Customizing the NGINX proxy configuration

Can I somehow configure the NGINX proxy so that my changes are still preserved during an update? The bwdata/nginx/default.conf file is overwritten during updates, and with the file bwdata/config.yml I cannot make the desired adjustments.

I have copied the default.conf file and want to restrict access to Bitwarden to some IP addresses. Therefore I created deny and allow rules in the location “/”. IPv4 works fine; IPv6 doesn’t work with it.

```nginx
location / {
    proxy_pass http://web:5000/;
    include /etc/nginx/security-headers-ssl.conf;
    include /etc/nginx/security-headers.conf;
    add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; child-src 'self' https://*.duosecurity.com; frame-src 'self' https://*.duosecurity.com; connect-src 'self' wss://*.net https://api.pwnedpasswords.com https://twofactorauth.org; object-src 'self' blob:;";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Robots-Tag "noindex, nofollow";

    # ip
    allow       1.2.3.4;                # IPv4
    allow       2.3.4.0/24;             # IPv4 range
    allow       2001:1:2:3::/64;        # IPv6 range
    allow       2001:1:2:4:5:6:7:8/128; # single IPv6
    deny        all;
}
```

The configuration is similar to what I have used in other projects and follows the nginx documentation. Currently I suspect some special behavior of Docker/Bitwarden.

Does anyone see where the problem is, or can someone point me in the right direction?

This may help someone who is looking for a solution.

IPv6 does not work with Docker by default, and not in this setup. The nginx container only sees the local IPv4 addresses (172.19.0.0/16). So an allow rule must be created for this; then IPv6 will work.

```nginx
allow       172.19.0.0/16;
```

Makes sense, doesn’t it? :man_facepalming:

This can also be seen from such (senseless) messages:

(screenshot of the nginx log messages, not preserved in this copy)
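As an added example (not code from the original post and not Bitwarden's own default.conf), here is a `location /` block that combines the posted allow-list with the Docker bridge rule from the answer and spells out what that rule actually does. When IPv6 connections reach the container through Docker's userland proxy, nginx sees the bridge gateway address (172.19.0.1 in the 172.19.0.0/16 network the answer reports) instead of the client, so `allow 172.19.0.0/16` admits every proxied client, not only the listed ones. The block assumes that network, a reverse proxy on the Docker host that terminates IPv6 and sets `X-Forwarded-For` (hypothetical, so the realip module can restore the client address), and that the nginx image includes the standard `ngx_http_realip_module`. Everything not in the post is an assumption.

```nginx
# Added example; not from the original post or from Bitwarden. Assumes the
# 172.19.0.0/16 Docker network named in the answer and a hypothetical host-side
# reverse proxy at 172.19.0.1 that sets X-Forwarded-For.
location / {
    # Source-address handling. IPv6 clients arrive via docker-proxy, so nginx
    # sees 172.19.0.1 rather than the client. If a proxy on the host sets
    # X-Forwarded-For, the realip module (assumed present) swaps the client
    # address in before the allow/deny rules are evaluated. Only the bridge
    # range is trusted for that header, so an outside client cannot spoof it.
    set_real_ip_from  172.19.0.0/16;
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on;

    # Access control: first matching rule wins, so keep the specific rules
    # before the catch-all deny.
    allow 1.2.3.4;                  # single IPv4
    allow 2.3.4.0/24;               # IPv4 range
    allow 2001:1:2:3::/64;          # IPv6 range
    allow 2001:1:2:4:5:6:7:8/128;   # single IPv6

    # Weak setting from the answer. Without a header-setting proxy in front,
    # every docker-proxy'd (IPv6) connection carries the address 172.19.0.1,
    # so this rule lets all of them through regardless of the real client.
    # Keep it only if you accept that; otherwise leave it commented out and
    # rely on the realip block above (or on native Docker IPv6 so the
    # container sees the real source address).
    # allow 172.19.0.0/16;

    deny  all;

    # Original proxy settings from the post (Content-Security-Policy header
    # omitted here for brevity; carry it over unchanged).
    proxy_pass http://web:5000/;
    include /etc/nginx/security-headers-ssl.conf;
    include /etc/nginx/security-headers.conf;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Robots-Tag "noindex, nofollow";
}
```

To check which address nginx is really evaluating, compare `$remote_addr` in the access log before and after adding the realip directives: with the bridge rule alone, IPv6 clients log as 172.19.0.1; with a trusted proxy setting `X-Forwarded-For`, their real address appears and the per-client allow rules take effect again.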