Of course you can use Docker and a container like NginxProxyManager or Traefik, but it works without as well.
I did a test installation on 2 RPi. I used 2 devices just for testing. It’s fine to host web server as well as vaultwarden on a single device.
- created a DDNS domain from a free provider
- activated regular DDNS updates using dietpi-ddns
- RPi 1 is hosting web server lighttpd
- RPi 2 is hosting vaultwarden
- on RPi 2 I was going to disable HTTPS on vaultwarden
nano /mnt/dietpi_userdata/vaultwarden/vaultwarden.env
- disable TLS
#ROCKET_TLS={certs="./cert.pem",key="./privkey.pem"}
- next to this I enabled websocket notifications
WEBSOCKET_ENABLED=true
WEBSOCKET_ADDRESS=0.0.0.0
WEBSOCKET_PORT=3012
- save the file and restart the service
systemctl restart vaultwarden.service
- vaultwarden is reachable on HTTP now
- on RPi 1 I executed dietpi-letsencrypt and was going to install certbot
- once done I requested an SSL certificate for my DDNS domain and activated the HTTP > HTTPS redirect
- lighttpd is already reachable on HTTP/HTTPS now
- SSL certificate will be automatically renewed if required by certbot
- add proxy code to lighttpd
nano /etc/lighttpd/conf-available/10-proxy.conf
- add the following
$HTTP["host"] == "your.ddns.com" {
    $HTTP["url"] == "/notifications/hub" {
        # WebSocket proxy
        proxy.server = ( "" => ("vaultwarden" => ( "host" => "192.168.0.x", "port" => 3012 )))
        proxy.forwarded = ( "for" => 1 )
        proxy.header = (
            "upgrade" => "enable",
            "connect" => "enable"
        )
    } else {
        proxy.server = ( "" => ("vaultwarden" => ( "host" => "192.168.0.x", "port" => 8001 )))
        proxy.forwarded = ( "for" => 1 )
    }
}
- add correct DDNS host and IP address
- save file, activate setting and restart service
lighty-enable-mod proxy
service lighttpd force-reload
systemctl restart lighttpd.service
- now, vaultwarden should be reachable via your.ddns.com
- testing with web browser and app was working fine,
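
As an added example (not part of the original post): a POSIX shell check that the settings in vaultwarden.env agree with what the lighttpd proxy block forwards to. The function names (env_get, proxy_ports, audit, write_samples) are hypothetical, and the two sample files are constructed from the values shown in the post.

```shell
#!/bin/sh
# Added example: cross-check vaultwarden.env against the lighttpd proxy block.

env_get() {        # env_get FILE KEY -> value of the last active (uncommented) KEY= line
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

proxy_ports() {    # proxy_ports FILE -> backend ports of proxy.server lines, in file order
    sed -n '/proxy\.server/s/.*"port"[[:space:]]*=>[[:space:]]*\([0-9]*\).*/\1/p' "$1"
}

audit() {          # audit ENV_FILE PROXY_CONF -> 0 if consistent, 1 if not
    rc=0
    if [ -n "$(env_get "$1" ROCKET_TLS)" ]; then
        echo "FAIL: ROCKET_TLS is active, but lighttpd talks plain HTTP to the backend"; rc=1
    fi
    if [ "$(env_get "$1" WEBSOCKET_ENABLED)" != "true" ]; then
        echo "FAIL: WEBSOCKET_ENABLED is not true, /notifications/hub has no backend"; rc=1
    fi
    ws_port=$(env_get "$1" WEBSOCKET_PORT)
    hub_port=$(proxy_ports "$2" | head -n 1)   # first proxy.server line is the hub block
    if [ "$ws_port" != "$hub_port" ]; then
        echo "FAIL: WEBSOCKET_PORT=$ws_port, lighttpd forwards the hub to port $hub_port"; rc=1
    fi
    if [ "$(env_get "$1" WEBSOCKET_ADDRESS)" = "0.0.0.0" ]; then
        echo "NOTE: WebSocket listener binds all interfaces without TLS; do not port-forward it"
    fi
    return $rc
}

write_samples() {  # write_samples DIR -> constructed files mirroring the post
    cat > "$1/vaultwarden.env" <<'EOF'
#ROCKET_TLS={certs="./cert.pem",key="./privkey.pem"}
WEBSOCKET_ENABLED=true
WEBSOCKET_ADDRESS=0.0.0.0
WEBSOCKET_PORT=3012
EOF
    cat > "$1/10-proxy.conf" <<'EOF'
$HTTP["host"] == "your.ddns.com" {
  $HTTP["url"] == "/notifications/hub" {
    proxy.server = ( "" => ("vaultwarden" => ( "host" => "192.168.0.x", "port" => 3012 )))
  } else {
    proxy.server = ( "" => ("vaultwarden" => ( "host" => "192.168.0.x", "port" => 8001 )))
  }
}
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp" && audit "$tmp/vaultwarden.env" "$tmp/10-proxy.conf"
```

On a real installation, pass /mnt/dietpi_userdata/vaultwarden/vaultwarden.env and /etc/lighttpd/conf-available/10-proxy.conf to audit instead of the sample files.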