Confused Reverse proxy and vaultwarden

Of course you can use Docker and containers like NginxProxyManager or Traefik, but it works without them as well.

I did a test installation on 2 RPi. I used 2 devices just for testing. It's fine to host the web server as well as vaultwarden on a single device.

  1. created a DDNS domain from a free provider
  2. activated regular DDNS updates using dietpi-ddns
  3. RPi 1 is hosting the web server lighttpd
  4. RPi 2 is hosting vaultwarden
  5. on RPi 2 I was going to disable HTTPS on vaultwarden
nano /mnt/dietpi_userdata/vaultwarden/vaultwarden.env
  6. disable TLS
#ROCKET_TLS={certs="./cert.pem",key="./privkey.pem"}
  7. next to this I enabled websocket notifications
WEBSOCKET_ENABLED=true
WEBSOCKET_ADDRESS=0.0.0.0
WEBSOCKET_PORT=3012
  8. save the file and restart the service
systemctl restart vaultwarden.service
  9. vaultwarden is reachable on HTTP now
  10. on RPi 1 I executed dietpi-letsencrypt and was going to install certbot
  11. once done I requested an SSL certificate for my DDNS domain and activated the HTTP > HTTPS redirect
  12. lighttpd is already reachable on HTTP/HTTPS now
  13. the SSL certificate will be renewed automatically by certbot when required
  14. add the proxy code to lighttpd
nano /etc/lighttpd/conf-available/10-proxy.conf
  15. add the following
$HTTP["host"] == "your.ddns.com" {
    $HTTP["url"] == "/notifications/hub" {
       # WebSocket proxy
       proxy.server  = ( "" => ("vaultwarden" => ( "host" => "192.168.0.x", "port" => 3012 )))
       proxy.forwarded = ( "for" => 1 )
       proxy.header = (
           "upgrade" => "enable",
           "connect" => "enable"
       )
    } else {
       proxy.server  = ( "" => ("vaultwarden" => ( "host" => "192.168.0.x", "port" => 8001 )))
       proxy.forwarded = ( "for" => 1 )
    }
}
  16. add the correct DDNS host and IP address
  17. save the file, activate the setting and restart the service
lighty-enable-mod proxy
service lighttpd force-reload
systemctl restart lighttpd.service
  18. now, vaultwarden should be reachable via your.ddns.com
  19. testing with web browser and app was working fine.
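As an added example (not code from this thread or from the vaultwarden project), a small Python check that reads a vaultwarden.env edited the way the steps above describe and reports whether Rocket will come up on http or https and where the WebSocket server listens. It assumes that a commented-out ROCKET_TLS line means Rocket serves plain HTTP and that TLS is then terminated by the proxy in front of it; port 8001 and the 0.0.0.0:3012 listener are the values shown in this thread, not defaults taken from vaultwarden documentation, and the two .env samples are constructed.

```python
import re

# Rocket port as it appears in this thread's config and logs (not a documented default).
ROCKET_PORT = 8001
# Path the lighttpd rule in this thread forwards to the WebSocket server.
WS_PATH = "/notifications/hub"


def parse_env(text):
    """Parse KEY=VALUE lines from a .env file.

    Returns (settings, commented): active keys with their values, plus the set of
    keys that are present but commented out with '#', so a disabled ROCKET_TLS is
    distinguishable from one that was never in the file.
    """
    settings, commented = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        match = re.match(r"^(#)?\s*([A-Z][A-Z0-9_]*)=(.*)$", line)
        if not match:
            continue  # blank line or free-text comment
        hashed, key, value = match.groups()
        if hashed:
            commented.add(key)
        else:
            settings[key] = value.strip()
    return settings, commented


def exposure(env_text, host="192.168.0.x"):
    """Describe how vaultwarden will be reachable for the given .env contents."""
    settings, commented = parse_env(env_text)
    tls_on = "ROCKET_TLS" in settings
    scheme = "https" if tls_on else "http"
    report = {
        "scheme": scheme,
        "rocket_url": f"{scheme}://{host}:{ROCKET_PORT}",
        # With ROCKET_TLS commented out, TLS has to be terminated in front of vaultwarden.
        "tls_terminated_by": "vaultwarden (Rocket)" if tls_on else "reverse proxy",
        "tls_line_commented": "ROCKET_TLS" in commented,
        "websocket_listen": None,
        "websocket_proxy_path": None,
    }
    if settings.get("WEBSOCKET_ENABLED", "false").lower() == "true":
        # Fallbacks are the values used in this thread, not vaultwarden defaults.
        addr = settings.get("WEBSOCKET_ADDRESS", "0.0.0.0")
        port = settings.get("WEBSOCKET_PORT", "3012")
        report["websocket_listen"] = f"{addr}:{port}"
        report["websocket_proxy_path"] = WS_PATH
    return report


# Constructed .env contents mirroring the two states this thread moves between.
PROXIED_ENV = """
# behind lighttpd: TLS disabled, websocket notifications on
#ROCKET_TLS={certs="./cert.pem",key="./privkey.pem"}
WEBSOCKET_ENABLED=true
WEBSOCKET_ADDRESS=0.0.0.0
WEBSOCKET_PORT=3012
"""

DIRECT_ENV = """
# no proxy: Rocket terminates TLS itself, no websocket server
ROCKET_TLS={certs="./cert.pem",key="./privkey.pem"}
"""

if __name__ == "__main__":
    for name, env in (("proxied", PROXIED_ENV), ("direct", DIRECT_ENV)):
        print(name)
        for key, value in exposure(env).items():
            print(f"  {key}: {value}")
```

The report's `rocket_url` is the address the proxy's `"port" => 8001` rule must point at; if `scheme` is https while lighttpd proxies plain HTTP to that port, or http while a client connects to it directly, the mismatch shows up here before anything is restarted.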

Hi to all, sorry to reup the topic.

I followed the instructions from Joulinar and obtained a working Vaultwarden server accessible from my DDNS "site". The problem starts when I want to access other webapps on the server (in my case nextcloud); it seems that the above configuration redirects *all* the traffic to the vaultwarden server. For example if I point the browser to "my.site/nextcloud" I receive a response from the vaultwarden ROCKET webserver. I read the documentation on the vaultwarden GitHub and found:
"To enable WebSockets notifications, an external reverse proxy is necessary, and it must be configured to do the following:

Route the /notifications/hub endpoint to the WebSocket server, by default at port 3012, making sure to pass the Connection and Upgrade headers. (Note the port can be changed with WEBSOCKET_PORT variable)
Route everything else, including /notifications/hub/negotiate, to the standard Rocket server, by default at port 80."
So, it seems to me that the 10-proxy configuration file is redirecting all the traffic to the vaultwarden web server. My question is: is there a possible workaround to this using lighttpd? I tried to understand what the script really does but I'm confused about the
$HTTP["url"] == "/notifications/hub" {
string. Sorry for my English and thanks in advance!
Marco

basically the config above is doing 3 things.

  1. it is reacting on a specific domain "your.ddns.com"
  2. requests for the sub folder "/notifications/hub" will be redirected to the vaultwarden websocket notifications server on port 3012.
  3. all other requests will be redirected to the vaultwarden web server on port 8001

specifying nextcloud as a sub folder will not have any effect as it will be covered by point 3 and forward the request to the vaultwarden web server if using the specific domain "your.ddns.com". At least this is what I'm guessing as I'm not a reverse proxy specialist.

Best would be if you reconfigure vaultwarden to work on a sub path. https://github.com/dani-garcia/vaultwarden/wiki/Using-an-alternate-base-dir

This way it's possible to differentiate between nextcloud and vaultwarden. The proxy configuration would need to be adjusted as well to redirect according to the sub path

$HTTP["host"] == "dietpi.example.com" {
    $HTTP["url"] == "/notifications/hub" {
       # WebSocket proxy
       proxy.server  = ( "" => ("vaultwarden" => ( "host" => "192.168.0.x", "port" => 3012 )))
       proxy.forwarded = ( "for" => 1 )
       proxy.header = (
           "upgrade" => "enable",
           "connect" => "enable"
       )
    } else {
       $HTTP["url"] == "/vault" {
          proxy.server  = ( "" => ("vaultwarden" => ( "host" => "192.168.0.x", "port" => 8001 )))
          proxy.forwarded = ( "for" => 1 )
       }
    }
}

First of all, thanks for the reply.

Finally I tried putting vaultwarden in a sub folder (/vw). I altered the proxy configuration following your tips too. Now I’m able to reach /nextcloud and /vw correctly but I’m facing one last problem: vaultwarden does not work.

The wiki page "Using an alternate base dir" (dani-garcia/vaultwarden Wiki on GitHub) says:

You should now be able to access the web vault at https://bitwarden.example.com/base-dir/ (note the trailing slash). For reasons not entirely clear, you'll probably run into issues if you use https://bitwarden.example.com/base-dir (without the trailing slash).

while I’m currently being redirected to 192.168.0.x:8081/vw (without the trailing slash).

If I try to access vaultwarden from inside my LAN with the trailing slash I'm able to view the login page (from the Bitwarden app for Android too), but nothing works because of the lack of HTTPS.

I tried putting $HTTP["url"] == "/vw/" (with the trailing slash) but I'm always redirected inside my LAN without the slash.

Thanks and sorry for my English!

Marco

ok I was playing with it and this one was working for me

$HTTP["host"] == "demo.com" {
    $HTTP["url"] =~ "^/notifications/hub($|/)" {
       # WebSocket proxy
       proxy.server  = ( "" => ("vaultwarden" => ( "host" => "192.168.0.x", "port" => 3012 )))
       proxy.forwarded = ( "for" => 1 )
       proxy.header = (
           "upgrade" => "enable",
           "connect" => "enable"
       )
    } else {
       $HTTP["url"] =~ "^/vault($|/)" {
          proxy.server  = ( "" => ("vaultwarden" => ( "host" => "192.168.0.x", "port" => 8001 )))
          proxy.forwarded = ( "for" => 1 )
       }
    }
}

Now I’m able to access vaultwarden using http://demo.com/vault/

The trailing slash still needs to be added within the URL

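To make the routing behaviour of the three lighttpd blocks in this thread checkable offline, here is an added Python model (not the thread's, lighttpd's or vaultwarden's code) that classifies sample request paths the way the if/else chain does: the first config with its catch-all `else`, the nested exact `== "/vault"` version, and the `=~ "^/vault($|/)"` version just above. It assumes `$HTTP["url"]` is compared against the request path without the query string and that `==` is an exact compare while `=~` is a PCRE search, which Python's `re` reproduces for these patterns; the backend IP and the sample paths are constructed placeholders. Running it shows why /nextcloud reached Rocket under the first config and is left to lighttpd under the other two, why /vault/ fell through under the exact match, and that the `^/notifications/hub($|/)` pattern also captures /notifications/hub/negotiate, which the wiki text quoted earlier in the thread sends to the Rocket server instead, so that path is worth checking against your own setup.

```python
import re

# Backends as labelled in the thread's configs; the IP is the thread's placeholder.
WS = ("192.168.0.x", 3012)      # vaultwarden WebSocket notifications server
ROCKET = ("192.168.0.x", 8001)  # vaultwarden Rocket web server
LOCAL = None                    # no proxy rule matched: lighttpd serves the request itself


def first_match(path, rules, fallthrough):
    """Walk ordered (kind, pattern, backend) rules like lighttpd's if/else chain.

    'exact' models `$HTTP["url"] == "..."`, 'regex' models `$HTTP["url"] =~ "..."`.
    The first rule that matches wins; otherwise the fallthrough backend applies.
    """
    for kind, pattern, backend in rules:
        if kind == "exact" and path == pattern:
            return backend
        if kind == "regex" and re.search(pattern, path):
            return backend
    return fallthrough


def route_catch_all(path):
    """First config in the thread: exact hub match, `else` proxies everything to Rocket."""
    return first_match(path, [("exact", "/notifications/hub", WS)], fallthrough=ROCKET)


def route_sub_path_exact(path):
    """Second config: nested `== "/vault"`; anything else is left to lighttpd (e.g. Nextcloud)."""
    rules = [("exact", "/notifications/hub", WS), ("exact", "/vault", ROCKET)]
    return first_match(path, rules, fallthrough=LOCAL)


def route_sub_path_regex(path):
    """Third config: `=~ "^/vault($|/)"`, so /vault, /vault/ and /vault/... all reach Rocket."""
    rules = [("regex", r"^/notifications/hub($|/)", WS), ("regex", r"^/vault($|/)", ROCKET)]
    return first_match(path, rules, fallthrough=LOCAL)


# Constructed sample request paths covering the cases discussed in the thread.
SAMPLE_PATHS = [
    "/",
    "/nextcloud/index.php",
    "/vault",
    "/vault/",
    "/vault/css/app.css",
    "/vaultwarden",
    "/notifications/hub",
    "/notifications/hub/negotiate",
]


def routing_table(paths=SAMPLE_PATHS):
    """Return {path: (catch_all, sub_path_exact, sub_path_regex)} for every sample path."""
    return {
        p: (route_catch_all(p), route_sub_path_exact(p), route_sub_path_regex(p))
        for p in paths
    }


def describe(backend):
    """Human-readable backend name for the table printed below."""
    return "lighttpd (local)" if backend is None else f"{backend[0]}:{backend[1]}"


if __name__ == "__main__":
    print(f"{'path':30} {'catch-all':20} {'sub-path ==':20} {'sub-path =~':20}")
    for path, targets in routing_table().items():
        print(f"{path:30} " + " ".join(f"{describe(t):20}" for t in targets))
```

The `/vaultwarden` row is there to show that `^/vault($|/)` does not bleed into neighbouring prefixes, and the `/vault` versus `/vault/` rows show why the exact-match version never proxied the trailing-slash URL the wiki says the web vault needs.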

Thanks, it works! Now I’m able to login to vaultwarden and nextcloud simultaneously :smiley: :smiley: :smiley: !

Now I’m curious to know where did you find the syntax of lighttpd reverse proxy, I tried to find something but without success!

Anyway, thanks!

Marco.

good question :stuck_out_tongue:

  1. Basically I started using the Lighttpd template available on the vaultwarden GitHub Wiki https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
  2. did some trial and error to adjust it to our need to get NextCloud available
  3. and finally reused some parts from the NextCloud web server configuration files to optimize the proxy configuration

TL;DR: playing with it until it was working :smiley:


Hi, Joulinar, would you help me getting vaultwarden to work too?

I've done every one of your steps in the above posts, and when accessing myddns:8001 I get a timeout after a while.

The difference with your setup is that I have letsencrypt and vaultwarden on the same Odroid.

I have also opened port 8001…

I made the changes on lighttpd, also with the ones in the proxy examples on github.

The logs I get:

Dec 15 10:43:45 DietPi systemd[1]: Started vaultwarden Server (Rust Edition).
Dec 15 10:43:45 DietPi vaultwarden[14083]: /--------------------------------------------------------------------\
Dec 15 10:43:45 DietPi vaultwarden[14083]: |                        Starting Vaultwarden                        |
Dec 15 10:43:45 DietPi vaultwarden[14083]: |--------------------------------------------------------------------|
Dec 15 10:43:45 DietPi vaultwarden[14083]: | This is an *unofficial* Bitwarden implementation, DO NOT use the   |
Dec 15 10:43:45 DietPi vaultwarden[14083]: | official channels to report bugs/features, regardless of client.   |
Dec 15 10:43:45 DietPi vaultwarden[14083]: | Send usage/configuration questions or feature requests to:         |
Dec 15 10:43:45 DietPi vaultwarden[14083]: |   https://vaultwarden.discourse.group/                             |
Dec 15 10:43:45 DietPi vaultwarden[14083]: | Report suspected bugs/issues in the software itself at:            |
Dec 15 10:43:45 DietPi vaultwarden[14083]: |   https://github.com/dani-garcia/vaultwarden/issues/new            |
Dec 15 10:43:45 DietPi vaultwarden[14083]: \--------------------------------------------------------------------/
Dec 15 10:43:45 DietPi vaultwarden[14083]: [INFO] No .env file found.
Dec 15 10:43:45 DietPi vaultwarden[14083]: [2021-12-15 10:43:45.235][parity_ws][INFO] Listening for new connections on 0.0.0.0:3012.
Dec 15 10:43:45 DietPi vaultwarden[14083]: [2021-12-15 10:43:45.243][start][INFO] Rocket has launched from http://0.0.0.0:8001
Dec 15 10:44:45 DietPi vaultwarden[14083]: [2021-12-15 10:44:45.229][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins
Dec 15 10:45:45 DietPi vaultwarden[14083]: [2021-12-15 10:45:45.230][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins
Dec 15 10:46:45 DietPi vaultwarden[14083]: [2021-12-15 10:46:45.230][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins
Dec 15 10:47:45 DietPi vaultwarden[14083]: [2021-12-15 10:47:45.232][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins

What is strange is the lines about listening for new connections on http://0.0.0.0:8001 and that Rocket has launched from there. I thought Rocket didn't have to start if I was using the letsencrypt SSL mode.

The SSL is working fine because on another port, where I have installed Home Assistant, it is working…

I run out of ideas…

maybe there is a misunderstanding. The above steps are used to set up a reverse proxy on a web server to be able to connect to vaultwarden without any specific port needed. This means you could access vaultwarden like http://demo.com/vault/

The question is now what exactly you would like to do?
How would you like to access vaultwarden?
What configuration have you changed already?
Did you set up a reverse proxy?

Just set up vaultwarden with SSL to access it from a client app on my phone

From the client app

I did all the steps in your above post
I changed these settings in vaultwarden.env:

IP_HEADER=X-Forwarded-For
WEBSOCKET_ENABLED=true
WEBSOCKET_ADDRESS=0.0.0.0
WEBSOCKET_PORT=3012

Commented out this line: #ROCKET_TLS={certs="./cert.pem",key="./privkey.pem"}
On lighttpd I enabled mod_proxy and added the rule from the proxy examples regarding lighttpd
Opened TCP port 8001

Yes

if you set up a reverse proxy, why are you trying to access it via port number? myddns:8001 ?? How did you set up the reverse proxy?

Because I don’t know what I am doing… :cry:

This is my config:

$HTTP["host"] == "my.ddns.net" {
    $HTTP["url"] == "/notifications/hub" {
       # WebSocket proxy
       proxy.server  = ( "" => ("vaultwarden" => ( "host" => "192.168.1.3", "port" => 3012 )))
       proxy.forwarded = ( "for" => 1 )
       proxy.header = (
           "https-remap" => "enable",
           "upgrade" => "enable",
           "connect" => "enable"
       )
    } else {
       proxy.server  = ( "" => ("vaultwarden" => ( "host" => "192.168.1.3", "port" => 8001 )))
       proxy.forwarded = ( "for" => 1 )
       proxy.header = ( "https-remap" => "enable" )
    }
}

I have to say that in my router I have redirected port 443 to another port where Home Assistant is; I mention it in case it matters…
So if I go to my.ddns.net it went to home assistant login page, now it doesn’t I imagine because of the reverse proxy rule.

usually the idea of a reverse proxy is to use it as a gateway and to pass all HTTPS/HTTP traffic via the proxy (including HomeAssistant).

It will look like this graphic https://synaptica.info/wp-content/uploads/2021/04/reverse-proxy.png

Means port 80/443 is forwarded to your proxy and not to an application directly. As well, the proxy is doing the SSL certificate handling, instead of managing certificates on each app.

But in your case, let's keep it simple as is and have port 443 forwarded to HA.

To get vaultwarden accessible from the outside world, just revert all changes you did. Activate HTTPS again and remove the proxy configuration.

I understand the proxy part now…

I reverted the vaultwarden conf file from the backup I had made, and disabled proxy mode, but it still timed out

I rebooted, and I can get in but without HTTPS

could you reboot your system and share the following afterwards

journalctl -u vaultwarden.service

Good morning Joulinar,

This is the log:

root@DietPi:~# journalctl -u vaultwarden.service
-- Logs begin at Thu 2019-02-14 11:11:58 CET, end at Thu 2021-12-16 11:09:52 CET. --
Dec 16 11:08:34 DietPi systemd[1]: Started vaultwarden Server (Rust Edition).
Dec 16 11:08:34 DietPi vaultwarden[2527]: /--------------------------------------------------------------------\
Dec 16 11:08:34 DietPi vaultwarden[2527]: |                        Starting Vaultwarden                        |
Dec 16 11:08:34 DietPi vaultwarden[2527]: |--------------------------------------------------------------------|
Dec 16 11:08:34 DietPi vaultwarden[2527]: | This is an *unofficial* Bitwarden implementation, DO NOT use the   |
Dec 16 11:08:34 DietPi vaultwarden[2527]: | official channels to report bugs/features, regardless of client.   |
Dec 16 11:08:34 DietPi vaultwarden[2527]: | Send usage/configuration questions or feature requests to:         |
Dec 16 11:08:34 DietPi vaultwarden[2527]: |   https://vaultwarden.discourse.group/                             |
Dec 16 11:08:34 DietPi vaultwarden[2527]: | Report suspected bugs/issues in the software itself at:            |
Dec 16 11:08:34 DietPi vaultwarden[2527]: |   https://github.com/dani-garcia/vaultwarden/issues/new            |
Dec 16 11:08:34 DietPi vaultwarden[2527]: \--------------------------------------------------------------------/
Dec 16 11:08:34 DietPi vaultwarden[2527]: [INFO] No .env file found.
Dec 16 11:08:35 DietPi vaultwarden[2527]: [2021-12-16 11:08:35.383][start][INFO] Rocket has launched from https://0.0.0.0:8001

Today I can access it with HTTPS, but Firefox tells me to make an exception, and it serves the page without HTTPS.

What I have to do to activate https?

on a default setup, vaultwarden is using self-signed certificates. Usually they are not accepted by modern browsers or the Bitwarden app. But in Firefox it should be possible to accept the risk and continue with an exception.

To get a correct and valid certificate, you would need to configure vaultwarden and set correct path to your certificate files.

ROCKET_TLS={certs="./cert.pem",key="./privkey.pem"}

I got it working now, with the proxy option, but as you said, then I don't have the option of using myddns:port. And if I use that, the no-port option, then I lose the Pi-hole admin… I don't know if that is a problem, but I would love to have everything without losing almost anything…

Could I do that?

What you refer to is using the Rocket SSL option as described in the vaultwarden GitHub, no? They say it is a bit immature…

first you would need to make yourself clear what the final solution should look like.

Do you like to use a reverse proxy and configure all apps to use it?
Or would you like to access each app individually, having each app configured on its own to support/provide SSL access?

Once you are clear, you could start working on it.

I think the best option is to use the reverse proxy, but without losing any other thing like the Pi-hole admin panel.

If I don't use that option, is there a way of not using Rocket to have SSL with Let's Encrypt and no reverse proxy? Like for example HA, which uses a port?