Confused Reverse proxy and vaultwarden

Is there a way of not using Rocket to have SSL with lets encrypt and no reverse proxy?

maybe a misunderstanding

ROCKET_PORT and ROCKET_TLS are the parameters used to specify the HTTP/S port and the SSL certificate vaultwarden uses to enable SSL access. If you have any questions about these parameters you might need to reach out to the vaultwarden developers for a deeper explanation.

Got it working Joulinar now…

Thank you so much as always!

Maybe you would like to share what you have done to get it working. Someone else might be interested in it as well :wink:

Of course!

Just open tcp port 8001

and then in the config file vaultwarden.env just modify the var:

ROCKET_TLS={certs="/etc/letsencrypt/live/yoururl.ddns.net/cert.pem",key="/etc/letsencrypt/live/yoururl.ddns.net/privkey.pem"}

let’s summarize

  • I install nextcloud and vaultwarden
  • using web server lighttpd
  • I create a domain in duckdns
  • enable DDNS with dietpi-ddns
  • create cert with dietpi-letsencrypt and enable HTTPS
nano /mnt/dietpi_userdata/vaultwarden/vaultwarden.env

change the following things

IP_HEADER=X-Forwarded-For
WEBSOCKET_ENABLED=true
WEBSOCKET_ADDRESS=0.0.0.0
WEBSOCKET_PORT=3012
DOMAIN=https://domain.com
#ROCKET_TLS={certs="./cert.pem",key="./privkey.pem"}


nano /etc/lighttpd/conf-available/10-proxy.conf

I put this code in that file, remembering to put in the IP of your DietPi

$HTTP["host"] == "domain.com" {
    $HTTP["url"] =~ "^/notifications/hub($|/)" {
        # WebSocket proxy
        proxy.server = ( "" => ("vaultwarden" => ( "host" => "192.168.0.x", "port" => 3012 )))
        proxy.forwarded = ("for" => 1 )
        proxy.header = (
            "upgrade" => "enable",
            "connect" => "enable"
        )
    } else {
        $HTTP["url"] =~ "^/vault($|/)" {
            proxy.server = ( "" => ("vaultwarden" => ( "host" => "192.168.0.x", "port" => 8001 )))
            proxy.forwarded = ("for" => 1 )
        }
    }
}

the access will be like this

domain.com/nextcloud
domain.com/vault/ (the trailing slash is a MUST)

restart and it will be working

With this you will have access to both services anywhere without opening any port on your router


I hope someone can help me. I’ve been scratching my head with this for a couple of days now, in the end the solution I want to achieve is the same one as amibumpin, but despite following the same steps the vaultwarden service will not start when I change the ROCKET_TLS certs path. It just repeatedly spews out 2 errors:
“Logger failed to initialize: attempted to set a logger after the logging system was already initialized”
“[rocket::config::error][ERROR] I/O error while setting tls.certs:”

I’m fairly confident I’ve got things right up to this point, I have valid letsencrypt certs & my nextcloud is working flawlessly both locally & from outside the network.

Most probably vaultwarden is not able to read the certificates due to a permission issue. Basically you could copy the certs to a place where vaultwarden is able to read them, or you could allow vaultwarden access to the certs. Or, as an alternative, you use a reverse proxy (the web server hosting NextCloud). This way HTTPS on vaultwarden could be disabled and no additional port would need to be opened.

Hi Joulinar,

Thanks for the response!

Do you know what the permissions should be? I’ve got the certs in the archive folder as anyone can view, only owner can change, the privkey is only owner can view or change. In the live folder the symlinks are viewable & changeable by anyone. I also tried creating symlinks in the /vaultwarden directory & changing owner of them to vaultwarden & changing the ROCKET_TLS path to use them instead, same issue regardless.

I’ve spent hours trying to set up reverse proxy (using lighttpd) & that is its whole own nightmare which isn’t giving me satisfactory results, I feel like I’m really close with the ROCKET_TLS solution.

Theoretically read permissions are fine. If I’m not mistaken it is the letsencrypt archive folder that has read for root user only. For testing you could change it to read for other users.

That did it, setting the permissions of the archive folder to let anyone view has resulted in the vaultwarden service now starting correctly & working from external :smiley: .

Thanks so much!!

OK, good it is working. But this is not the optimal result from a security point of view, as now everybody who has access to your OS will be able to read your certificate :wink:
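Joulinar's safer alternative above (copy the certificates to a place vaultwarden can read, rather than opening the Let's Encrypt archive to every local user) as an added example that is not from this thread: a POSIX shell script meant to run as a certbot deploy hook. The service user name `vaultwarden`, the `certs` directory under the DietPi data folder and the `live/` path are assumptions; adjust them to your system.

```shell
#!/bin/sh
# Added example, not from this thread: stage Let's Encrypt files for vaultwarden
# in a directory it owns, instead of making /etc/letsencrypt/archive world-readable.
# Intended as a certbot deploy hook (runs as root after every renewal).
set -eu

# Assumptions (edit for your system): DietPi's vaultwarden data directory,
# a service user named "vaultwarden", and the live/ directory of your domain.
SRC_DIR="${SRC_DIR:-/etc/letsencrypt/live/yoururl.ddns.net}"
DST_DIR="${DST_DIR:-/mnt/dietpi_userdata/vaultwarden/certs}"
VW_USER="${VW_USER:-vaultwarden}"

# install_certs SRC DST OWNER
# Copies cert.pem and privkey.pem from SRC to DST, following the live/ symlinks
# so the copies are real files, and leaves the key readable by OWNER only.
# Returns 1 (and creates nothing) if either source file cannot be read.
install_certs() {
    src="$1"; dst="$2"; owner="$3"
    [ -r "$src/cert.pem" ] && [ -r "$src/privkey.pem" ] || return 1
    mkdir -p "$dst"
    chmod 0750 "$dst"
    cp -L "$src/cert.pem" "$dst/cert.pem"
    cp -L "$src/privkey.pem" "$dst/privkey.pem"
    chmod 0644 "$dst/cert.pem"      # the certificate is public anyway
    chmod 0600 "$dst/privkey.pem"   # the key must never be world-readable
    # chown needs root; certbot hooks run as root, a manual test run may not
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$dst"
    fi
}

# world_readable FILE: succeeds if "others" can read FILE, i.e. the state the
# thread ended up with. Uses GNU stat, which DietPi (Debian) ships.
world_readable() {
    case "$(stat -c '%a' "$1")" in
        *[4567]) return 0 ;;
        *)       return 1 ;;
    esac
}

# Run the real install only when asked, so the functions can also be sourced.
if [ "${RUN_INSTALL:-0}" = "1" ]; then
    install_certs "$SRC_DIR" "$DST_DIR" "$VW_USER"
    # Matching line for vaultwarden.env (replaces the /etc/letsencrypt paths):
    printf 'ROCKET_TLS={certs="%s/cert.pem",key="%s/privkey.pem"}\n' "$DST_DIR" "$DST_DIR"
fi
```

Run it as root with `RUN_INSTALL=1` (or register it with `certbot --deploy-hook`) and point ROCKET_TLS at the printed paths; the archive directory can then keep its root-only permissions.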

Hi!
I am trying to configure lighttpd as a reverse proxy as [Joulinar] and [IIMustangII1151] described very clearly but lighttpd doesn’t seem to work.

When I am trying to access domain.com/vault/ I get back a “404 Not Found” page…

The steps I followed:
(On a raspberry pi 4; model b. [DietPi: ARMv8])

  • install vaultwarden, lighttpd
  • install nextcloud
  • I already have a domain in no-ip. My domain is like: subdomain.freedynamicdns.net
  • I have already configured DDNS on my Router, not on my Pi.
  • I created certs with dietpi-letsencrypt. (Force redirect http->https : ON. HSTS: OFF, OCSP: OFF)

I have configured my router to open ports 443, 80 (tcp & udp) and map with Pi’s mac address same ports (443 , 80)

Then:

nano /mnt/dietpi_userdata/vaultwarden/vaultwarden.env

I changed the following things as:

IP_HEADER=X-Forwarded-For
WEBSOCKET_ENABLED=true
WEBSOCKET_ADDRESS=0.0.0.0
WEBSOCKET_PORT=3012
DOMAIN=https://subdomain.freedynamicdns.net
#ROCKET_TLS={certs="./cert.pem",key="./privkey.pem"}

Then:

nano /etc/lighttpd/conf-available/10-proxy.conf

$HTTP["host"] == "subdomain.freedynamicdns.net" {
    $HTTP["url"] =~ "^/notifications/hub($|/)" {
        # WebSocket proxy
        proxy.server = ( "" => ("vaultwarden" => ( "host" => "***192.168.pi.ip***", "port" => 3012 )))
        proxy.forwarded = ("for" => 1 )
        proxy.header = (
            "upgrade" => "enable",
            "connect" => "enable"
        )
    } else {
        $HTTP["url"] =~ "^/vault($|/)" {
            proxy.server = ( "" => ("vaultwarden" => ( "host" => "***192.168.pi.ip***", "port" => 8001 )))
            proxy.forwarded = ("for" => 1 )
        }
    }
}

Then I restarted the two services.

When I hit h-t-t-p-s://subdomain.freedynamicdns.net I get lighttpd landing page.

Also I can access next cloud at h-t-t-p-s://subdomain.freedynamicdns.net/nextcloud without any problem.

I can assume that everything related to lets-encrypt and ddns works fine.

I can access my vaultwarden at raspberry pi’s ip: h-t-t-p-://192.168.pi.ip:8001 so vaultwarden is up and running.

But when I am trying to access h-t-t-p-s://subdomain.freedynamicdns.net/vault/ I get the error page:

(screenshot of the “404 Not Found” page)

(where subdomain is my domain)

I followed these instructions to try fix the error : Fix lighttpd 404 not found error

So I added on /etc/lighttpd/lighttpd.conf :

server.max-fds = 2048

#directory listing
dir-listing.activate = "enable"
dir-listing.hide-dotfiles = "enable"
dir-listing.encoding = "utf-8"

But the result is the same.

I tried to be as specific as I can during the whole configuration.
h-t-t-p-s format is because the forum rules do not permit more than one links.
I am also not sure if I have to rewrite something else. For example if I should replace $HTTP["host"] with $HTTP["something-else"]

Can anyone help me or guide me on how to investigate the issue?
Thank you in advance

Ok I figured it out.

My issue was that the proxy configuration was not “enabled”. That means that the 10-proxy.conf file was only at conf-available directory and not at conf-enabled.

To enable 10-proxy configuration you have to run this command:

sudo lighttpd-enable-mod proxy

So @ [IIMustangII1151] could you please add this command at the end of your summary?

Like described on my post above :wink:


One note for future readers who use vaultwarden next to some other services like Nextcloud:
You need to add /vault/ to your DOMAIN= in /mnt/dietpi_userdata/vaultwarden/vaultwarden.env, like:

DOMAIN=https://your.domain.net/vault/

if you also use $HTTP["url"] =~ "^/vault($|/)" { in your lighttpd config.
If you don’t add it in this case you will get a 404 error when you try to reach your vaultwarden instance.

Edit:

I think this also needs to be set for the notification hub: $HTTP["url"] =~ "^/vault/notifications/hub($|/)" {
otherwise the service starts with an error message:

[vaultwarden::api::notifications][ERROR]
Dez 06 15:20:43 DietPi3B vaultwarden[1047523]:     ###########################################################
Dez 06 15:20:43 DietPi3B vaultwarden[1047523]:     '/notifications/hub' should be proxied to the websocket server or notifications won't work.
Dez 06 15:20:43 DietPi3B vaultwarden[1047523]:     Go to the Wiki for more info, or disable WebSockets setting WEBSOCKET_ENABLED=false.
