Confused Reverse proxy and vaultwarden

Is there a way of not using Rocket to have SSL with lets encrypt and no reverse proxy?

maybe a misunderstanding

ROCKET_PORT and ROCKET_TLS are the parameter used to specify HTTP/S port + SSL certificate used by vaultwarden to enable SSL access. If you have any question for these parameter you might need to reach out to vaultwarden developer to get some deeper explanation.

Got it working Joulinar now…

Thank you so much as always!

maybe you like to share what you have done to get it working. Probably someone else might be interested in it as well :wink:

Of course!

Just open tcp port 8001

and then from config file vaulwarden.env just modify the var:

ROCKET_TLS={certs="/etc/letsencrypt/live/yoururl.ddns.net/cert.pem",key="/etc/letsencrypt/live/yoururl.ddns.net/privkey.pem"}

let’s summarize

  • I install nextcloud and vaultwarden


  • using web server lighttpd


  • I create a domain in duckdns


  • enable DDNS with dietpi-ddns


  • create cert with dietpi-letsencrypt and enable HTTPS


nano /mnt/dietpi_userdata/vaultwarden/vaultwarden.env

change the following things

IP_HEADER=X-Forwarded-For
WEBSOCKET_ENABLED=true
WEBSOCKET_ADDRESS=0.0.0.0
WEBSOCKET_PORT=3012
DOMAIN=> https://domain.com
#ROCKET_TLS={certs="./cert.pem",key="./privkey.pem"}


nano /etc/lighttpd/conf-available/10-proxy.conf

I put this code on this one, remembering to put the IP of your dietpi

$HTTP["host"] == "domain.com" {
    $HTTP["url"] =~ "^/notifications/hub($|/)" {
       # WebSocket proxy
       proxy.server = ( "" => ("vaultwarden" => ( "host" => "192.168.0.x", "port" => 3012 )))
       proxy.forwarded = ("for" => 1 )
       proxy.header = (
           "upgrade" => "enable",
           "connect" => "enable"
       )
    } else {
    $HTTP["url"] =~ "^/vault($|/)" {
       proxy.server = ( "" => ("vaultwarden" => ( "host" => "192.168.0.x", "port" => 8001 )))
       proxy.forwarded = ("for" => 1 )
       }
    }
}

the access will be like this

domain.com/nextcloud
domain.com/vault/ (last slash MUST)

restart and it will be working

With this you will have access to both services anywhere without opening any port on your router

1 Like

I hope someone can help me. I’ve been scratching my head with this for a couple of days now, in the end the solution I want to achieve is the same one as amibumpin, but despite following the same steps the vaultwarden service will not start when I change the ROCKET_TLS certs path. It just repeatedly spews out 2 errors:
“Logger failed to initialize: attempted to set a logger after the logging system was already initialized”
“[rocket::config::error][ERROR] I/O error while setting tls.certs:”

I’m fairly confident I’ve got things right upto this point, I have valid letsencrypt certs & my nextcloud is working flawlessly both local & from outside the network.

most probably vaultwarden is not able to read certificates due to permission issue. Basically you could copy certs on a place where vaultwarden is able to read them or you are going to allow vaultwarden access to the certs. Or as an alternative you use a revers proxy (the web server hosting NextCloud). This way HTTPS on vaultwarden could be disabled and no additional port would need to be open

Hi Joulinar,

Thanks for the response!

Do you know what the permissions should be? I’ve got the certs in the archive folder as anyone can view, only owner can change, the privkey is only owner can view or change. In the live folder the symlinks are viewable & changeable by anyone. I also tried creating symlinks in the /vaultwarden directory & changing owner of them to vaultwarden & changing the ROCKET_TLS path to use them instead, same issue regardless.

I’ve spent hours trying to set up reverse proxy (using lighttpd) & that is its whole own nightmare which isn’t giving me satisfactory results, I feel like I’m really close with the ROCKET_TLS solution.

Theoretically read permissions are fine. If I’m not mistaken it is the letsencrypt archive folder that has read for root user only. For testing you could change it to read for other users.

