I didnt touch anything, if anything changed it had to be technium pushing a update thats not in the changelog, or that one of the few dependencies broke something.
They both do the work, and cater to different scenarios. My reasoning for my suggestion is that I dont want to be able to reach /admin at all with my reverse proxy. Another thing to think about is the resulting error code, where my suggestion gives a 404, while the deny gives a 403. A 403 might say to a potential attacker that there is something there (you could have it respond with a 404 instead)
I did consider that way when I did my post, and my conclusion is still that it should not be able be reached outside of the lan. I have the port mapped, so I can reach it outside of the reverse proxy, if that's not the case for you, doing a allow/deny is the next best option, outside of just disabling the admin panel in the container.
Bitwarden_rs runs on port 80 by default, have you changed the app itself to listen to 8086?
There is two ways you can tackle this. But which to choose depends on two things, do you use dns validation with swag, and do you have a internal dns server?
If the answer to both is yes, you can just set up the local dns to point to swag on your subdomain. If it is no on either of those, you can use allow/deny in nginx to only let the lan subnet connect.
Im not sure how advanced that feature is, like if it follows the html tag for favicon, or just assumes it lives on /favicon.ico, i have those errors too sometimes, and i havent seen anything bad from it.