Hello Friends,

I have a small ubuntu Server and I finally also want to transfer my Vaultwarden Instance to it. On this Server I have several services running (homeassistant, …) and Certbot via Dehydrated (right now I get a certificate for my duckdns address). In some directory I have the privkey and fullchain files.

Now my Problem is that when I start vaultwarden it wont load as https.

I believe, my Problem is telling Vaultwarden, where my certificate files are located so it can use them accordingly.

This is my Compose File right now:

  vaultwarden:
    container_name: vaultwarden
    image: vaultwarden/server:latest
    restart: unless-stopped
    volumes:
      - /home/vaultwarden:/data/
      - /home/(directory to my certificates):/usr/share/ca-certificates/
    ports:
      - 8129:80
    environment:
      - DOMAIN=https://hurrdurr.duckdns.org
      - LOGIN_RATELIMIT_MAX_BURST=10
      - LOGIN_RATELIMIT_SECONDS=60
      - ADMIN_RATELIMIT_MAX_BURST=10
      - ADMIN_RATELIMIT_SECONDS=60
      - ADMIN_TOKEN=token
      - SENDS_ALLOWED=true
      - EMERGENCY_ACCESS_ALLOWED=true
      - WEB_VAULT_ENABLED=true
      - SIGNUPS_ALLOWED=true

The Volume Mapping to the certificates was just me trying it out so maybe its working if I map it like that.

If I open the 8129 in my Browser it will just time out. I also managed it to start but it wouldnt let me register as theres not https certificate.

  • Kangie@lemmy.srcfiles.zip
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    1
    ·
    1 year ago

    Here’s the secret to stuff like this:

    Run a single reverse proxy / edge router for all of your containerised services.

    I recommend Traefik - https://gitlab.com/Matt.Jolly/traefik-grafana-prometheus-docker

    You can configure services with labels attached to the container and (almost) never expose ports directly. It also lets you host an arbitrary number of services listening on 80/443.

    An example config might look like this:

    # docker-compose.yml
    version: '3.9'
    
    services:
      bitwarden:
        image: vaultwarden/server:latest
        restart: always
        volumes:
          - /data/vaultwarden/:/data
        environment:
    #      - ADMIN_TOKEN=
          - WEBSOCKET_ENABLED=true
        networks:
          - proxy
        labels:
          - traefik.enable=true
          - traefik.http.routers.bitwarden-ui-https.tls.certresolver=letsencrypt
          - traefik.http.middlewares.redirect-https.redirectScheme.scheme=https
          - traefik.http.middlewares.redirect-https.redirectScheme.permanent=true
          - traefik.http.routers.bitwarden-ui-https.rule=Host(`my.domain.com`)
          - traefik.http.routers.bitwarden-ui-https.entrypoints=websecure
          - traefik.http.routers.bitwarden-ui-https.tls=true
          - traefik.http.routers.bitwarden-ui-https.service=bitwarden-ui
          - traefik.http.routers.bitwarden-ui-http.rule=Host(`my.domain.com`)
          - traefik.http.routers.bitwarden-ui-http.entrypoints=web
          - traefik.http.routers.bitwarden-ui-http.middlewares=redirect-https
          - traefik.http.routers.bitwarden-ui-http.service=bitwarden-ui
          - traefik.http.services.bitwarden-ui.loadbalancer.server.port=80
          - traefik.http.routers.bitwarden-websocket-https.rule=Host(`my.domain.com) && Path(`/notifications/hub`)
          - traefik.http.routers.bitwarden-websocket-https.entrypoints=websecure
          - traefik.http.routers.bitwarden-websocket-https.tls=true
          - traefik.http.routers.bitwarden-websocket-https.service=bitwarden-websocket
          - traefik.http.routers.bitwarden-websocket-http.rule=Host(`my.domain.com`) && Path(`/notifications/hub`)
          - traefik.http.routers.bitwarden-websocket-http.entrypoints=web
          - traefik.http.routers.bitwarden-websocket-http.middlewares=redirect-https
          - traefik.http.routers.bitwarden-websocket-http.service=bitwarden-websocket
          - traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012
    
    • emhl@feddit.de
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      1
      ·
      1 year ago

      Using traefik as your first reverse proxy might be a bit daunting. Caddy or “nginx reverse proxy” are much easier to configure.

      • 7Sea_Sailor@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        5
        arrow-down
        1
        ·
        1 year ago

        If you want it beginner friendly, I can recommend nginx proxy Manager, which is basically a web ui frontend for nginx. This has its own drawbacks, but makes setup very uncomplicated.

        • 子犬です@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          I agree, very beginner friendly. But also, it’s what most people are gonna need.

          I actually started with Traefik because I didn’t know any better, and I kinda wanna go back to be honest because with Traefik I was able to configure a Minecraft server, without having to expose the port. But not with NGINX Proxy Manager.l, since it only does http and shit. But I REALLY like being able to do everything via a webUI since I only have a phone to manage my server .