That did it, setting the permissions of the archive folder to let anyone view has resulted in the vaultwarden service now starting correctly & working from external :smiley: .

Thanks so much!!

ok good it is working. But this is not the optimal result from security point of view, as now everybody who has access to your OS will be able to read your certificate :wink:

Hi!
I am trying to configure lighttpd as a reverse proxy as [Joulinar] and [IIMustangII1151] described very clearly but lighttpd doesn’t seem to work.

When i am trying to access domain.com/vault/ I get back a “404 Not Found” page…

The steps I followed:
(On a raspberry pi 4; model b. [DietPi: ARMv8])

  • install vaultwarden, lighttpd
  • install nextcloud
  • I already have a domain in no-ip. My domain is like: subdomain.freedynamicdns. net
  • I have already configured DDNS on my Router, not on my Pi.
  • I created cers with dietpi-letsencrypt. (Force redirect http->https : ON. HSTS: OFF, OCSP: OFF)

I have configured my router to open ports 443, 80 (tcp & udp) and map with Pi’s mac address same ports (443 , 80)

Then:

nano /mnt/dietpi_userdata/vaultwarden/vaultwarden.env

I changed the following things as:

P_HEADER=X-Forwarded-For
WEBSOCKET_ENABLED=true
WEBSOCKET_ADDRESS=0.0.0.0
WEBSOCKET_PORT=3012
DOMAIN=https://subdomain.freedynamicdns.net
#ROCKET_TLS={certs="./cert.pem",key="./privkey.pem"}

Then:

nano /etc/lighttpd/conf-available/10-proxy.conf
$HTTP["host"] == "subdomain.freedynamicdns.net" {
    $HTTP["url"] =~ "^/notifications/hub($|/)" {
       # WebSocket proxy
       proxy.server = ( "" => ("vaultwarden" => ( "host" => "***192.168.pi.ip***", "port" => 3012 )))
       proxy.forwarded = ("for" => 1 )
       proxy.header = (
           "upgrade" => "enable",
           "connect" => "enable"
       )
    } else {
    $HTTP["url"] =~ "^/vault($|/)" {
       proxy.server = ( "" => ("vaultwarden" => ( "host" => "***192.168.pi.ip***", "port" => 8001 )))
       proxy.forwarded = ("for" => 1 )
       }
    }
}

Then I restarted the two services.

When I hit h-t-t-p-s://subdomain.freedynamicdns.net I get lighttpd landing page.

Also I can access next cloud at h-t-t-p-s://subdomain.freedynamicdns.net/nextcloud without any problem.

I can assume that everything related to lets-encrypt and ddns works fine.

I can access my vaultwarden at raspberry pi’s ip: h-t-t-p-://192.168.pi.ip:8001 so vaultwarden is up and running.

But when I am trying to access h-t-t-p-s://subdomain.freedynamicdns.net/vault/ I get the error page:

image

(where subdomain is my domain)

I followed these instructions to try fix the error : Fix lighttpd 404 not found error

So I added on /etc/lighttpd/lighttpd.conf :

server.max-fds = 2048

#directory listing
dir-listing.activate = "enable"
dir-listing.hide-dotfiles = "enable"
dir-listing.encoding = "utf-8"

But the result is the same.

I tried to be as specific as I can during the whole configuration.
h-t-t-p-s format is because the forum rules do not permit more than one links.
I am also not sure if I have to rewrite something else. For example if I should replace $HTTP[“host”] with $HTTP[“something-else”]

Can anyone help me or guide me on how to investigate the issue?
Thank you in advance

Ok I figured it out.

My issue was that the proxy configuration was not “enabled”. That means that the 10-proxy.conf file was only at conf-available directory and not at conf-enabled.

To enable 10-proxy configuration you have to run this command:

sudo lighttpd-enable-mod proxy

So @ [IIMustangII1151] could you please add this command at the end of your summary?

Like described on my post above :wink:

1 Like