Customizing the NGINX proxy configuration

Can I somehow configure NGINX proxy so that the changes are still preserved during an update? The bwdata/nginx/default.conf file is overwritten during updates and with the file bwdata/config.yml I cannot make the desired adjustments.

I have copied the default.conf file and want to restrict access to Bitwarden to some IP addresses. Therefore I created deny and allow rules in the location “/”. IPv4 works fine, but IPv6 doesn’t work with it.

    location / {
        proxy_pass http://web:5000/;
        include /etc/nginx/security-headers-ssl.conf;
        include /etc/nginx/security-headers.conf;
        add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; child-src 'self' https://*; frame-src 'self' https://*; connect-src 'self' wss://*.net; object-src 'self' blob:;";
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Robots-Tag "noindex, nofollow";

        # ip
        allow;            # IPv4
        allow;         # IPv4-Range
        allow       2001:1:2:3::/64;    # IPv6-Range
        allow       2001:1:2:4:5:6:7:8/128; #single IPv6
        deny all;
    }

The configuration is similar to what I have used in other projects and according to Nginx specifications. Currently I suspect a special behavior of Docker/Bitwarden.

Does anyone see where the problem is or can they point me in the right direction?

This may help someone who is looking for a solution.

IPv6 does not work with Docker by default and in this setup. The nginx container only sees the local IPv4 addresses ( So an allow-rule must be created for this - then IPv6 will work.


Makes sense, doesn’t it? :man_facepalming:

This can also be seen from such (senseless) messages:
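Added example, not part of the original posts and not Bitwarden's or NGINX's own code: a small Python model of the first-match allow/deny evaluation discussed in this thread, showing why the IPv6 rules never match when the container sees a local IPv4 address instead of the client's IPv6 address. The IPv4 host 192.0.2.10, the bridge address 172.18.0.1, the client 2001:db8::1 and the helper names are constructed assumptions; the two IPv6 rules are the ones from the question.

```python
import ipaddress

# Constructed: the local IPv4 address the nginx container sees for proxied traffic (assumption).
BRIDGE_GW = "172.18.0.1"

ORIGINAL = """
allow 192.0.2.10;              # constructed IPv4 host
allow 2001:1:2:3::/64;         # IPv6 range from the question
allow 2001:1:2:4:5:6:7:8/128;  # single IPv6 from the question
deny all;
"""
# Same rule set with the extra allow rule for the local IPv4 address.
WITH_BRIDGE = f"allow {BRIDGE_GW};\n" + ORIGINAL


def parse_rules(conf):
    """Parse 'allow X;' / 'deny X;' lines into (action, network-or-None) pairs."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";")
        if not line:
            continue
        action, target = line.split()
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def decide(rules, client):
    """Rules are checked in order and the first match wins; no match means allow."""
    addr = ipaddress.ip_address(client)
    for action, net in rules:
        if net is None or (addr.version == net.version and addr in net):
            return action
    return "allow"


def seen_by_nginx(client):
    """Model of this setup: IPv6 clients reach nginx as the local IPv4 address."""
    return BRIDGE_GW if ipaddress.ip_address(client).version == 6 else client


if __name__ == "__main__":
    for conf_name, conf in (("original", ORIGINAL), ("with bridge rule", WITH_BRIDGE)):
        rules = parse_rules(conf)
        for client in ("192.0.2.10", "2001:1:2:3::42", "2001:db8::1"):
            print(conf_name, client, "->", decide(rules, seen_by_nginx(client)))
```

Under this model the added allow rule admits every IPv6 client, including 2001:db8::1, which is in neither IPv6 rule, so the IPv6 restriction then has to be enforced before traffic reaches the container.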