Confused Reverse proxy and vaultwarden



I decided to purchase a domain name and SSL from Namecheap that allows A records to update dynamically.

Sorry, I’m fairly new to this. How do I set up dietpi-letsencrypt and vaultwarden with this SSL?

I don’t think it was needed to purchase anything. There are quite a few free DDNS providers available.

To use dietpi-letsencrypt, you would need to forward port 80/443 from your router to your DietPi system. Once done, run the command dietpi-letsencrypt from the command line and enter your data to generate your SSL certificate.

Sorry for sounding dumb. I used to work in IT years ago before I got sick and I’ve forgotten all my nix stuff.

I’ve created my own cert but vaultwarden doesn’t like it. I was following MichaIng’s reply that said I need to apply for a public one.

How do I use my public SSL on my local system?

I’ve also been trying for a while to get my own certificate to run locally.
Unfortunately nothing.
Now it works with nginx proxy manager.
Nginx with docker, and forward there via the open port.
But it only works if no other service uses port 80/443.
My tip: use an extra Raspberry Pi for your project.
I installed docker with dietpi and then added the docker images nginx and vaultwarden.
Everything in 10 minutes.

Thanks for your reply. I just found this https://www.youtube.com/watch?v=b83S_N1kkJM https://dbtechreviews.com/2020/04/how-to-install-traefik-on-omv-and-docker/

Of course you can use Docker and containers like NginxProxyManager or Traefik, but it’s working without them as well.

I did a test installation on 2 RPi. I used 2 devices just for testing. It’s fine to host web server as well as vaultwarden on a single device.

  1. created a DDNS domain from a free provider
  2. activated regular DDNS updates using dietpi-ddns
  3. RPi 1 is hosting the web server lighttpd
  4. RPi 2 is hosting vaultwarden
  5. on RPi 2 I was going to disable HTTPS on vaultwarden

     nano /mnt/dietpi_userdata/vaultwarden/vaultwarden.env

  6. disable TLS

     #ROCKET_TLS={certs="./cert.pem",key="./privkey.pem"}

  7. next to this I enabled websocket notifications

     WEBSOCKET_ENABLED=true
     WEBSOCKET_ADDRESS=0.0.0.0
     WEBSOCKET_PORT=3012

  8. save the file and restart the service

     systemctl restart vaultwarden.service

  9. vaultwarden is reachable on HTTP now
  10. on RPi 1 I executed dietpi-letsencrypt and was going to install certbot
  11. once done I requested an SSL certificate for my DDNS domain and activated the redirect HTTP > HTTPS
  12. lighttpd is already reachable on HTTP/HTTPS now
  13. the SSL certificate will be automatically renewed by certbot if required
  14. add proxy code to lighttpd

     nano /etc/lighttpd/conf-available/10-proxy.conf

  15. add the following

     $HTTP["host"] == "your.ddns.com" {
         $HTTP["url"] == "/notifications/hub" {
             # WebSocket proxy
             proxy.server  = ( "" => ("vaultwarden" => ( "host" => "192.168.0.x", "port" => 3012 )))
             proxy.forwarded = ( "for" => 1 )
             proxy.header = (
                 "upgrade" => "enable",
                 "connect" => "enable"
             )
         } else {
             proxy.server  = ( "" => ("vaultwarden" => ( "host" => "192.168.0.x", "port" => 8001 )))
             proxy.forwarded = ( "for" => 1 )
         }
     }

  16. add the correct DDNS host and IP address
  17. save the file, activate the setting and restart the service

     lighty-enable-mod proxy
     service lighttpd force-reload
     systemctl restart lighttpd.service

  18. now, vaultwarden should be reachable via your.ddns.com
  19. testing with web browser and app was working fine.

Hi to all, sorry to reup the topic.

I followed the instructions from Joulinar and obtained a working Vaultwarden server accessible from my DDNS “site”. The problem starts when I want to access other webapps on the server (in my case nextcloud); it seems that the above configuration redirects *all* the traffic to the vaultwarden server. For example, if I point the browser to “my.site/nextcloud” I receive a response from the vaultwarden ROCKET webserver. I read the documentation in the vaultwarden github and found:
"To enable WebSockets notifications, an external reverse proxy is necessary, and it must be configured to do the following:

Route the /notifications/hub endpoint to the WebSocket server, by default at port 3012, making sure to pass the Connection and Upgrade headers. (Note the port can be changed with WEBSOCKET_PORT variable)
Route everything else, including /notifications/hub/negotiate, to the standard Rocket server, by default at port 80."
So, it seems to me that the 10-proxy configuration file is redirecting all the traffic to the vaultwarden web server. My question is: is there a possible workaround to this using lighttpd? I tried to understand what the script really does but I’m confused about the
$HTTP["url"] == "/notifications/hub" {
string. Sorry for my English and thanks in advance!
Marco

Basically the config above is doing 3 things.

  1. it is reacting on a specific domain “your.ddns.com”
  2. requests for the sub folder “/notifications/hub” will be redirected to the vaultwarden websocket notifications server on port 3012.
  3. all other requests will be redirected to the vaultwarden web server on port 8001

Specifying nextcloud as a sub folder will not have any effect, as it will be covered by point 3 and the request forwarded to the vaultwarden web server if using the specific domain “your.ddns.com”. At least this is what I’m guessing, as I’m not a reverse proxy specialist.

Best would be if you reconfigure vaultwarden to work on a sub path. https://github.com/dani-garcia/vaultwarden/wiki/Using-an-alternate-base-dir

This way it’s possible to differentiate between nextcloud and vaultwarden. The proxy configuration would need to be adjusted as well to redirect according to the sub path:

$HTTP["host"] == "dietpi.example.com" {
    $HTTP["url"] == "/notifications/hub" {
        # WebSocket proxy
        proxy.server  = ( "" => ("vaultwarden" => ( "host" => "192.168.0.x", "port" => 3012 )))
        proxy.forwarded = ( "for" => 1 )
        proxy.header = (
            "upgrade" => "enable",
            "connect" => "enable"
        )
    } else {
        $HTTP["url"] == "/vault" {
            proxy.server  = ( "" => ("vaultwarden" => ( "host" => "192.168.0.x", "port" => 8001 )))
            proxy.forwarded = ( "for" => 1 )
        }
    }
}

First of all, thanks for the reply.

Finally I tried putting vaultwarden in a sub folder (/vw). I altered the proxy configuration following your tips too. Now I’m able to reach /nextcloud and /vw correctly but I’m facing one last problem: vaultwarden does not work.

The WIKI https://github.com/dani-garcia/vaultwarden/wiki/Using-an-alternate-base-dir says:

"You should now be able to access the web vault at https://bitwarden.example.com/base-dir/ (note the trailing slash). For reasons not entirely clear, you’ll probably run into issues if you use https://bitwarden.example.com/base-dir (without the trailing slash)."

while I’m currently being redirected to 192.168.0.x:8081/vw (without the trailing slash).

If I try to access vaultwarden from inside my LAN with the trailing slash I’m able to view the login page (from the bitwarden app for android too), but nothing works because of the lack of https.

I tried putting $HTTP["url"] == "/vw/" (with the trailing slash) but I’m always redirected inside my LAN without the slash.

Thanks and sorry for my english!

Marco

OK, I was playing with it and this one was working for me:

$HTTP["host"] == "demo.com" {
    $HTTP["url"] =~ "^/notifications/hub($|/)" {
        # WebSocket proxy
        proxy.server  = ( "" => ("vaultwarden" => ( "host" => "192.168.0.x", "port" => 3012 )))
        proxy.forwarded = ( "for" => 1 )
        proxy.header = (
            "upgrade" => "enable",
            "connect" => "enable"
        )
    } else {
        $HTTP["url"] =~ "^/vault($|/)" {
            proxy.server  = ( "" => ("vaultwarden" => ( "host" => "192.168.0.x", "port" => 8001 )))
            proxy.forwarded = ( "for" => 1 )
        }
    }
}

Now I’m able to access vaultwarden using http://demo.com/vault/

The trailing slash is still something to be added within the URL.

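To make the difference between the two proxy configurations in this thread concrete, here is a small model of lighttpd's `$HTTP["url"]` matching (an added example, not part of the thread and not lighttpd code): `==` is an exact string comparison on the request path, `=~` is a regex match, and rules are evaluated in order, which is why `/vault/` and `/vault/api/...` fall through to lighttpd's own document root under the first config but reach the Rocket backend under the second. The backend labels and sample paths are constructed for the example.

```python
import re

# Model of the two lighttpd mod_proxy rule sets posted in the thread (constructed labels).
# Each rule is (operator, pattern, backend); lighttpd evaluates them in order.
FIRST_CONFIG = [                      # the "==" version: exact path match only
    ("==", "/notifications/hub", "vaultwarden-ws:3012"),
    ("==", "/vault", "vaultwarden-rocket:8001"),
]
REGEX_CONFIG = [                      # the "=~" version that made /vault/ work
    ("=~", r"^/notifications/hub($|/)", "vaultwarden-ws:3012"),
    ("=~", r"^/vault($|/)", "vaultwarden-rocket:8001"),
]
LOCAL = "lighttpd-docroot"            # no rule matched: lighttpd serves its own files (e.g. /nextcloud)


def route(url, rules):
    """Return the backend chosen for a request URL, or LOCAL if no rule matches."""
    path = url.split("?", 1)[0]       # $HTTP["url"] is the path without the query string
    for op, pattern, backend in rules:
        if op == "==" and path == pattern:
            return backend
        if op == "=~" and re.search(pattern, path):   # PCRE-style match, anchored by the pattern itself
            return backend
    return LOCAL


def routing_table(paths, rules):
    """Map every sample path to the backend a given rule set selects."""
    return {p: route(p, rules) for p in paths}


# Constructed request paths a browser or the Bitwarden app would issue against the proxy.
SAMPLE_PATHS = [
    "/vault", "/vault/", "/vault/api/accounts/prelogin",
    "/notifications/hub", "/notifications/hub/negotiate",
    "/nextcloud/index.php/login",
]

if __name__ == "__main__":
    for name, rules in (("== config", FIRST_CONFIG), ("=~ config", REGEX_CONFIG)):
        print(name)
        for path, backend in routing_table(SAMPLE_PATHS, rules).items():
            print(f"  {path:40} -> {backend}")
```

Note that `^/notifications/hub($|/)` also captures `/notifications/hub/negotiate`, which the vaultwarden wiki text quoted earlier in the thread says belongs to the Rocket server rather than the WebSocket port; anchoring that rule with `$` instead keeps the two apart.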

Thanks, it works! Now I’m able to login to vaultwarden and nextcloud simultaneously :smiley: :smiley: :smiley: !

Now I’m curious to know where you found the syntax of the lighttpd reverse proxy; I tried to find something but without success!

Anyway, thanks!

Marco.

good question :stuck_out_tongue:

  1. Basically I started using the Lighttpd template available on the vaultwarden GitHub Wiki https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
  2. did some trial and error to adjust it to our needs to get NextCloud available
  3. and finally reused some parts from the NextCloud web server configuration files to optimize the proxy configuration

TL;DR: playing with it until it was working :smiley:


Hi, Joulinar, would you help me get vaultwarden to work too?

I’ve done every one of your steps in the above posts, and when accessing myddns:8001 I get a timeout after a while.

The difference from your setup is that I have letsencrypt and vaultwarden on the same Odroid.

I have also opened port 8001…

I made the changes in lighttpd, also with the ones in the proxy examples on GitHub.

The logs I get:

Dec 15 10:43:45 DietPi systemd[1]: Started vaultwarden Server (Rust Edition).
Dec 15 10:43:45 DietPi vaultwarden[14083]: /--------------------------------------------------------------------\
Dec 15 10:43:45 DietPi vaultwarden[14083]: |                        Starting Vaultwarden                        |
Dec 15 10:43:45 DietPi vaultwarden[14083]: |--------------------------------------------------------------------|
Dec 15 10:43:45 DietPi vaultwarden[14083]: | This is an *unofficial* Bitwarden implementation, DO NOT use the   |
Dec 15 10:43:45 DietPi vaultwarden[14083]: | official channels to report bugs/features, regardless of client.   |
Dec 15 10:43:45 DietPi vaultwarden[14083]: | Send usage/configuration questions or feature requests to:         |
Dec 15 10:43:45 DietPi vaultwarden[14083]: |   https://vaultwarden.discourse.group/                             |
Dec 15 10:43:45 DietPi vaultwarden[14083]: | Report suspected bugs/issues in the software itself at:            |
Dec 15 10:43:45 DietPi vaultwarden[14083]: |   https://github.com/dani-garcia/vaultwarden/issues/new            |
Dec 15 10:43:45 DietPi vaultwarden[14083]: \--------------------------------------------------------------------/
Dec 15 10:43:45 DietPi vaultwarden[14083]: [INFO] No .env file found.
Dec 15 10:43:45 DietPi vaultwarden[14083]: [2021-12-15 10:43:45.235][parity_ws][INFO] Listening for new connections on 0.0.0.0:3012.
Dec 15 10:43:45 DietPi vaultwarden[14083]: [2021-12-15 10:43:45.243][start][INFO] Rocket has launched from http://0.0.0.0:8001
Dec 15 10:44:45 DietPi vaultwarden[14083]: [2021-12-15 10:44:45.229][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins
Dec 15 10:45:45 DietPi vaultwarden[14083]: [2021-12-15 10:45:45.230][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins
Dec 15 10:46:45 DietPi vaultwarden[14083]: [2021-12-15 10:46:45.230][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins
Dec 15 10:47:45 DietPi vaultwarden[14083]: [2021-12-15 10:47:45.232][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins

What is strange are the lines about listening for new connections from http://0.0.0.0:8001 and that Rocket has launched from there. I thought Rocket didn’t have to start if I was using the letsencrypt SSL mode.

The SSL is working fine, because on another port where I have installed Home Assistant it is working…

I run out of ideas…

Maybe there is a misunderstanding. The above steps are used to set up a reverse proxy on a web server to be able to connect to vaultwarden without any specific port needed. This means you could access vaultwarden like http://demo.com/vault/

The question now is what exactly you would like to do?
How would you like to access vaultwarden?
What configuration have you changed already?
Did you set up a reverse proxy?

I have answered on your quote, sorry.

If you set up a reverse proxy, why are you trying to access it via port number? myddns:8001 ?? How did you set up the reverse proxy?

Because I don’t know what I am doing… :cry:

This is my config:

$HTTP["host"] == "my.ddns.net" {
    $HTTP["url"] == "/notifications/hub" {
        # WebSocket proxy
        proxy.server  = ( "" => ("vaultwarden" => ( "host" => "192.168.1.3", "port" => 3012 )))
        proxy.forwarded = ( "for" => 1 )
        proxy.header = (
            "https-remap" => "enable",
            "upgrade" => "enable",
            "connect" => "enable"
        )
    } else {
        proxy.server  = ( "" => ("vaultwarden" => ( "host" => "192.168.1.3", "port" => 8001 )))
        proxy.forwarded = ( "for" => 1 )
        proxy.header = ( "https-remap" => "enable" )
    }
}

I have to say that in my router I have redirected port 443 to another port where Home Assistant is; I say it in case it matters…
So if I go to my.ddns.net it went to the Home Assistant login page; now it doesn’t, I imagine because of the reverse proxy rule.

Usually the idea of a reverse proxy is to use it as a gateway and to pass all https/http traffic via the proxy (including HomeAssistant).

It will looks like this graphic https://synaptica.info/wp-content/uploads/2021/04/reverse-proxy.png

Means port 80/443 is forwarded to your proxy and not to an application directly. As well, the proxy is doing the SSL certificate handling, instead of managing certificates on each app.

But in your case, let’s keep it simple as is and have port 443 forwarded to HA.

To get vaultwarden accessible from the outside world, just revert all the changes you did. Activate https again and remove the proxy configuration.

I understand the proxy part now…

I reverted the vaultwarden conf file, which I had backed up, and disabled proxy mode, but it still timed out.

I rebooted, and I can get in, but without HTTPS.

Could you reboot your system and share the following afterwards:

journalctl -u vaultwarden.service