mirror of
https://github.com/bitwarden/server.git
synced 2024-12-22 16:57:36 +01:00
more config on nginx server
This commit is contained in:
parent
e7f713a805
commit
3dd44ce4de
@ -1,3 +1,5 @@
|
||||
*
|
||||
!entrypoint.sh
|
||||
!nginx.conf
|
||||
!proxy.conf
|
||||
!mime.types
|
||||
|
@ -1,7 +1,8 @@
|
||||
FROM nginx:stable
|
||||
|
||||
RUN rm /etc/nginx/nginx.conf
|
||||
COPY nginx.conf /etc/nginx/nginx.conf
|
||||
COPY nginx.conf /etc/nginx
|
||||
COPY proxy.conf /etc/nginx
|
||||
COPY mime.types /etc/nginx
|
||||
|
||||
COPY entrypoint.sh /
|
||||
RUN chmod +x /entrypoint.sh
|
||||
|
138
util/Nginx/mime.types
Normal file
138
util/Nginx/mime.types
Normal file
@ -0,0 +1,138 @@
|
||||
types {
|
||||
|
||||
# Data interchange
|
||||
|
||||
application/atom+xml atom;
|
||||
application/json json map topojson;
|
||||
application/ld+json jsonld;
|
||||
application/rss+xml rss;
|
||||
application/vnd.geo+json geojson;
|
||||
application/xml rdf xml;
|
||||
|
||||
|
||||
# JavaScript
|
||||
|
||||
# Normalize to standard type.
|
||||
# https://tools.ietf.org/html/rfc4329#section-7.2
|
||||
application/javascript js;
|
||||
|
||||
|
||||
# Manifest files
|
||||
|
||||
application/manifest+json webmanifest;
|
||||
application/x-web-app-manifest+json webapp;
|
||||
text/cache-manifest appcache;
|
||||
|
||||
|
||||
# Media files
|
||||
|
||||
audio/midi mid midi kar;
|
||||
audio/mp4 aac f4a f4b m4a;
|
||||
audio/mpeg mp3;
|
||||
audio/ogg oga ogg opus;
|
||||
audio/x-realaudio ra;
|
||||
audio/x-wav wav;
|
||||
image/bmp bmp;
|
||||
image/gif gif;
|
||||
image/jpeg jpeg jpg;
|
||||
image/jxr jxr hdp wdp;
|
||||
image/png png;
|
||||
image/svg+xml svg svgz;
|
||||
image/tiff tif tiff;
|
||||
image/vnd.wap.wbmp wbmp;
|
||||
image/webp webp;
|
||||
image/x-jng jng;
|
||||
video/3gpp 3gp 3gpp;
|
||||
video/mp4 f4p f4v m4v mp4;
|
||||
video/mpeg mpeg mpg;
|
||||
video/ogg ogv;
|
||||
video/quicktime mov;
|
||||
video/webm webm;
|
||||
video/x-flv flv;
|
||||
video/x-mng mng;
|
||||
video/x-ms-asf asf asx;
|
||||
video/x-ms-wmv wmv;
|
||||
video/x-msvideo avi;
|
||||
|
||||
# Serving `.ico` image files with a different media type
|
||||
# prevents Internet Explorer from displaying then as images:
|
||||
# https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee
|
||||
|
||||
image/x-icon cur ico;
|
||||
|
||||
|
||||
# Microsoft Office
|
||||
|
||||
application/msword doc;
|
||||
application/vnd.ms-excel xls;
|
||||
application/vnd.ms-powerpoint ppt;
|
||||
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
|
||||
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
|
||||
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
|
||||
|
||||
|
||||
# Web fonts
|
||||
|
||||
application/font-woff woff;
|
||||
application/font-woff2 woff2;
|
||||
application/vnd.ms-fontobject eot;
