Bitwarden Unified Self-Host project (#2410)

docker-unified/confd/app-id.conf.tmpl

@@ -0,0 +1,15 @@
+{
+  "trustedFacets": [
+    {
+      "version": {
+        "major": 1,
+        "minor": 0
+      },
+      "ids": [
+        "{{ getenv "globalSettings__baseServiceUri__vault" "https://localhost" }}",
+        "ios:bundle-id:com.8bit.bitwarden",
+        "android:apk-key-hash:dUGFzUzf3lmHSLBDBIv+WaFyZMI"
+      ]
+    }
+  ]
+}

docker-unified/confd/app-id.toml

@@ -0,0 +1,6 @@
+[template]
+src = "app-id.conf.tmpl"
+dest = "/app/Web/app-id.json"
+keys = [
+  "globalSettings__baseServiceUri__vault"
+]

docker-unified/confd/nginx-config.conf.tmpl

@@ -0,0 +1,144 @@
+server {
+  listen 80 default_server;
+  #listen [::]:80 default_server;
+  server_name {{ getenv "BW_DOMAIN" "localhost" }};
+{{ if eq (getenv "BW_ENABLE_SSL") "true" }}
+
+  return 301 https://{{ getenv "BW_DOMAIN" "localhost" }}$request_uri;
+}
+
+server {
+  listen 443 ssl http2;
+  #listen [::]:443 ssl http2;
+  server_name {{ getenv "BW_DOMAIN" "localhost" }};
+
+  ssl_certificate /etc/bitwarden/{{ getenv "BW_SSL_CERT" "ssl.crt" }};
+  ssl_certificate_key /etc/bitwarden/{{ getenv "BW_SSL_KEY" "ssl.key" }};
+  ssl_session_timeout 30m;
+  ssl_session_cache shared:SSL:20m;
+  ssl_session_tickets off;
+
+  ssl_protocols {{ getenv "BW_SSL_PROTOCOLS" "TLSv1.2" }};
+  ssl_ciphers "{{ getenv "BW_SSL_CIPHERS" "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" }}";
+  # Enables server-side protection from BEAST attacks
+  ssl_prefer_server_ciphers on;
+{{ if eq (getenv "BW_ENABLE_SSL_CA") "true" }}
+
+  # OCSP Stapling ---
+  # Fetch OCSP records from URL in ssl_certificate and cache them
+  ssl_stapling on;
+  ssl_stapling_verify on;
+
+  # Verify chain of trust of OCSP response using Root CA and Intermediate certs
+  ssl_trusted_certificate /etc/bitwarden/{{ getenv "BW_SSL_CA_CERT" "ca.crt" }};
+  resolver 1.1.1.1 1.0.0.1 9.9.9.9 149.112.112.112 valid=300s;
+{{ end }}
+
+  include /etc/nginx/security-headers-ssl.conf;
+{{ end }}
+  include /etc/nginx/security-headers.conf;
+{{ if getenv "BW_REAL_IPS" }}
+
+{{ range (getenv "BW_REAL_IPS") }}
+  set_real_ip_from {{ .Key }};
+{{ end }}
+  real_ip_header X-Forwarded-For;
+  real_ip_recursive on;
+{{ end }}
+
+  location / {
+    root /app/Web;
+{{ if eq (getenv "BW_ENABLE_SSL") "true" }}
+    include /etc/nginx/security-headers-ssl.conf;
+{{ end }}
+    include /etc/nginx/security-headers.conf;
+    add_header Content-Security-Policy "{{ getenv "BW_CSP" "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; connect-src 'self' https://api.pwnedpasswords.com https://2fa.directory; object-src 'self' blob:;" }}";
+    add_header X-Frame-Options SAMEORIGIN;
+    add_header X-Robots-Tag "noindex, nofollow";
+  }
+
+  location /alive {
+    default_type text/plain;
+    return 200 $date_gmt;
+  }
+
+  location = /app-id.json {
+    root /app/Web;
+{{ if eq (getenv "BW_ENABLE_SSL") "true" }}
+    include /etc/nginx/security-headers-ssl.conf;
+{{ end }}
+    include /etc/nginx/security-headers.conf;
+    proxy_hide_header Content-Type;
+    add_header Content-Type $fido_content_type;
+  }
+
+  location /attachments {
+    alias /etc/bitwarden/attachments/;
+  }
+
+  location /api/ {
+    proxy_pass http://localhost:5001/;
+  }
+
+  location /icons/ {
+{{ if eq (getenv "BW_ICONS_PROXY_TO_CLOUD") "true" }}
+    proxy_pass https://icons.bitwarden.net/;
+    proxy_set_header Host icons.bitwarden.net;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_ssl_server_name on;
+{{ else }}
+    proxy_pass http://localhost:5004/;
+{{ end }}
+  }
+
+  location /notifications/ {
+    proxy_pass http://localhost:5006/;
+  }
+
+  location /notifications/hub {
+    proxy_pass http://localhost:5006/hub;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $http_connection;
+  }
+
+  location /events/ {
+    proxy_pass http://localhost:5003/;
+  }
+
+  location /sso {
+    proxy_pass http://localhost:5007;
+{{ if eq (getenv "BW_ENABLE_SSL") "true" }}
+    include /etc/nginx/security-headers-ssl.conf;
+{{ end }}
+    include /etc/nginx/security-headers.conf;
+    add_header X-Frame-Options SAMEORIGIN;
+  }
+
+  location /identity {
+    proxy_pass http://localhost:5005;
+{{ if eq (getenv "BW_ENABLE_SSL") "true" }}
+    include /etc/nginx/security-headers-ssl.conf;
+{{ end }}
+    include /etc/nginx/security-headers.conf;
+    add_header X-Frame-Options SAMEORIGIN;
+  }
+
+  location /admin {
+    proxy_pass http://localhost:5000;
+{{ if eq (getenv "BW_ENABLE_SSL") "true" }}
+    include /etc/nginx/security-headers-ssl.conf;
+{{ end }}
+    include /etc/nginx/security-headers.conf;
+    add_header X-Frame-Options SAMEORIGIN;
+  }
+
+{{ if eq (getenv "BW_ENABLE_KEY_CONNECTOR") "true" }}
+  location /key-connector/ {
+    proxy_pass {{ getenv "BW_KEY_CONNECTOR_INTERNAL_URL"}}/;
+  }
+{{ end }}
+
+  location /scim/ {
+    proxy_pass http://localhost:5002/;
+  }
+}

docker-unified/confd/nginx-config.toml

@@ -0,0 +1,17 @@
+[template]
+src = "nginx-config.conf.tmpl"
+dest = "/etc/nginx/http.d/bitwarden.conf"
+keys = [
+  "BW_ENABLE_SSL_CA",
+  "BW_SSL_CA_CERT",
+  "BW_CSP",
+  "BW_ENABLE_KEY_CONNECTOR",
+  "BW_KEY_CONNECTOR_INTERNAL_URL",
+  "BW_REAL_IPS",
+  "BW_ENABLE_SSL",
+  "BW_SSL_CERT",
+  "BW_SSL_CIPHERS",
+  "BW_SSL_KEY",
+  "BW_SSL_PROTOCOLS",
+  "BW_ICONS_PROXY_TO_CLOUD"
+]