添加 siyuan certd vaultwarden

2026-04-07 16:03:47 +08:00
parent 3b01ca8ed3
commit 41a586b97b
25 changed files with 2894 additions and 27 deletions
--- a/vaultwarden/nginx/vaultwarden.conf
+++ b/vaultwarden/nginx/vaultwarden.conf
@@ -0,0 +1,78 @@
+# WebSocket 连接升级映射
+# 有 Upgrade 头时发送 "upgrade"，否则发送空字符串（保持 keepalive）
+# 参考: https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      "";
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name __DOMAIN__;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name __DOMAIN__;
+
+    # SSL 证书
+    ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
+
+    # SSL 参数
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+
+    # 安全头
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header Referrer-Policy "same-origin" always;
+
+    # 上传大小限制（附件上传）
+    client_max_body_size 525M;
+
+    # 反向代理到 Vaultwarden
+    location / {
+        proxy_pass http://127.0.0.1:8080;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # WebSocket 支持（Vaultwarden 1.29+ 在同一端口）
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+
+        # 超时设置
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+    }
+
+    # 管理员面板（可选：限制访问 IP）
+    # location /admin {
+    #     allow 你的IP;
+    #     deny all;
+    #     proxy_pass http://127.0.0.1:8080;
+    #     proxy_set_header Host $host;
+    #     proxy_set_header X-Real-IP $remote_addr;
+    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    #     proxy_set_header X-Forwarded-Proto $scheme;
+    # }
+}