|
||||
|
||||
# Browsers usually ignore the font media types and simply sniff
|
||||
# the bytes to figure out the font type.
|
||||
# https://mimesniff.spec.whatwg.org/#matching-a-font-type-pattern
|
||||
#
|
||||
# However, Blink and WebKit based browsers will show a warning
|
||||
# in the console if the following font types are served with any
|
||||
# other media types.
|
||||
|
||||
application/x-font-ttf ttc ttf;
|
||||
font/opentype otf;
|
||||
|
||||
|
||||
# Other
|
||||
|
||||
application/java-archive ear jar war;
|
||||
application/mac-binhex40 hqx;
|
||||
application/octet-stream bin deb dll dmg exe img iso msi msm msp safariextz;
|
||||
application/pdf pdf;
|
||||
application/postscript ai eps ps;
|
||||
application/rtf rtf;
|
||||
application/vnd.google-earth.kml+xml kml;
|
||||
application/vnd.google-earth.kmz kmz;
|
||||
application/vnd.wap.wmlc wmlc;
|
||||
application/x-7z-compressed 7z;
|
||||
application/x-bb-appworld bbaw;
|
||||
application/x-bittorrent torrent;
|
||||
application/x-chrome-extension crx;
|
||||
application/x-cocoa cco;
|
||||
application/x-java-archive-diff jardiff;
|
||||
application/x-java-jnlp-file jnlp;
|
||||
application/x-makeself run;
|
||||
application/x-opera-extension oex;
|
||||
application/x-perl pl pm;
|
||||
application/x-pilot pdb prc;
|
||||
application/x-rar-compressed rar;
|
||||
application/x-redhat-package-manager rpm;
|
||||
application/x-sea sea;
|
||||
application/x-shockwave-flash swf;
|
||||
application/x-stuffit sit;
|
||||
application/x-tcl tcl tk;
|
||||
application/x-x509-ca-cert crt der pem;
|
||||
application/x-xpinstall xpi;
|
||||
application/xhtml+xml xhtml;
|
||||
application/xslt+xml xsl;
|
||||
application/zip zip;
|
||||
text/css css;
|
||||
text/csv csv;
|
||||
text/html htm html shtml;
|
||||
text/markdown md;
|
||||
text/mathml mml;
|
||||
text/plain txt;
|
||||
text/vcard vcard vcf;
|
||||
text/vnd.rim.location.xloc xloc;
|
||||
text/vnd.sun.j2me.app-descriptor jad;
|
||||
text/vnd.wap.wml wml;
|
||||
text/vtt vtt;
|
||||
text/x-component htc;
|
||||
|
||||
}
|
@ -30,6 +30,7 @@ error_log /var/log/nginx/error.log warn;
|
||||
pid /var/run/nginx.pid;
|
||||
|
||||
http {
|
||||
include proxy.conf;
|
||||
|
||||
# Hide nginx version information.
|
||||
server_tokens off;
|
||||
@ -38,8 +39,17 @@ http {
|
||||
include mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
# Update charset_types due to updated mime.types
|
||||
charset_types text/css text/plain text/vnd.wap.wml application/javascript application/json application/rss+xml application/xml;
|
||||
# Update charset_types to match updated mime.types.
|
||||
# text/html is always included by charset module.
|
||||
# Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml
|
||||
charset_types
|
||||
text/css
|
||||
text/plain
|
||||
text/vnd.wap.wml
|
||||
application/javascript
|
||||
application/json
|
||||
application/rss+xml
|
||||
application/xml;
|
||||
|
||||
# Format to use in log files
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
|
12
util/Nginx/proxy.conf
Normal file
12
util/Nginx/proxy.conf
Normal file
@ -0,0 +1,12 @@
|
||||
proxy_redirect off;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Url-Scheme $scheme;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
client_max_body_size 105m;
|
||||
client_body_buffer_size 128k;
|
||||
proxy_connect_timeout 90;
|
||||
proxy_send_timeout 90;
|
||||
proxy_read_timeout 90;
|
||||
proxy_buffers 32 4k;
|
@ -249,122 +249,97 @@ namespace Setup
|
||||
using(var sw = File.CreateText("/bitwarden/nginx/default.conf"))
|
||||
{
|
||||
sw.WriteLine($@"server {{
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
server_name {_domain};");
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
server_name {_domain};");
|
||||
|
||||
if(_ssl)
|
||||
{
|
||||
sw.WriteLine($@" return 301 https://$server_name$request_uri;
|
||||
sw.WriteLine($@" return 301 https://$server_name$request_uri;
|
||||
}}
|
||||
|
||||
server {{
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name {_domain};
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name {_domain};
|
||||
|
||||
ssl_certificate {sslPath}/{certFile};
|
||||
ssl_certificate_key {sslPath}/{keyFile};
|
||||
|
||||
ssl_session_timeout 30m;
|
||||
ssl_session_cache shared:SSL:20m;
|
||||
ssl_session_tickets off;");
|
||||
ssl_certificate {sslPath}/{certFile};
|
||||
ssl_certificate_key {sslPath}/{keyFile};
|
||||
|
||||
ssl_session_timeout 30m;
|
||||
ssl_session_cache shared:SSL:20m;
|
||||
ssl_session_tickets off;");
|
||||
|
||||
if(dh)
|
||||
{
|
||||
sw.WriteLine($@"
|
||||
