diff --git a/docker-compose.yaml b/docker-compose.yaml index a29bfb6..2d122a2 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -61,6 +61,7 @@ services: - gitea - gpodder - memos + - bitwarden depends_on: - jellyfin - ollama-webui @@ -216,8 +217,7 @@ services: # env_file: # - bitwarden.env environment: - # DOMAIN: "https://bitwarden.loadingm.xyz" - DOMAIN: "http://localhost:8081" + DOMAIN: "https://bitwarden.loadingm.xyz" SMTP_HOST: mail SMTP_FROM: bitwarden@loadingm.xyz SMTP_SECURITY: off @@ -227,8 +227,6 @@ services: - mail image: vaultwarden/server:latest restart: always - # ports: - # - "127.0.0.1:8081:80" volumes: - /data/bitwarden:/data # calibre: diff --git a/nginx/sites-enabled/bitwarden b/nginx/sites-enabled/bitwarden new file mode 100644 index 0000000..ed59c61 --- /dev/null +++ b/nginx/sites-enabled/bitwarden @@ -0,0 +1,73 @@ +server { + listen 80; + listen [::]:80; + server_name bitwarden.loadingm.xyz; + + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } + + # Uncomment to redirect HTTP to HTTPS + location / { + return 301 https://$host$request_uri; + } +} + +server { + # Nginx versions 1.25+ + listen 443 ssl; + listen [::]:443 ssl; + http2 on; + + server_name bitwarden.loadingm.xyz; + + ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc. + client_max_body_size 20M; + + ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem; + # include /etc/letsencrypt/options-ssl-nginx.conf; + # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem; + + # Security / XSS Mitigation Headers + add_header X-Content-Type-Options "nosniff"; + + # Permissions policy. May cause issues with some clients + add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always; + + # Content Security Policy + # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP + # Enforces https content and restricts JS/CSS to origin + # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. + set $CSP "default-src https: data: blob:"; + set $CSP "$CSP; img-src 'self' https://* data:"; + set $CSP "$CSP; style-src 'self' 'unsafe-inline' data:"; + set $CSP "$CSP; style-src-elem 'self' 'unsafe-inline' data:"; + set $CSP "$CSP; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtubse.com blob: data:"; + set $CSP "$CSP; worker-src 'self' blob: data:"; + set $CSP "$CSP; connect-src 'self' data:"; + set $CSP "$CSP; object-src 'none' data:"; + set $CSP "$CSP; frame-ancestors 'self' data:"; + set $CSP "$CSP; font-src 'self' data:"; + add_header Content-Security-Policy $CSP; + + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } + + location / { + # Proxy main bitwarden traffic + proxy_pass http://bitwarden:80; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Protocol $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_hide_header Content-Security-Policy; + + # Disable buffering when the nginx proxy gets very resource heavy upon streaming + proxy_buffering off; + } +}