    sw.WriteLine($@"  return 301 https://$server_name$request_uri;
 }}
 
 server {{
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-    server_name {_domain};
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  server_name {_domain};
 
-    ssl_certificate {sslPath}/{certFile};
-    ssl_certificate_key {sslPath}/{keyFile};
-    
-    ssl_session_timeout 30m;
-    ssl_session_cache shared:SSL:20m;
-    ssl_session_tickets off;");
+  ssl_certificate {sslPath}/{certFile};
+  ssl_certificate_key {sslPath}/{keyFile};
+
+  ssl_session_timeout 30m;
+  ssl_session_cache shared:SSL:20m;
+  ssl_session_tickets off;");
 
                     if(dh)
                     {
                         sw.WriteLine($@"
-    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
-    ssl_dhparam {sslPath}/dhparam.pem;");
+  # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+  ssl_dhparam {sslPath}/dhparam.pem;");
                     }
 
                     sw.WriteLine($@"
-    # SSL protocols TLS v1~TLSv1.2 are allowed. Disabed SSLv3
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    # Disabled insecure ciphers suite. For example, MD5, DES, RC4, PSK
-    ssl_ciphers ""{sslCiphers}"";
-    # enables server-side protection from BEAST attacks
-    ssl_prefer_server_ciphers on;");
+  # SSL protocols TLS v1~TLSv1.2 are allowed. Disabed SSLv3
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  # Disabled insecure ciphers suite. For example, MD5, DES, RC4, PSK
+  ssl_ciphers ""{sslCiphers}"";
+  # enables server-side protection from BEAST attacks
+  ssl_prefer_server_ciphers on;");
 
                     if(trusted)
                     {
                         sw.WriteLine($@"
-    # OCSP Stapling ---
-    # fetch OCSP records from URL in ssl_certificate and cache them
-    ssl_stapling on;
-    ssl_stapling_verify on;
+  # OCSP Stapling ---
+  # fetch OCSP records from URL in ssl_certificate and cache them
+  ssl_stapling on;
+  ssl_stapling_verify on;
 
-    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
-    ssl_trusted_certificate {sslPath}/{caFile};
+  ## verify chain of trust of OCSP response using Root CA and Intermediate certs
+  ssl_trusted_certificate {sslPath}/{caFile};
 
-    resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s;
+  resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s;
 
-    # This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack. 6 months age
-    add_header Strict-Transport-Security max-age=15768000;");
+  # This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack. 6 months age
+  add_header Strict-Transport-Security max-age=15768000;");
                     }
                 }
 
                 sw.WriteLine($@"
-    # X-Frame-Options is to prevent from clickJacking attack
-    add_header X-Frame-Options SAMEORIGIN;
+  # X-Frame-Options is to prevent from clickJacking attack
+  add_header X-Frame-Options SAMEORIGIN;
 
-    # disable content-type sniffing on some browsers.
-    add_header X-Content-Type-Options nosniff;
+  # disable content-type sniffing on some browsers.
+  add_header X-Content-Type-Options nosniff;
 
-    # This header enables the Cross-site scripting (XSS) filter
-    add_header X-XSS-Protection ""1; mode=block"";
+  # This header enables the Cross-site scripting (XSS) filter
+  add_header X-XSS-Protection ""1; mode=block"";
 
-    # This header controls what referrer information is shared
-    add_header Referrer-Policy same-origin;
+  # This header controls what referrer information is shared
+  add_header Referrer-Policy same-origin;
 
-    # Content-Security-Policy is set via meta tag on the website so it is not included here");
+  # Content-Security-Policy is set via meta tag on the website so it is not included here");
 
                 sw.WriteLine($@"
-    location / {{
-        proxy_pass http://web/;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Url-Scheme $scheme;
-        proxy_redirect off;
-    }}
+  location / {{
+    proxy_pass http://web/;
+  }}
 
-    location = /app-id.json {{
-        proxy_pass http://web/app-id.json;
-        proxy_hide_header Content-Type;
-        add_header Content-Type $fido_content_type;
-        proxy_redirect off;
-    }}
+  location = /app-id.json {{
+    proxy_pass http://web/app-id.json;
+    proxy_hide_header Content-Type;
+    add_header Content-Type $fido_content_type;
+  }}
 
-    location /attachments/ {{
-        proxy_pass http://attachments/;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Url-Scheme $scheme;
-        proxy_redirect off;
-    }}
+  location /attachments/ {{
+    proxy_pass http://attachments/;
+  }}
 
-    location /api/ {{
-        proxy_pass http://api/;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Url-Scheme $scheme;
-        proxy_redirect off;
-    }}
+  location /api/ {{
+    proxy_pass http://api/;
+  }}
 
-    location /identity/ {{
-        proxy_pass http://identity/;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Url-Scheme $scheme;
-        proxy_redirect off;
-    }}
+  location /identity/ {{
+    proxy_pass http://identity/;
+  }}
 }}");
             }
         }