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
|
||||
ssl_dhparam {sslPath}/dhparam.pem;");
|
||||
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
|
||||
ssl_dhparam {sslPath}/dhparam.pem;");
|
||||
}
|
||||
|
||||
sw.WriteLine($@"
|
||||
# SSL protocols TLS v1~TLSv1.2 are allowed. Disabed SSLv3
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
# Disabled insecure ciphers suite. For example, MD5, DES, RC4, PSK
|
||||
ssl_ciphers ""{sslCiphers}"";
|
||||
# enables server-side protection from BEAST attacks
|
||||
ssl_prefer_server_ciphers on;");
|
||||
# SSL protocols TLS v1~TLSv1.2 are allowed. Disabed SSLv3
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
# Disabled insecure ciphers suite. For example, MD5, DES, RC4, PSK
|
||||
ssl_ciphers ""{sslCiphers}"";
|
||||
# enables server-side protection from BEAST attacks
|
||||
ssl_prefer_server_ciphers on;");
|
||||
|
||||
if(trusted)
|
||||
{
|
||||
sw.WriteLine($@"
|
||||
# OCSP Stapling ---
|
||||
# fetch OCSP records from URL in ssl_certificate and cache them
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
# OCSP Stapling ---
|
||||
# fetch OCSP records from URL in ssl_certificate and cache them
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
## verify chain of trust of OCSP response using Root CA and Intermediate certs
|
||||
ssl_trusted_certificate {sslPath}/{caFile};
|
||||
## verify chain of trust of OCSP response using Root CA and Intermediate certs
|
||||
ssl_trusted_certificate {sslPath}/{caFile};
|
||||
|
||||
resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s;
|
||||
resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s;
|
||||
|
||||
# This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack. 6 months age
|
||||
add_header Strict-Transport-Security max-age=15768000;");
|
||||
# This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack. 6 months age
|
||||
add_header Strict-Transport-Security max-age=15768000;");
|
||||
}
|
||||
}
|
||||
|
||||
sw.WriteLine($@"
|
||||
# X-Frame-Options is to prevent from clickJacking attack
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
# X-Frame-Options is to prevent from clickJacking attack
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
|
||||
# disable content-type sniffing on some browsers.
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
# disable content-type sniffing on some browsers.
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
|
||||
# This header enables the Cross-site scripting (XSS) filter
|
||||
add_header X-XSS-Protection ""1; mode=block"";
|
||||
# This header enables the Cross-site scripting (XSS) filter
|
||||
add_header X-XSS-Protection ""1; mode=block"";
|
||||
|
||||
# This header controls what referrer information is shared
|
||||
add_header Referrer-Policy same-origin;
|
||||
# This header controls what referrer information is shared
|
||||
add_header Referrer-Policy same-origin;
|
||||
|
||||
# Content-Security-Policy is set via meta tag on the website so it is not included here");
|
||||
# Content-Security-Policy is set via meta tag on the website so it is not included here");
|
||||
|
||||
sw.WriteLine($@"
|
||||
location / {{
|
||||
proxy_pass http://web/;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Url-Scheme $scheme;
|
||||
proxy_redirect off;
|
||||
}}
|
||||
location / {{
|
||||
proxy_pass http://web/;
|
||||
}}
|
||||
|
||||
location = /app-id.json {{
|
||||
proxy_pass http://web/app-id.json;
|
||||
proxy_hide_header Content-Type;
|
||||
add_header Content-Type $fido_content_type;
|
||||
proxy_redirect off;
|
||||
}}
|
||||
location = /app-id.json {{
|
||||
proxy_pass http://web/app-id.json;
|
||||
proxy_hide_header Content-Type;
|
||||
add_header Content-Type $fido_content_type;
|
||||
}}
|
||||
|
||||
location /attachments/ {{
|
||||
proxy_pass http://attachments/;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Url-Scheme $scheme;
|
||||
proxy_redirect off;
|
||||
}}
|
||||
location /attachments/ {{
|
||||
proxy_pass http://attachments/;
|
||||
}}
|
||||
|
||||
location /api/ {{
|
||||
proxy_pass http://api/;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Url-Scheme $scheme;
|
||||
proxy_redirect off;
|
||||
}}
|
||||
location /api/ {{
|
||||
proxy_pass http://api/;
|
||||
}}
|
||||
|
||||
location /identity/ {{
|
||||
proxy_pass http://identity/;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Url-Scheme $scheme;
|
||||
proxy_redirect off;
|
||||
}}
|
||||
location /identity/ {{
|
||||
proxy_pass http://identity/;
|
||||
}}
|
||||
}}");
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user