Confused Reverse proxy and vaultwarden


I’m really confused on how to setup a reverse proxy using lighttpd for vaultwarden. I’ve tried this config but lighttpd refuse to restart and I’m totally lost.

I understand there’s security risks but I need a password manager that syncs with my phone and PC.

Does any one had a guide for a noob like me to set this up?

Please move this in the wrong section

Thanks for any help

into which file you have added the configuration?

Could you share following pls

/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf

There’s no output. I deleted the entries that I copied from the site I mentioned when lighttpd couldn’t restart

ok and where did you added the config to before you removed it again?

Thanks for your replies.

I added it to /etc/lighttpd/conf-available/10-proxy.conf

usually that would be the correct place but you would need to take care not to simple copy the code section as it contains server.modules += ( “mod_proxy” ) which is already present in 10-proxy.conf :slight_smile:

Nope it didn’t working. I’ll try it again and see what the output is to the command you asked me to run previously

maybe you can share 10-proxy.conf

Btw: port for vaultwarden is 8001 and not 4567 as in the example.

This is the output

2021-09-24 23:29:34: sock_addr.c.435) getaddrinfo failed: Name or service not known ‘’
2021-09-24 23:29:34: server.c.1517) Configuration of plugins failed. Going down.

pls share your config file

BTW: Is there a strong need to lighttpd? It’s not the best choice for a revers proxy

I fixed the server by replacing with my local IP address but the app on my phone still gives me

"Exception message: Hostname (removed my url) not verified: certificate DN: CN DietPi Vaultwarden subjectAltNames [, and my Server name].

I’m newish to linux and lighttpd was just installed automatically with the apps. Would I have to do heaps of config to use Apache instead?

Here is my config file:

# /usr/share/doc/lighttpd/proxy.txt

server.modules   += ( "mod_proxy" )

## Balance algorithm, possible values are: "hash", "round-robin" or "fair" (default)
# proxy.balance     = "hash"

## Redirect all queries to files ending with ".php" to
#proxy.server     = ( ".php" =>
#                     (
#                       ( "host" => "",
#                         "port" => 80
#                       )
#                     )
#                    )

## Redirect all connections on to{0,1,2,3}
#$HTTP["host"] == "" {
#  proxy.balance = "hash"
#  proxy.server  = ( "" => ( ( "host" => "" ),
#                            ( "host" => "" ),
#                            ( "host" => "" ),
#                            ( "host" => "" ) ) )

$HTTP["host"] == "" {
    $HTTP["url"] == "/notifications/hub" {
       # WebSocket proxy
       proxy.server  = ( "" => ("vaultwarden" => ( "host" => "", "port" => 3012 )))
       proxy.forwarded = ( "for" => 1 )
       proxy.header = (
           "https-remap" => "enable",
           "upgrade" => "enable",
           "connect" => "enable"
    } else {
       proxy.server  = ( "" => ("vaultwarden" => ( "host" => "", "port" => 8001 )))
       proxy.forwarded = ( "for" => 1 )
       proxy.header = ( "https-remap" => "enable" )

looks like your app did not accept the SSL certificate which is logic as the certificate is a self signed one.

Question: do you plan to access vaultwarden from internet or from local only.

I would like to access my passwords etc when not at home.

Then I suggest to apply a public TLS certificate, e.g. via dietpi-letsencrypt and apply this to vaultwarden as well. This way you also avoid the process of importing the certificate into the client’s OS CA store.

Or to have the certificate on lighttpd only and switch vaultwarden to HTTP ?

Something I would need to test if it is working this way.

I decided to purchase a domain name and SSL from name cheap that allows a records to dynamically update.

Sorry I’m fairly new to this, how do I setup dietpi-letsencrypt and vaultwardem with this SSL?

I don’t think it was needed to purchase anything. There are quite some free DDNS provider available.

to use dietpi-letsencrypt, you would need to forward port 80/443 from your router to your DietPi system. Once done run command dietpi-letsencrypt from command line and enter your data to generate your SSL certificate.

Sorry for sounding dumb. I used to work in IT years ago before I got sick and I’ve forgotten all my nix stuff.

I’ve created my own cert but the vaultwarden doesn’t like it. I was following MichaIng reply that said I need to apply for a public one.

How do I use my public SSL on my local system?

I’ve also been trying for a while to get my own certificate to run locally.
unfortunately nothing.
Now it works with nginx proxy manager.
Nginx with docker and forward there via the open port.
But it only works if no other service uses port 80/443
my tip: use an extra raspy for your project.
i installed docker with dietpi and then added the docker images nginx and vaultwarden.
everything in 10 minutes.

Thanks for your reply. I just found this