          So, I find myself stuck between functionality and ease of use. :(

          • 7Sea_Sailor@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            1 year ago

            You should look into NPM Streams, they’re built exactly for this purpose. It’s included by default, just another type of host.

            • 子犬です@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              I’ve tried, but I wasn’t able to get it working. I’ll look into it again though, cuz I’d love to do it all through NPM.

          • Kangie@lemmy.srcfiles.zip
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            At the end of the day Traefik isn’t that hard, especially if you know the core concepts; if you know both and have a need for Traefik I’d just use that everywhere.

          • lemmyvore@feddit.nl
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Nginx Proxy Manager can do stream hosts, which are encrypted tunnels where you can put any kind of traffic not just HTTP.

            • 子犬です@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              I’ve tried, but I wasn’t able to get it working. I’ll look into it again though, cuz I’d love to do it all through NPM.

  • Dandroid@dandroid.app
    link
    fedilink
    English
    arrow-up
    6
    ·
    1 year ago

    Seconding a reverse proxy. Once you have it set up, it’s trivial to add a subdomain, forward it to your internal port that your container is exposing, then use certbot or whatever to get a new certificate for that subdomain.

    I just use apache because I heavily use it for work, so I already know it well. But lots of people swear by nginx as well. There are lots of other options as well.

    • lemmyvore@feddit.nl
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      No need to get a certificate for ever subdomain, you can get a wildcard cert for *.your. domain.

      • Dandroid@dandroid.app
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        True. I did that for one of my domains, but it was really quite annoying to do with certbot, as you needed some sort of plugin.

        • Kangie@lemmy.srcfiles.zip
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          It’s fine with Let’sEncrypt via the DNS01 challenge; my lab typically only uses one wildcard certificate for all the services there unless I have a specific need to generate an indovidual cert for a service.

    • klangcola@reddthat.com
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Thirding a reverse proxy. Probably Nginx Proxy Manager (NPM) is the easiest reverse proxy to get started with, if you don’t want to deal with plain nginx config files

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    1 year ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    DNS Domain Name Service/System
    HTTP Hypertext Transfer Protocol, the Web
    IP Internet Protocol
    SSL Secure Sockets Layer, for transparent encryption
    nginx Popular HTTP server

    5 acronyms in this thread; the most compressed thread commented on today has 13 acronyms.

    [Thread #129 for this sub, first seen 11th Sep 2023, 03:25] [FAQ] [Full list] [Contact] [Source code]

  • Giddy@aussie.zone
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I use Nginx Proxy Manager to reverse proxy all my services including Vaultwarden -

    Setup in NPM -

    Open Nginx Proxy Manager Admin Portal
    Click Proxy Hosts
    Click Add Proxy Host
    Fill in the details
        Details tab
            Domain Names - vault.your.domain
            Scheme - http
            Forward Hostname/IP - vaultwarden (this should be the name of your vw container)
            Forward Port - 80
            Tick Block Common Exploits
            Tick Websockets Support
            Access List - Publicly Accessible
        Custom locations tab
            Add the following locations
                location 1
                    location - /notifications/hub
                    Scheme - http
                    Forward Hostname/IP - vaultwarden
                    Forward Port - 3012
                    Click the cog symbol and add the following to the textbox that appears
                        proxy_set_header Upgrade $http_upgrade;
                        proxy_set_header Connection "upgrade";
                        proxy_set_header X-Real-IP $remote_addr;
                location 2
                    location - /notifications/hub/negotiate
                    Scheme - http
                    Forward Hostname/IP - vaultwarden
                    Forward Port - 80
                    Click the cog symbol and add the following to the textbox that appears
                        proxy_set_header Host $host;
                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                        proxy_set_header X-Forwarded-Proto $scheme;
                location 3
                    location - /
                    Scheme - http
                    Forward Hostname/IP - vaultwarden
                    Forward Port - 80
                    Click the cog symbol and add the following to the textbox that appears
                        proxy_set_header Host $host;
                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                        proxy_set_header X-Forwarded-Proto $scheme;
        SSL tab
            SSL Certificate - Request a new SSL Certificate
            tick Use a DNS Challenge (or just expose port 80 if you accept the risk)
            DNS Provider - Dynu (this is my dyndns provider)
            Credentials File Content - replace YOUR_DYNU_AUTH_TOKEN with the API key from https://www.dynu.com/en-US/ControlPanel/APICredentials
            Email Address for Let's Encrypt - your email
            Tick I Agree to the Let's Encrypt Terms of Service
    Click Save
    Vaultwarden should now be accessible via https://vault.your.domain
    
    • Lobotomie@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Can I send you a pm regarding my progress so far? I’m kind off stuck at configuring everything:/