Vaultwarden in docker and nginx

docker-compose.yml

version: '3'

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    ports:
      - 8080:80
      - 3012:3012
    environment:
      WEBSOCKET_ENABLED: "true"
      ADMIN_TOKEN: "xxxxx"
      SIGNUPS_ALLOWED: "false"
      INVITATIONS_ALLOWED: "false"
      SMTP_HOST: "smtp.gmail.com"
      SMTP_FROM: "[email protected]"
      SMTP_PORT: "587"
      SMTP_SECURITY: "starttls"
      SMTP_USERNAME: "[email protected]"
      SMTP_PASSWORD: "xxxxx"
      DOMAIN: "https://vault.xxxxx.com"
    volumes:
      - ./data:/data

nginx-default.conf

upstream vaultwarden-default {
  zone vaultwarden-default 64k;
  server 127.0.0.1:8080;
  keepalive 2;
}
upstream vaultwarden-ws {
  zone vaultwarden-ws 64k;
  server 127.0.0.1:3012;
  keepalive 2;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name vault.xxxxx.com;
# You need to change cert files, of course.
    ssl_certificate /etc/letsencrypt/live/vault.xxxxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vault.xxxxx.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/vault.xxxxx.com/fullchain.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    client_max_body_size 128M;

    location / {
      proxy_http_version 1.1;
      proxy_set_header "Connection" "";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://vaultwarden-default;
    }

    location /notifications/hub/negotiate {
      proxy_http_version 1.1;
      proxy_set_header "Connection" "";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://vaultwarden-default;
    }

    location /notifications/hub {
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Forwarded $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://vaultwarden-ws;
    }

    # Optionally add extra authentication besides the ADMIN_TOKEN
    # Remove the comments below `#` and create the htpasswd_file to have it active
    #
    location /admin {
    #  # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
      auth_basic "Private";
      auth_basic_user_file /etc/nginx/.htpasswd;
    #
      proxy_http_version 1.1;
      proxy_set_header "Connection" "";
    #
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
    #
      proxy_pass http://vaultwarden-default;
    }
}

server {
    if ($host = vault.xxxxx.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80;
    server_name vault.xxxxx.com;
    return 404; # managed by Certbot


}