Confused Reverse proxy and vaultwarden

Good morning Joulinar,

This is the log:

root@DietPi:~# journalctl -u vaultwarden.service
-- Logs begin at Thu 2019-02-14 11:11:58 CET, end at Thu 2021-12-16 11:09:52 CET. --
Dec 16 11:08:34 DietPi systemd[1]: Started vaultwarden Server (Rust Edition).
Dec 16 11:08:34 DietPi vaultwarden[2527]: /--------------------------------------------------------------------\
Dec 16 11:08:34 DietPi vaultwarden[2527]: |                        Starting Vaultwarden                        |
Dec 16 11:08:34 DietPi vaultwarden[2527]: |--------------------------------------------------------------------|
Dec 16 11:08:34 DietPi vaultwarden[2527]: | This is an *unofficial* Bitwarden implementation, DO NOT use the   |
Dec 16 11:08:34 DietPi vaultwarden[2527]: | official channels to report bugs/features, regardless of client.   |
Dec 16 11:08:34 DietPi vaultwarden[2527]: | Send usage/configuration questions or feature requests to:         |
Dec 16 11:08:34 DietPi vaultwarden[2527]: |   https://vaultwarden.discourse.group/                             |
Dec 16 11:08:34 DietPi vaultwarden[2527]: | Report suspected bugs/issues in the software itself at:            |
Dec 16 11:08:34 DietPi vaultwarden[2527]: |   https://github.com/dani-garcia/vaultwarden/issues/new            |
Dec 16 11:08:34 DietPi vaultwarden[2527]: \--------------------------------------------------------------------/
Dec 16 11:08:34 DietPi vaultwarden[2527]: [INFO] No .env file found.
Dec 16 11:08:35 DietPi vaultwarden[2527]: [2021-12-16 11:08:35.383][start][INFO] Rocket has launched from https://0.0.0.0:8001

Today I can access it with https, but Firefox tells me to make an exception, and it serves the page without HTTPS.

What do I have to do to activate https?

On a default setup, vaultwarden is using self-signed certificates. Usually they are not accepted by modern browsers or the Bitwarden app. But in Firefox it should be possible to accept the risk and continue with an exception.

To get a correct and valid certificate, you would need to configure vaultwarden and set the correct path to your certificate files.

ROCKET_TLS={certs="./cert.pem",key="./privkey.pem"}

I got it working now, with the proxy option, but as you said, then I don’t have the option of using myddns:port. And if I use that, the no-port option, then I lose the Pi-hole admin… I don’t know if that is a problem, but I would love to have everything without losing almost anything…

Could I do that?

What you refer to is using the Rocket SSL option as described on the vaultwarden GitHub, no? They say it is a bit immature…

First you would need to make clear to yourself how the final solution should look.

Do you want to use a reverse proxy and configure all apps to use it?
Or do you want to access each app individually, having each app configured on its own to support/provide SSL access?

Once you are clear, you could start working on it.

I think the best option is to use the reverse proxy, but without losing any other thing like the Pi-hole admin panel.

If I don’t use that option, is there a way of not using Rocket to have SSL with Let’s Encrypt and no reverse proxy? Like for example HA, which uses a port?

Is there a way of not using Rocket to have SSL with lets encrypt and no reverse proxy?

maybe a misunderstanding

ROCKET_PORT and ROCKET_TLS are the parameters used to specify the HTTP/S port and the SSL certificate used by vaultwarden to enable SSL access. If you have any questions about these parameters you might need to reach out to the vaultwarden developers to get a deeper explanation.

Got it working Joulinar now…

Thank you so much as always!

Maybe you would like to share what you have done to get it working. Probably someone else might be interested in it as well :wink:

Of course!

Just open TCP port 8001

and then in the config file vaultwarden.env just modify the var:

ROCKET_TLS={certs="/etc/letsencrypt/live/yoururl.ddns.net/cert.pem",key="/etc/letsencrypt/live/yoururl.ddns.net/privkey.pem"}

let’s summarize

  • I install nextcloud and vaultwarden
  • using web server lighttpd
  • I create a domain in duckdns
  • enable DDNS with dietpi-ddns
  • create cert with dietpi-letsencrypt and enable HTTPS


nano /mnt/dietpi_userdata/vaultwarden/vaultwarden.env

change the following things

IP_HEADER=X-Forwarded-For
WEBSOCKET_ENABLED=true
WEBSOCKET_ADDRESS=0.0.0.0
WEBSOCKET_PORT=3012
DOMAIN=https://domain.com
#ROCKET_TLS={certs="./cert.pem",key="./privkey.pem"}


nano /etc/lighttpd/conf-available/10-proxy.conf

I put this code in this one, remembering to put in the IP of your DietPi

$HTTP["host"] == "domain.com" {
    $HTTP["url"] =~ "^/notifications/hub($|/)" {
        # WebSocket proxy
        proxy.server = ( "" => ("vaultwarden" => ( "host" => "192.168.0.x", "port" => 3012 )))
        proxy.forwarded = ("for" => 1 )
        proxy.header = (
            "upgrade" => "enable",
            "connect" => "enable"
        )
    } else {
        $HTTP["url"] =~ "^/vault($|/)" {
            proxy.server = ( "" => ("vaultwarden" => ( "host" => "192.168.0.x", "port" => 8001 )))
            proxy.forwarded = ("for" => 1 )
        }
    }
}

the access will be like this

domain.com/nextcloud
domain.com/vault/ (the trailing slash is a MUST)

Restart and it will be working.

With this you will have access to both services anywhere without opening any port on your router


I hope someone can help me. I’ve been scratching my head with this for a couple of days now; in the end the solution I want to achieve is the same one as amibumpin, but despite following the same steps the vaultwarden service will not start when I change the ROCKET_TLS certs path. It just repeatedly spews out 2 errors:
“Logger failed to initialize: attempted to set a logger after the logging system was already initialized”
“[rocket::config::error][ERROR] I/O error while setting tls.certs:”

I’m fairly confident I’ve got things right up to this point; I have valid Let’s Encrypt certs and my Nextcloud is working flawlessly both locally and from outside the network.

Most probably vaultwarden is not able to read the certificates due to a permission issue. Basically you could copy the certs to a place where vaultwarden is able to read them, or you could allow vaultwarden access to the certs. Or as an alternative you use a reverse proxy (the web server hosting Nextcloud). This way HTTPS on vaultwarden could be disabled and no additional port would need to be opened.

Hi Joulinar,

Thanks for the response!

Do you know what the permissions should be? I’ve got the certs in the archive folder as “anyone can view, only owner can change”; the privkey is “only owner can view or change”. In the live folder the symlinks are viewable and changeable by anyone. I also tried creating symlinks in the /vaultwarden directory, changing the owner of them to vaultwarden and changing the ROCKET_TLS path to use them instead; same issue regardless.

I’ve spent hours trying to set up reverse proxy (using lighttpd) & that is its whole own nightmare which isn’t giving me satisfactory results, I feel like I’m really close with the ROCKET_TLS solution.

Theoretically, read permissions are fine. If I’m not mistaken it is the letsencrypt archive folder that has read permission for the root user only. For testing you could change it to be readable by other users.

That did it, setting the permissions of the archive folder to let anyone view has resulted in the vaultwarden service now starting correctly & working from external :smiley: .

Thanks so much!!

OK, good, it is working. But this is not the optimal result from a security point of view, as now everybody who has access to your OS will be able to read your certificate :wink:
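The cleaner fix for the permission problem discussed above, as an added example that is not from this thread, DietPi or the vaultwarden project: a certbot deploy hook that copies each renewed certificate into a directory owned by the vaultwarden service user, so /etc/letsencrypt/archive can stay root-only. It is my own script; the service user name `vaultwarden`, the destination `/mnt/dietpi_userdata/vaultwarden/tls` and the `systemctl restart` are assumptions to adapt to your system, and it copies `fullchain.pem` rather than the post's `cert.pem` (my choice, so clients also receive the intermediate certificate).

```shell
#!/bin/sh
# Added example (not from the thread, DietPi or vaultwarden): a certbot
# deploy hook. Drop it in /etc/letsencrypt/renewal-hooks/deploy/ (executable)
# or pass it with --deploy-hook; certbot runs it after each successful renewal
# with RENEWED_LINEAGE set to the renewed "live" directory.
# Assumed values, adjust to your setup: service user "vaultwarden",
# destination /mnt/dietpi_userdata/vaultwarden/tls, unit vaultwarden.service.
set -eu

# install_vw_certs LINEAGE_DIR DEST_DIR OWNER
# Copies fullchain.pem and privkey.pem from a certbot lineage directory into
# DEST_DIR, owned by OWNER, with the key readable by OWNER only. Returns 1
# (so certbot reports the hook as failed) when the lineage is not readable.
install_vw_certs() {
    lineage=$1 dest=$2 owner=$3
    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$lineage/$f" ]; then
            echo "install_vw_certs: cannot read $lineage/$f" >&2
            return 1
        fi
    done
    mkdir -p "$dest"
    chmod 750 "$dest"
    # Copy to temporary names first and rename afterwards, so a service that
    # starts in the middle of a renewal never reads a half-written file.
    cp "$lineage/fullchain.pem" "$dest/.fullchain.pem.tmp"
    cp "$lineage/privkey.pem"   "$dest/.privkey.pem.tmp"
    chmod 644 "$dest/.fullchain.pem.tmp"   # certificate chain is public anyway
    chmod 600 "$dest/.privkey.pem.tmp"     # private key: owner only
    chown "$owner" "$dest" "$dest/.fullchain.pem.tmp" "$dest/.privkey.pem.tmp"
    mv "$dest/.fullchain.pem.tmp" "$dest/fullchain.pem"
    mv "$dest/.privkey.pem.tmp"   "$dest/privkey.pem"
}

# Hook entry point: only runs when certbot sets RENEWED_LINEAGE, so the file
# can also be sourced for its function without side effects.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_vw_certs "$RENEWED_LINEAGE" /mnt/dietpi_userdata/vaultwarden/tls vaultwarden
    # vaultwarden reads the files at start-up; restart so the new pair is used.
    systemctl restart vaultwarden.service
fi
```

With this in place, vaultwarden.env points at the copies instead of the archive, e.g. `ROCKET_TLS={certs="/mnt/dietpi_userdata/vaultwarden/tls/fullchain.pem",key="/mnt/dietpi_userdata/vaultwarden/tls/privkey.pem"}`, and `ls -l /etc/letsencrypt/archive` can be left as certbot created it. Run the hook once by hand with `RENEWED_LINEAGE=/etc/letsencrypt/live/yoururl.ddns.net sh deploy-hook.sh` to seed the directory before the first renewal.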

Hi!
I am trying to configure lighttpd as a reverse proxy as [Joulinar] and [IIMustangII1151] described very clearly but lighttpd doesn’t seem to work.

When i am trying to access domain.com/vault/ I get back a “404 Not Found” page…

The steps I followed:
(On a raspberry pi 4; model b. [DietPi: ARMv8])

  • install vaultwarden, lighttpd
  • install nextcloud
  • I already have a domain in no-ip. My domain is like: subdomain.freedynamicdns.net
  • I have already configured DDNS on my router, not on my Pi.
  • I created certs with dietpi-letsencrypt. (Force redirect http->https: ON. HSTS: OFF, OCSP: OFF)

I have configured my router to open ports 443 and 80 (TCP & UDP) and map them to the Pi’s MAC address on the same ports (443, 80).

Then:

nano /mnt/dietpi_userdata/vaultwarden/vaultwarden.env

I changed the following things as:

IP_HEADER=X-Forwarded-For
WEBSOCKET_ENABLED=true
WEBSOCKET_ADDRESS=0.0.0.0
WEBSOCKET_PORT=3012
DOMAIN=https://subdomain.freedynamicdns.net
#ROCKET_TLS={certs="./cert.pem",key="./privkey.pem"}

Then:

nano /etc/lighttpd/conf-available/10-proxy.conf
$HTTP["host"] == "subdomain.freedynamicdns.net" {
    $HTTP["url"] =~ "^/notifications/hub($|/)" {
        # WebSocket proxy
        proxy.server = ( "" => ("vaultwarden" => ( "host" => "***192.168.pi.ip***", "port" => 3012 )))
        proxy.forwarded = ("for" => 1 )
        proxy.header = (
            "upgrade" => "enable",
            "connect" => "enable"
        )
    } else {
        $HTTP["url"] =~ "^/vault($|/)" {
            proxy.server = ( "" => ("vaultwarden" => ( "host" => "***192.168.pi.ip***", "port" => 8001 )))
            proxy.forwarded = ("for" => 1 )
        }
    }
}

Then I restarted the two services.

When I hit h-t-t-p-s://subdomain.freedynamicdns.net I get lighttpd landing page.

Also I can access next cloud at h-t-t-p-s://subdomain.freedynamicdns.net/nextcloud without any problem.

I can assume that everything related to lets-encrypt and ddns works fine.

I can access my vaultwarden at raspberry pi’s ip: h-t-t-p-://192.168.pi.ip:8001 so vaultwarden is up and running.

But when I am trying to access h-t-t-p-s://subdomain.freedynamicdns.net/vault/ I get the error page:

(screenshot: lighttpd “404 Not Found” page)

(where subdomain is my domain)

I followed these instructions to try to fix the error: Fix lighttpd 404 not found error

So I added on /etc/lighttpd/lighttpd.conf :

server.max-fds = 2048

#directory listing
dir-listing.activate = "enable"
dir-listing.hide-dotfiles = "enable"
dir-listing.encoding = "utf-8"

But the result is the same.

I tried to be as specific as I can during the whole configuration.
h-t-t-p-s format is because the forum rules do not permit more than one links.
I am also not sure if I have to rewrite something else. For example, if I should replace $HTTP["host"] with $HTTP["something-else"]

Can anyone help me or guide me on how to investigate the issue?
Thank you in advance

Ok I figured it out.

My issue was that the proxy configuration was not “enabled”. That means that the 10-proxy.conf file was only at conf-available directory and not at conf-enabled.

To enable 10-proxy configuration you have to run this command:

sudo lighttpd-enable-mod proxy

So @ [IIMustangII1151] could you please add this command at the end of your summary?

As described in my post above :wink:


One note for future readers who use vaultwarden next to some other services like Nextcloud:
You need to add /vault/ to your DOMAIN= in /mnt/dietpi_userdata/vaultwarden/vaultwarden.env, like:

DOMAIN=https://your.domain.net/vault/

if you also use $HTTP["url"] =~ "^/vault($|/)" { in your lighttpd config.
If you don’t add it in this case you will get a 404 error when you try to reach your vaultwarden instance.

Edit:

I think this needs to be also set for the notification hub $HTTP["url"] =~ "^/vault/notifications/hub($|/)" {
otherwise the service starts with an error message:

[vaultwarden::api::notifications][ERROR]
Dez 06 15:20:43 DietPi3B vaultwarden[1047523]:     ###########################################################
Dez 06 15:20:43 DietPi3B vaultwarden[1047523]:     '/notifications/hub' should be proxied to the websocket server or notifications won't work.
Dez 06 15:20:43 DietPi3B vaultwarden[1047523]:     Go to the Wiki for more info, or disable WebSockets setting WEBSOCKET_ENABLED=false.

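Pulling the corrections from this thread together (the 10-proxy.conf from the summary post, `DOMAIN=` with the /vault/ suffix, and the `^/vault/notifications/hub` rule from the note above), the resulting proxy file looks like this. This is an added example assembled by the editor, not a config posted in the thread or shipped by DietPi or vaultwarden; `your.domain.net`, `192.168.0.x` and the comments are placeholders and assumptions, and the ports are the defaults used throughout the thread.

```lighttpd
# /etc/lighttpd/conf-available/10-proxy.conf
# Activate with:  lighttpd-enable-mod proxy && systemctl restart lighttpd
# Pairs with vaultwarden.env:  DOMAIN=https://your.domain.net/vault/  (ROCKET_TLS left commented out)
$HTTP["host"] == "your.domain.net" {
    # WebSocket notifications. The client derives this path from DOMAIN,
    # so it carries the /vault prefix and must be matched before the
    # general /vault rule below.
    $HTTP["url"] =~ "^/vault/notifications/hub($|/)" {
        proxy.server    = ( "" => ( "vaultwarden" => ( "host" => "192.168.0.x", "port" => 3012 ) ) )
        proxy.forwarded = ( "for" => 1 )
        proxy.header    = ( "upgrade" => "enable", "connect" => "enable" )
    } else {
        # Web vault and REST API
        $HTTP["url"] =~ "^/vault($|/)" {
            proxy.server    = ( "" => ( "vaultwarden" => ( "host" => "192.168.0.x", "port" => 8001 ) ) )
            proxy.forwarded = ( "for" => 1 )
        }
    }
}
```

One caveat worth checking once this works: `IP_HEADER=X-Forwarded-For` makes vaultwarden take the client address from that header, which is only trustworthy if lighttpd is the only thing that can talk to ports 8001 and 3012. Either firewall those ports so only the proxy host reaches them, or, when lighttpd runs on the same machine, set `ROCKET_ADDRESS=127.0.0.1` and `WEBSOCKET_ADDRESS=127.0.0.1` in vaultwarden.env and change the two `"host"` entries above to `127.0.0.1`. Otherwise anyone on the LAN can hit vaultwarden directly and put whatever they like in X-Forwarded-For. Validate the file with `lighttpd -tt -f /etc/lighttpd/lighttpd.conf` before restarting.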