mirror of
https://github.com/aliasvault/aliasvault.git
synced 2026-05-17 21:05:48 -04:00
176 lines
6.1 KiB
Plaintext
176 lines
6.1 KiB
Plaintext
# This is the Nginx configuration file for the AliasVault reverse-proxy container.
|
|
# which exposes all AliasVault services via 443 (HTTPS) with a self-signed or Let's Encrypt certificate.
|
|
# It also redirects all non-ACME challenge requests from HTTP to HTTPS.
|
|
events {
|
|
worker_connections 1024;
|
|
}
|
|
|
|
http {
|
|
# Placeholder replaced at container startup by entrypoint.sh based on MAX_UPLOAD_SIZE_MB (default 100).
|
|
client_max_body_size __MAX_UPLOAD_SIZE__M;
|
|
|
|
upstream client {
|
|
server client:3000 max_fails=1 fail_timeout=5s;
|
|
}
|
|
|
|
upstream api {
|
|
server api:3001 max_fails=1 fail_timeout=5s;
|
|
}
|
|
|
|
upstream admin {
|
|
server admin:3002 max_fails=1 fail_timeout=5s;
|
|
}
|
|
|
|
# Preserve any existing X-Forwarded-* headers, this is relevant if AliasVault
|
|
# is running behind another reverse proxy. The set_real_ip_from directives
|
|
# are rendered by entrypoint.sh from TRUSTED_PROXIES (default: RFC1918).
|
|
__TRUSTED_PROXIES__
|
|
real_ip_header X-Forwarded-For;
|
|
real_ip_recursive on;
|
|
|
|
# /admin IP allowlist. Rules rendered by entrypoint.sh from ADMIN_IP_ALLOWLIST:
|
|
# empty -> "default 0;" (everyone allowed); otherwise "default 1;" plus an
|
|
# allow rule per CIDR. When $admin_block is 1, the /admin location quietly
|
|
# routes the request to the client app via @admin_fallback.
|
|
geo $admin_block {
|
|
__ADMIN_IP_GEO_RULES__
|
|
}
|
|
|
|
include /etc/nginx/mime.types;
|
|
default_type application/octet-stream;
|
|
|
|
# Enable gzip compression, which reduces the amount of data that needs to be transferred
|
|
# to speed up WASM load times.
|
|
gzip on;
|
|
gzip_vary on;
|
|
gzip_proxied any;
|
|
gzip_comp_level 6;
|
|
gzip_buffers 16 8k;
|
|
gzip_http_version 1.1;
|
|
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
|
|
|
|
server {
|
|
listen 80;
|
|
server_name _;
|
|
|
|
# Handle ACME challenge for Let's Encrypt certificate validation
|
|
location /.well-known/acme-challenge/ {
|
|
allow all;
|
|
root /var/www/certbot;
|
|
try_files $uri =404;
|
|
default_type "text/plain";
|
|
add_header Cache-Control "no-cache";
|
|
break;
|
|
}
|
|
|
|
# Redirect all other HTTP traffic to HTTPS
|
|
location / {
|
|
return 301 https://$host$request_uri;
|
|
}
|
|
}
|
|
|
|
server {
|
|
listen 443 ssl;
|
|
server_name _;
|
|
|
|
# Include the appropriate SSL certificate configuration generated
|
|
# by the entrypoint script.
|
|
include /etc/nginx/ssl.conf;
|
|
|
|
# Security headers
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header Cross-Origin-Resource-Policy "same-origin" always;
|
|
add_header Content-Security-Policy "frame-ancestors 'self'" always;
|
|
|
|
# Root for static files
|
|
root /usr/share/nginx/html;
|
|
|
|
# Error page handler location (internal use only)
|
|
location = /status.html {
|
|
internal;
|
|
try_files /status.html =404;
|
|
add_header Cache-Control "no-cache, no-store, must-revalidate";
|
|
add_header Pragma "no-cache";
|
|
add_header Expires "0";
|
|
}
|
|
|
|
# Admin interface
|
|
location /admin {
|
|
# If the IP allowlist is set and this client isn't allowed, fall through
|
|
# to the client app instead of revealing that /admin exists. The 418 is
|
|
# an internal-only signal caught by the error_page handler below.
|
|
error_page 418 = @admin_fallback;
|
|
if ($admin_block) {
|
|
return 418;
|
|
}
|
|
|
|
proxy_pass http://admin;
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-Proto https;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Prefix /admin/;
|
|
|
|
# Rewrite HTTP redirects to HTTPS
|
|
proxy_redirect http:// https://;
|
|
|
|
# Add WebSocket support for Blazor server
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_read_timeout 86400;
|
|
|
|
# Show status page if admin is down
|
|
proxy_intercept_errors on;
|
|
error_page 502 503 504 =503 /status.html;
|
|
}
|
|
|
|
# API endpoints
|
|
location /api {
|
|
proxy_pass http://api;
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
# Show status page if api is down
|
|
proxy_intercept_errors on;
|
|
error_page 502 503 504 =503 /status.html;
|
|
}
|
|
|
|
# Client app (root path)
|
|
location / {
|
|
proxy_pass http://client;
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
# Rewrite HTTP redirects to HTTPS
|
|
proxy_redirect http:// https://;
|
|
|
|
# Show status page if client is down
|
|
proxy_intercept_errors on;
|
|
error_page 502 503 504 =503 /status.html;
|
|
}
|
|
|
|
# Internal-only fallback for /admin when the client IP isn't allowlisted.
|
|
# Mirrors `location /` so the response is indistinguishable from any other
|
|
# client-app request.
|
|
location @admin_fallback {
|
|
proxy_pass http://client;
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
proxy_redirect http:// https://;
|
|
|
|
proxy_intercept_errors on;
|
|
error_page 502 503 504 =503 /status.html;
|
|
}
|
|
}
|
|
}
|