server { listen 443 ssl http2; server_name {{ bitwarden_public_url | urlsplit('hostname') }}; include /etc/nginx/ansible_conf.d/acme.inc; {% if bitwarden_cert_path is defined and bitwarden_key_path is defined %} ssl_certificate {{ bitwarden_cert_path }}; ssl_certificate_key {{ bitwarden_key_path }}; {% elif bitwarden_letsencrypt_cert is defined and bitwarden_letsencrypt_cert == True %} ssl_certificate /var/lib/dehydrated/certificates/certs/{{ bitwarden_public_url | urlsplit('hostname') }}/fullchain.pem; ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ bitwarden_public_url | urlsplit('hostname') }}/privkey.pem; {% elif bitwarden_letsencrypt_cert is string %} ssl_certificate /var/lib/dehydrated/certificates/certs/{{ bitwarden_letsencrypt_cert }}/fullchain.pem; ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ bitwarden_letsencrypt_cert }}/privkey.pem; {% endif %} root {{ bitwarden_root_dir }}/web-vault; client_max_body_size 512M; if ($request_method !~ ^(GET|POST|HEAD|PUT|DELETE)$ ) { return 405; } location /notifications/hub { proxy_pass http://localhost:{{ bitwarden_ws_port }}; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } location /notifications/hub/negotiate { proxy_pass http://localhost:{{ bitwarden_http_port }}; } location @proxy { proxy_pass http://localhost:{{ bitwarden_http_port }}; } location / { try_files $uri $uri/index.html @proxy; } add_header X-Frame-Options "DENY"; add_header X-Content-Type-Options "nosniff"; add_header X-XSS-Protection "1; mode=block"; add_header Strict-Transport-Security "$hsts_header"; # Send info about the original request to the backend proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for"; proxy_set_header X-Real-IP "$remote_addr"; proxy_set_header X-Forwarded-Proto "$scheme"; proxy_set_header X-Forwarded-Host "$host"; proxy_set_header Host "$host"; # Set the timeout to read responses from the backend proxy_read_timeout 60s; # Enable Keep Alive to the backend proxy_socket_keepalive on; # Disable buffering large files proxy_max_temp_file_size 5m; allow 127.0.0.1; {% for ip in bitwarden_web_src_ip %} allow {{ ip }}; {% endfor %} deny all; }