From 9e4091a764e7e34434f7e20f6b4535195fa0d117 Mon Sep 17 00:00:00 2001
From: jlssmt
Date: Sun, 18 Aug 2024 19:46:23 +0200
Subject: [PATCH] restrict vaultwarden admin page to LAN
---
 vaultwarden.subdomain.conf.sample | 7 +++++++
 vaultwarden.subfolder.conf.sample | 7 +++++++
 2 files changed, 14 insertions(+)
diff --git a/vaultwarden.subdomain.conf.sample b/vaultwarden.subdomain.conf.sample
index c92af40ad..5630392d9 100644
--- a/vaultwarden.subdomain.conf.sample
+++ b/vaultwarden.subdomain.conf.sample
@@ -62,6 +62,13 @@ server {
 # enable for Authentik (requires authentik-server.conf in the server block)
 #include /config/nginx/authentik-location.conf;
 
+ # if you enable admin page via ADMIN_TOKEN env variable
+ # consider restricting access to LAN only via uncommenting the following lines
+ #allow 10.0.0.0/8;
+ #allow 172.16.0.0/12;
+ #allow 192.168.0.0/16;
+ #deny all;
+
 include /config/nginx/proxy.conf;
 include /config/nginx/resolver.conf;
 set $upstream_app vaultwarden;
diff --git a/vaultwarden.subfolder.conf.sample b/vaultwarden.subfolder.conf.sample
index 2bba167be..f97dc8936 100644
--- a/vaultwarden.subfolder.conf.sample
+++ b/vaultwarden.subfolder.conf.sample
@@ -49,6 +49,13 @@ location ~ ^(/vaultwarden)?/admin {
 # enable for Authentik (requires authentik-server.conf in the server block)
 #include /config/nginx/authentik-location.conf;
 
+ # if you enable admin page via ADMIN_TOKEN env variable
+ # consider restricting access to LAN only via uncommenting the following lines
+ #allow 10.0.0.0/8;
+ #allow 172.16.0.0/12;
+ #allow 192.168.0.0/16;
+ #deny all;
+
 include /config/nginx/proxy.conf;
 include /config/nginx/resolver.conf;
 set $upstream_app vaultwarden;
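Review bot: The commented `allow`/`deny` lines match on the address nginx sees for the connection, and the added comment in this hunk does not say so; the identical block in vaultwarden.subfolder.conf.sample has the same gap. If this proxy sits behind another proxy, a CDN or a container network that NATs inbound traffic, requests can all arrive from a private address (often inside 172.16.0.0/12), and the list would then admit every client while appearing to restrict the page. I would add a line such as `# only effective when nginx sees the real client IP, not a proxy or Docker gateway address` and say that this is an extra layer on top of ADMIN_TOKEN, not a replacement. The enclosing location block starts outside the hunk, so I am assuming from the commit title that this is the admin location.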
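Review bot: The allow list added in this hunk covers IPv4 private ranges only, so once it is uncommented a LAN client that reaches the proxy over IPv6 falls through to `deny all;` and gets a 403; the subdomain hunk carries the same list. Either add `#allow fc00::/7;` for unique local addresses or state in the comment that the list is IPv4-only, so the behaviour is not a surprise. If one of the auth options above it in this location is enabled as well, nginx's default `satisfy all` requires both checks to pass, which seems to be the intent but is worth a word in the comment.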