Apache2 reverse proxy vaultwarden dietpi-dashboard

Hi,
so basically I want to reduce opening random ports by creating a reverse proxy
https://DietPi:5252 to https://dietpi-dashboard.[domain].[com]
https://DietPi:8001 to https://dietpi-dashboard.[domain].[com]

Can someone provide an example of an apache2 sites-available conf for these 2 (dietpi-dashboard and vaultwarden)?

hi @Joulinar

Yes, I've read that and tried to use the setup, but this is the best I get:

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin admin@gitzjoey.online
                ServerName vault.gitzjoey.online
                Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

                RewriteEngine on
                RewriteCond %{HTTP:Upgrade} =websocket [NC]
                RewriteRule /notifications/hub(.*) ws://DietPi:3012/$1 [P,L]
                ProxyPass / https://DietPi:8001/
                ProxyPreserveHost On
                ProxyRequests Off
                RequestHeader set X-Real-IP %{REMOTE_ADDR}s

                SSLEngine on
                SSLCertificateFile /etc/letsencrypt/live/gitzjoey.online/fullchain.pem
                SSLCertificateKeyFile /etc/letsencrypt/live/gitzjoey.online/privkey.pem
        </VirtualHost>
</IfModule>

but I get this error in journalctl:

Dec 07 19:35:14 DietPi apache2[12648]: [ssl:warn] [pid 12648:tid 281473458769952] AH01909: vault.gitzjoey.online:443:0 server certificate does NOT include an ID which matches the server name
Dec 07 19:35:36 DietPi apache2[18924]: [core:error] [pid 18924:tid 281472906367264] [remote 127.0.1.1:8001] AH01961:  failed to enable ssl support [Hint: if using mod_ssl, see SSLProxyEngine]
Dec 07 19:35:36 DietPi apache2[18924]: [proxy:error] [pid 18924:tid 281472906367264] AH00961: https: failed to enable ssl support for 127.0.1.1:8001 (dietpi)
Dec 07 19:35:36 DietPi vaultwarden[4063]: [2023-12-07 19:35:36.503][rocket_http::tls::listener][WARN] tls handshake with 127.0.0.1:51250 failed: tls handshake eof
Dec 07 19:35:36 DietPi apache2[18924]: [core:error] [pid 18924:tid 281473438978336] [remote 127.0.1.1:8001] AH01961:  failed to enable ssl support [Hint: if using mod_ssl, see SSLProxyEngine]
Dec 07 19:35:36 DietPi apache2[18924]: [proxy:error] [pid 18924:tid 281473438978336] AH00961: https: failed to enable ssl support for 127.0.1.1:8001 (dietpi)
Dec 07 19:35:36 DietPi vaultwarden[4063]: [2023-12-07 19:35:36.624][rocket_http::tls::listener][WARN] tls handshake with 127.0.0.1:51264 failed: tls handshake eof
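An added example, not a config from the thread or from Vaultwarden's own documentation, for the case the two AH01961/AH00961 lines point at: mod_proxy was asked to speak https:// to the backend, but its own TLS client side (SSLProxyEngine) was never switched on, so every proxied request died before the TLS handshake and Rocket logged the other end of it as "tls handshake eof". The public hostname and certificate paths below are placeholders; the https://DietPi:8001/ backend is the one from the post above.

```apache
<VirtualHost *:443>
    ServerName vault.example.com

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/vault.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/vault.example.com/privkey.pem

    # What AH01961 asks for: enable mod_ssl's client side so ProxyPass can
    # talk to an https:// backend at all.
    SSLProxyEngine On
    # The backend presents a self-signed certificate issued for "DietPi", not
    # for the public name, so peer verification would fail. Relaxing it is
    # acceptable only because this hop stays on loopback (DietPi -> 127.0.1.1
    # in the log above); with a CA-issued backend cert leave these at default.
    SSLProxyVerify none
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerCN off

    ProxyRequests Off
    ProxyPreserveHost On
    # upgrade=websocket lets the /notifications/hub websocket ride the same
    # ProxyPass instead of a separate RewriteRule (Apache 2.4.47 or newer).
    ProxyPass        / https://DietPi:8001/ upgrade=websocket
    ProxyPassReverse / https://DietPi:8001/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

The same SSLProxyEngine block applies to any other HTTPS-only backend, such as the dashboard on port 5252 from the first post. The AH01909 warning in the same log is a separate problem: the certificate under /etc/letsencrypt/live/gitzjoey.online/ does not list vault.gitzjoey.online among its Subject Alternative Names, so browsers will reject the vhost until a certificate covering that name (or a wildcard) is issued. The simpler route, which the rest of the thread takes, is to switch TLS off in Vaultwarden and proxy to plain http://localhost, which removes the need for every SSLProxy* line above.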

I've changed the config into

<VirtualHost *:443>
    SSLEngine on
    ServerName vault.gitzjoey.online

    SSLCertificateFile /etc/letsencrypt/live/gitzjoey.online/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/gitzjoey.online/privkey.pem

    ErrorLog /var/log/apache2/vaultwarden-error.log
    CustomLog /var/log/apache2/vaultwarden-access.log combined

    ProxyPass / https://DietPi:8001/ upgrade=websocket

    ProxyPreserveHost On
    ProxyRequests Off
    RequestHeader set X-Real-IP %{REMOTE_ADDR}s
    # Add this line if your url attributes are reported back as http://... :
    RequestHeader add X-Forwarded-Proto https
</VirtualHost>

but I'm having an issue with the Rocket web service;
in journalctl:
[2023-12-09 13:24:24.718][rocket_http::tls::listener][WARN] tls handshake with 127.0.0.1:56740 failed: tls handshake eof

Better to disable SSL within vaultwarden, as HTTPS is done by the reverse proxy now. There are a couple of descriptions within the forum of how to do it.

<VirtualHost *:443>
    SSLEngine on
    ServerName vault.gitzjoey.online

    SSLCertificateFile /etc/letsencrypt/live/gitzjoey.online/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/gitzjoey.online/privkey.pem

    ErrorLog /var/log/apache2/vaultwarden-error.log
    CustomLog /var/log/apache2/vaultwarden-access.log combined

    ProxyPass / http://DietPi:8001/ upgrade=websocket

    ProxyPreserveHost On
    ProxyRequests Off
    RequestHeader set X-Real-IP %{REMOTE_ADDR}s
    # Add this line if your url attributes are reported back as http://... :
    RequestHeader add X-Forwarded-Proto https
</VirtualHost>

replacing https://DietPi with http://DietPi,
but the Rocket error keeps coming; honestly, I don't really understand websockets in vaultwarden.

vaultwarden[72386]: [2023-12-09 20:01:47.386][rocket_http::tls::listener][WARN] tls handshake with 127.0.0.1:44546 failed: received corrupt message of type InvalidContentType

BTW, I was just crawling through the DietPi-Dashboard GitHub issues and also found some threads from @MichaIng about adding reverse-proxy ability to it.

**update
Just realized it's stated in the docs that I need to disable the Rocket websocket when using a reverse proxy:

The examples below assume you are running in this configuration, in which case you should not enable the HTTPS functionality built into Vaultwarden (i.e., you should not set the ROCKET_TLS environment variable). If you do, connections will fail since the reverse proxy is using HTTP to connect to Vaultwarden, but you're configuring Vaultwarden to expect HTTPS.

As stated above already, you need to disable SSL within the vaultwarden configuration. We have a couple of examples for different web servers in our forum, including a step-by-step guide.

I'd appreciate it if you can share a URL/link to the step-by-step guide (especially for apache2).

Anyway, I've succeeded.
Sharing the config for others, if interested:

<VirtualHost *:443>
    SSLEngine on
    ServerName vault.gitzjoey.online

    SSLCertificateFile /etc/letsencrypt/live/gitzjoey.online/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/gitzjoey.online/privkey.pem

    ErrorLog /var/log/apache2/vaultwarden-error.log
    CustomLog /var/log/apache2/vaultwarden-access.log combined

    ProxyPass / http://localhost:8000/ upgrade=websocket

    ProxyPreserveHost On
    ProxyRequests Off
    RequestHeader set X-Real-IP %{REMOTE_ADDR}s
    # Add this line if your url attributes are reported back as http://... :
    #RequestHeader add X-Forwarded-Proto https
</VirtualHost>

The important thing is to comment out (remark) all the ROCKET websocket lines in vaultwarden.conf.
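An added example, not code from the thread or from the Vaultwarden/DietPi projects: a small linter that checks the two files this setup depends on, the Apache vhost and the Vaultwarden env file, for the exact mismatches that produced the errors quoted in this thread (an https:// backend without SSLProxyEngine, ROCKET_TLS still set while Apache talks plain HTTP to it, and a ProxyPass port that does not match ROCKET_PORT). The sample vhosts and env files are constructed inline from the configs above; the env-file layout and the paths in it are assumptions, so point the functions at your real /etc/apache2/sites-available/ file and vaultwarden.conf when using it.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Vaultwarden/DietPi projects:
# a linter for the two files in this setup, the Apache vhost and the Vaultwarden
# env file. It flags what produced the errors quoted above: an https:// backend
# without SSLProxyEngine (AH01961/AH00961), ROCKET_TLS still set while Apache
# speaks plain HTTP to Vaultwarden ("tls handshake eof"), and a ProxyPass port
# that does not match ROCKET_PORT. Paths and the env-file layout are assumed.

# First ProxyPass target of a vhost file, e.g. https://DietPi:8001/
proxy_target() { awk '$1 == "ProxyPass" { print $3; exit }' "$1"; }

# Port of that target; 443/80 when the URL carries no explicit port.
vhost_port() {
    t=$(proxy_target "$1"); hp=${t#*://}; hp=${hp%%/*}
    case $hp in
        *:*) echo "${hp##*:}" ;;
        *)   [ "${t%%://*}" = https ] && echo 443 || echo 80 ;;
    esac
}

# check_vhost FILE: prints FAIL/WARN lines; returns 0 only if nothing FAILed.
check_vhost() {
    f=$1; rc=0; t=$(proxy_target "$f")
    if [ -z "$t" ]; then echo "FAIL $f: no ProxyPass directive"; return 1; fi
    scheme=${t%%://*}; host=${t#*://}; host=${host%%/*}; host=${host%%:*}
    if [ "$scheme" = https ] && ! grep -Eiq '^[[:space:]]*SSLProxyEngine[[:space:]]+on' "$f"; then
        echo "FAIL $f: ProxyPass to $t without 'SSLProxyEngine On' (mod_proxy logs AH01961/AH00961)"; rc=1
    fi
    if grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+on' "$f"; then
        echo "FAIL $f: 'ProxyRequests On' turns this vhost into an open forward proxy"; rc=1
    fi
    if ! grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on' "$f"; then
        echo "FAIL $f: no 'SSLEngine on'; clients would reach the vault over plain HTTP"; rc=1
    fi
    case $host in
        localhost|127.*|::1|DietPi) ;;   # "DietPi" resolved to 127.0.1.1 in the logs above
        *) echo "WARN $f: backend '$host' is not loopback; make sure its port is firewalled" ;;
    esac
    if ! awk '$1 == "ProxyPass" && /upgrade=websocket/ { ok = 1 } END { exit !ok }' "$f" \
       && ! grep -Eq '^[[:space:]]*RewriteRule.*wss?://' "$f"; then
        echo "WARN $f: no websocket handling; /notifications/hub will not be proxied"
    fi
    grep -Eq '^[[:space:]]*RequestHeader[[:space:]]+(set|add)[[:space:]]+X-Forwarded-Proto[[:space:]]+"?https' "$f" \
        || echo "WARN $f: X-Forwarded-Proto https not set; Vaultwarden may build http:// URLs"
    return $rc
}

# check_vw_env FILE PORT: the Vaultwarden side; PORT is what the vhost proxies to.
check_vw_env() {
    f=$1; want=$2; rc=0
    if grep -Eq '^[[:space:]]*ROCKET_TLS[[:space:]]*=' "$f"; then
        echo "FAIL $f: ROCKET_TLS is set but the proxy speaks plain HTTP to Vaultwarden ('tls handshake eof')"; rc=1
    fi
    addr=$(sed -n 's/^[[:space:]]*ROCKET_ADDRESS[[:space:]]*=[[:space:]]*//p' "$f" | tr -d '"')
    port=$(sed -n 's/^[[:space:]]*ROCKET_PORT[[:space:]]*=[[:space:]]*//p' "$f" | tr -d '"')
    [ -n "$addr" ] || addr=127.0.0.1   # Rocket's defaults when unset
    [ -n "$port" ] || port=8000
    case $addr in
        127.*|localhost|::1) ;;
        *) echo "WARN $f: ROCKET_ADDRESS=$addr is reachable without going through Apache; bind to 127.0.0.1" ;;
    esac
    if [ "$port" != "$want" ]; then
        echo "FAIL $f: ROCKET_PORT=$port but the vhost proxies to port $want"; rc=1
    fi
    return $rc
}

# Constructed samples: the thread's first vhost (https backend, no SSLProxyEngine),
# its final working one, and an env file for each.
DEMO=$(mktemp -d)
cat > "$DEMO/broken.conf" <<'EOF'
<VirtualHost _default_:443>
    ServerName vault.example.com
    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /notifications/hub(.*) ws://DietPi:3012/$1 [P,L]
    ProxyPass / https://DietPi:8001/
    ProxyRequests Off
    SSLEngine on
</VirtualHost>
EOF
cat > "$DEMO/fixed.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    ServerName vault.example.com
    ProxyPass / http://localhost:8000/ upgrade=websocket
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
EOF
printf 'ROCKET_ADDRESS=0.0.0.0\nROCKET_PORT=8001\nROCKET_TLS={certs="/tmp/cert.pem",key="/tmp/key.pem"}\n' > "$DEMO/vw_tls.env"
printf 'ROCKET_ADDRESS=127.0.0.1\nROCKET_PORT=8000\n# ROCKET_TLS={certs="/tmp/cert.pem",key="/tmp/key.pem"}\n' > "$DEMO/vw_ok.env"

for v in broken fixed; do echo "== $v.conf"; check_vhost "$DEMO/$v.conf" && echo "OK: vhost"; done
echo "== vw_tls.env"; check_vw_env "$DEMO/vw_tls.env" "$(vhost_port "$DEMO/broken.conf")" && echo "OK: env"
echo "== vw_ok.env";  check_vw_env "$DEMO/vw_ok.env"  "$(vhost_port "$DEMO/fixed.conf")"  && echo "OK: env"
```

Run it once after editing either file and before `systemctl reload apache2`: the broken pair reports the SSLProxyEngine and ROCKET_TLS failures plus a warning that ROCKET_ADDRESS=0.0.0.0 leaves port 8001 reachable without going through the proxy, which is the "random open port" the first post wanted to get rid of; the fixed pair passes cleanly. The loopback check on the backend host is the security-relevant part: once Apache terminates TLS, Vaultwarden must only be reachable from the proxy, otherwise the whole exercise just adds a second, plaintext door.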

Not for Apache but should be similar.