# The `upstream` directives ensure that you have a http/1.1 connection
# This enables the keepalive option and better performance
#
# Define the server IP and ports here.
upstream vaultwarden-default {
  zone vaultwarden-default 128k;
  server 127.0.0.1:5080;
  keepalive 2;
}

# Needed to support websocket connections
# See: https://nginx.org/en/docs/http/websocket.html
# Instead of "close" as stated in the above link we send an empty value.
# Else all keepalive connections will not work.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      "";
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name vault.forsen-cock.dedyn.io;

    return 301 https://$host$request_uri;
}


server {
    listen 443 ssl http2;
    listen [::]:443 ssl;
    server_name vault.forsen-cock.dedyn.io;

    client_max_body_size 525M;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # If you use Cloudflare proxying, replace $remote_addr with $http_cf_connecting_ip
    # See https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/#nginx-1
    # alternatively use ngx_http_realip_module
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Proxy settings for HTTP API and web vault
    location / {
        proxy_pass http://vaultwarden-default;  # Vaultwarden's internal HTTPS port
    }

    location /admin {
        allow 127.0.0.1;
        allow 192.168.0.0/24;
        allow 91.245.123.18;
        deny all;
        proxy_pass http://vaultwarden-default;
    }

    ssl_certificate /etc/letsencrypt/live/vault.forsen-cock.dedyn.io/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/vault.forsen-cock.dedyn.io/privkey.pem; # managed by Certbot
}