How to setup vaultwarden

So can I install frp or nginx using the dietpi-software installer?

Is there a guide for dietpi on how to set these up for vaultwarden?

Use Nginx via our installer. I would recommend using dietpi-letsencrypt to setup SSL on Nginx next. Once done you could configure the proxy for Vaultwarden

We don’t have a direct guide. Just have a look at the proxy examples on the Vaultwarden GitHub wiki (Proxy examples · dani-garcia/vaultwarden Wiki · GitHub). You could use them as a starting point.

should i be modifying the file located at /etc/nginx/nginx.conf ?

No, don’t touch the main configuration file. Better to create your own configuration at /etc/nginx/sites-dietpi/*.conf.

I tried this in the directory you recommended, it still doesn’t work. Did I miss anything out?

server {
  listen 443 ssl http2;
  server_name myddnsname.ddnsprovider.com;

  ssl_certificate /etc/letsencrypt/live/myddnsname.ddnsprovider.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/myddnsname.ddnsprovider.com/privkey.pem;

  # Specify SSL config if using a shared one.
  #include conf.d/ssl/ssl.conf;

  # Allow large attachments
  client_max_body_size 128M;

  location / {
    proxy_pass http://127.0.0.1:80;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  location /notifications/hub {
    proxy_pass http://127.0.0.1:3012;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  location /notifications/hub/negotiate {
    proxy_pass http://127.0.0.1:80;
  }

}

Also my Vaultwarden is only listening on port 8001, not sure what I did wrong there.

dietpi@DietPi:~$ ss -tulpn | grep LISTEN
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      1024         0.0.0.0:8001       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*

The whole server block is not needed. It should be fine to use the location sections only. As well, you need to disable HTTPS on Vaultwarden to allow HTTP connections. We did something similar for Lighttpd: Confused Reverse proxy and vaultwarden - #45 by IIMustangII1151 and Confused Reverse proxy and vaultwarden - #21 by Joulinar

nano /mnt/dietpi_userdata/vaultwarden/vaultwarden.env

Change the following things:

IP_HEADER=X-Forwarded-For
WEBSOCKET_ENABLED=true
WEBSOCKET_ADDRESS=0.0.0.0
WEBSOCKET_PORT=3012
DOMAIN=https://domain.com
#ROCKET_TLS={certs="./cert.pem",key="./privkey.pem"}

The domain line must look exactly like this?

I did DOMAIN=https://myadd.ddnsprovider.com

Now the Vaultwarden log shows:

Dec 18 22:49:02 DietPi vaultwarden[485]: [2022-12-18 22:49:02.312][vaultwarden::api::notifications][INFO] Starting WebSockets server on 0.0.0.0:3012
Dec 18 22:49:02 DietPi vaultwarden[485]: [2022-12-18 22:49:02.325][start][INFO] Rocket has launched from http://0.0.0.0:8001
Dec 18 22:50:04 DietPi vaultwarden[485]: [2022-12-18 22:50:04.940][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59194
Dec 18 22:50:04 DietPi vaultwarden[485]: [2022-12-18 22:50:04.942][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59195
Dec 18 22:50:04 DietPi vaultwarden[485]: [2022-12-18 22:50:04.953][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59196
Dec 18 22:50:04 DietPi vaultwarden[485]: [2022-12-18 22:50:04.955][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59197
Dec 18 22:50:04 DietPi vaultwarden[485]: [2022-12-18 22:50:04.956][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59198
Dec 18 22:50:04 DietPi vaultwarden[485]: [2022-12-18 22:50:04.958][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59200
Dec 18 22:50:05 DietPi vaultwarden[485]: [2022-12-18 22:50:05.983][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59204
Dec 18 22:50:05 DietPi vaultwarden[485]: [2022-12-18 22:50:05.985][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59205
Dec 18 22:50:06 DietPi vaultwarden[485]: [2022-12-18 22:50:06.098][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59206
Dec 18 22:50:06 DietPi vaultwarden[485]: [2022-12-18 22:50:06.100][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59207
Dec 18 22:50:06 DietPi vaultwarden[485]: [2022-12-18 22:50:06.120][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59208
Dec 18 22:50:06 DietPi vaultwarden[485]: [2022-12-18 22:50:06.120][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59209
Dec 18 22:50:06 DietPi vaultwarden[485]: [2022-12-18 22:50:06.122][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59211
Dec 18 22:50:06 DietPi vaultwarden[485]: [2022-12-18 22:50:06.123][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59212
Dec 18 22:50:06 DietPi vaultwarden[485]: [2022-12-18 22:50:06.913][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59214
Dec 18 22:50:06 DietPi vaultwarden[485]: [2022-12-18 22:50:06.915][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59215
Dec 18 22:50:06 DietPi vaultwarden[485]: [2022-12-18 22:50:06.921][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59216
Dec 18 22:50:06 DietPi vaultwarden[485]: [2022-12-18 22:50:06.923][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59217
Dec 18 22:50:06 DietPi vaultwarden[485]: [2022-12-18 22:50:06.923][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59218
Dec 18 22:50:06 DietPi vaultwarden[485]: [2022-12-18 22:50:06.925][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59220
Dec 18 22:50:11 DietPi vaultwarden[485]: [2022-12-18 22:50:11.945][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59228
Dec 18 22:50:11 DietPi vaultwarden[485]: [2022-12-18 22:50:11.947][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59229
Dec 18 22:50:11 DietPi vaultwarden[485]: [2022-12-18 22:50:11.955][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59230
Dec 18 22:50:11 DietPi vaultwarden[485]: [2022-12-18 22:50:11.956][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59231
Dec 18 22:50:11 DietPi vaultwarden[485]: [2022-12-18 22:50:11.957][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59233
Dec 18 22:50:11 DietPi vaultwarden[485]: [2022-12-18 22:50:11.958][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59234

Played with it. At least I don’t have these entries in my log. But it’s information only about connections from the local IP 192.168.1.99.

That should be fine. Are you able to access Vaultwarden locally using http://you.ip.address:8001 now?

My Nginx setup is as follows.

nano /etc/nginx/sites-dietpi/vaultwarden.conf

Added the following:

    location / {
      proxy_http_version 1.1;
      proxy_set_header "Connection" "";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://you.ip.address:8001;
    }

    location /notifications/hub/negotiate {
      proxy_http_version 1.1;
      proxy_set_header "Connection" "";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://you.ip.address:8001;
    }

    location /notifications/hub {
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Forwarded $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://you.ip.address:3012;
    }

Next, remove the root location from the default config file to avoid a duplicate location /.

nano /etc/nginx/sites-available/default

Comment out the lines for location / using #:

#       location / {
#               try_files $uri $uri/ =404;
#       }

Restart Nginx and you should be done:

systemctl restart nginx.service

I have done all the steps, I can access it locally but the site pops up as untrusted. I need to forward the port so I can use it on the bitwarden app, I am guessing external is 8080 and internal is 8001 right?

There should be no need to use a port at all. If using the reverse proxy, the site should be reachable on the default web server ports 80:443, which need to be forwarded to your proxy device.

So with this method I should be able to use the iOS app? I’ll try again with a fresh install.

Ok so I did the following things after reinstalling dietpi.

First I installed vaultwarden and certbot.

Then I ran sudo nano /mnt/dietpi_userdata/vaultwarden/vaultwarden.env and I only changed:

IP_HEADER=X-Forwarded-For
WEBSOCKET_ENABLED=true
WEBSOCKET_ADDRESS=0.0.0.0
WEBSOCKET_PORT=3012
DOMAIN=https://mydomain.ddnsprovider.com
#ROCKET_TLS={certs="./cert.pem",key="./privkey.pem"}

Then I created a file at /etc/nginx/sites-dietpi/vaultwarden.conf and this is the full content of the file:

    location / {
      proxy_http_version 1.1;
      proxy_set_header "Connection" "";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass https://mydomain.ddnsprovider.com:8001;
    }

    location /notifications/hub/negotiate {
      proxy_http_version 1.1;
      proxy_set_header "Connection" "";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass https://mydomain.ddnsprovider.com:8001;
    }

    location /notifications/hub {
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Forwarded $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass https://mydomain.ddnsprovider.com:3012;
    }

Then I ran sudo nano /etc/nginx/sites-available/default and commented out the following lines:

#       location / {
#               try_files $uri $uri/ =404;
#       }

Then I ran sudo dietpi-letsencrypt, filled in https://mydomain.ddnsprovider.com and my email and enabled https, created the certs but it failed because it said some port was blocked. So, I opened ports 80 and 443 on my router and forwarded them to my pi and ran the command again. It worked and the certs were created successfully. Then I restarted my pi.

Now if I go to 192.168.1.90, the address of my Pi, I get this instead of the Bitwarden login page:

404 Not Found
nginx

And if I go to https://mydomain.ddnsprovider.com, I get this:

502 Bad Gateway
nginx

When I close the ports on the router, the url can’t even be reached.
I don’t think I’ve set up the reverse proxy properly.
No idea what to do now.

Here are the Vaultwarden logs:

Dec 19 15:54:56 DietPi vaultwarden[493]: [INFO] No .env file found.
Dec 19 15:54:56 DietPi vaultwarden[493]: [2022-12-19 15:54:56.547][vaultwarden::api::notifications][INFO] Starting WebSockets server on 0.0.0.0:3012
Dec 19 15:54:56 DietPi vaultwarden[493]: [2022-12-19 15:54:56.593][_][WARN] Detected TLS-enabled liftoff without enabling HSTS.
Dec 19 15:54:56 DietPi vaultwarden[493]: [2022-12-19 15:54:56.593][_][WARN] Shield has enabled a default HSTS policy.
Dec 19 15:54:56 DietPi vaultwarden[493]: [2022-12-19 15:54:56.593][start][INFO] Rocket has launched from https://0.0.0.0:8001
Dec 19 15:55:13 DietPi vaultwarden[493]: [2022-12-19 15:55:13.325][rocket_http::tls::listener][WARN] tls handshake with 192.168.1.99:63287 failed: received corrupt message
Dec 19 15:55:13 DietPi vaultwarden[493]: [2022-12-19 15:55:13.329][rocket_http::tls::listener][WARN] tls handshake with 192.168.1.99:63288 failed: received corrupt message
Dec 19 15:55:14 DietPi vaultwarden[493]: [2022-12-19 15:55:14.367][rocket_http::tls::listener][WARN] tls handshake with 192.168.1.99:63289 failed: received corrupt message
Dec 19 15:55:14 DietPi vaultwarden[493]: [2022-12-19 15:55:14.371][rocket_http::tls::listener][WARN] tls handshake with 192.168.1.99:63290 failed: received corrupt message
Dec 19 15:56:26 DietPi vaultwarden[493]: [2022-12-19 15:56:26.432][rocket_http::tls::listener][WARN] tls handshake with 192.168.1.99:63291 failed: tls handshake eof

Locally you still have to request the websocket port 8001: http://192.168.1.90:8001 should work.
For external access you use your domain and the reverse proxy, to get to the site without using the port in the URL.

This is expected since you are not able to reach the webserver anymore. If you call a domain you make a request to the related IP on port 80/443. If you close the ports the webserver cannot respond to these requests. These ports must stay forwarded.

And I think you get a 502 because of your wrong vaultwarden.conf.
proxy_pass https://mydomain.ddnsprovider.com:8001; should be

proxy_pass http://192.168.1.90:8001;

So http and not https, and the local IP of the device and not your domain.
Also set this for the notification hub with port 3012.

Port 80:443 would need to be open all the time. Otherwise, your reverse proxy is not working. As well, you are not able to refresh certificates once needed. It’s key to forward them from the router to DietPi.

Yes, you set an incorrect proxy_pass https://mydomain.ddnsprovider.com:8001; inside the Nginx configuration file. It would need to be the local IP address of your system, instead of the DDNS name. If both Nginx and Vaultwarden are running on the same system, it could be the localhost IP http://127.0.0.1:8001 as well. You need to adjust this 3 times inside the config file.
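A small check for the two proxy_pass mistakes discussed above, added here as an example (it is not DietPi or Vaultwarden code; the config fragment and journal lines are constructed to mirror the ones posted in this thread). It reads the scheme Rocket reports at launch and flags every proxy_pass whose scheme disagrees with it, or whose upstream is a public name rather than a loopback or private address; it also counts the TLS handshake failures that show up when plain HTTP reaches a TLS-enabled port.

```python
import ipaddress
import re

# Constructed sample input: the three proxy_pass lines from the thread's vaultwarden.conf.
NGINX_CONF = """\
location / { proxy_pass https://mydomain.ddnsprovider.com:8001; }
location /notifications/hub/negotiate { proxy_pass https://mydomain.ddnsprovider.com:8001; }
location /notifications/hub { proxy_pass https://mydomain.ddnsprovider.com:3012; }
"""

# Constructed sample input: two lines in the shape of the Vaultwarden journal output above.
VW_LOG = """\
[2022-12-19 15:54:56.593][start][INFO] Rocket has launched from https://0.0.0.0:8001
[2022-12-19 15:55:13.325][rocket_http::tls::listener][WARN] tls handshake with 192.168.1.99:63287 failed: received corrupt message
"""

# Bracketed IPv6 upstreams are not handled; the thread only uses IPv4 and hostnames.
PROXY_PASS = re.compile(r'proxy_pass\s+(https?)://([^:;/\s]+)(?::(\d+))?')
LAUNCH = re.compile(r'Rocket has launched from (https?)://')
TLS_FAIL = re.compile(r'tls handshake with \S+ failed')


def backend_scheme(log):
    """Scheme Rocket actually listens with, taken from its launch line (None if absent)."""
    m = LAUNCH.search(log)
    return m.group(1) if m else None


def tls_failures(log):
    """Number of failed TLS handshakes: a sign that something sent plain HTTP to the TLS port."""
    return len(TLS_FAIL.findall(log))


def check_proxy(conf, log):
    """Return one finding per proxy_pass that disagrees with the backend or leaves the host."""
    findings = []
    scheme = backend_scheme(log)
    for s, host, port in PROXY_PASS.findall(conf):
        target = f"{s}://{host}" + (f":{port}" if port else "")
        if scheme and s != scheme:
            findings.append(f"{target}: scheme mismatch, Rocket listens on {scheme}")
        try:
            addr = ipaddress.ip_address(host)
            local = addr.is_loopback or addr.is_private
        except ValueError:          # a hostname, e.g. the public DDNS name
            local = False
        if not local:
            findings.append(f"{target}: upstream should be a local address, not a public name")
    return findings
```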

Always use the DDNS address and not the local IP, because you need to pass the proxy to get the valid certificate. Using an IP address will not work on HTTPS and this is what is needed for Vaultwarden to work. Using HTTP will result in issues, as Vaultwarden might reject the access :wink:

So I changed all the IPs to http://127.0.0.1 and I got the same error, so I tried https://127.0.0.1 and it works now on the internet under https. Thanks!

I have one last question: is there any way to access it locally so I don’t have to expose it to the internet? Because I have a WireGuard server on another computer and it would make it more secure.

That would be surprising since you have HTTPS disabled on Vaultwarden? You have not?

You need to get yourself clear what setup you like to go with.

  • If you like an official SSL certificate and the possibility to access Vaultwarden from internet without using VPN, you need to expose port 80:443.
  • If you like to access via VPN only and there is no need for direct internet access, we could have skipped the whole exercise of setting up a reverse proxy and you could stay with the initial setup.

I am not sure if I have disabled HTTPS on Vaultwarden, I did all the steps I listed above.

Sorry, I did not realize they were going to be different methods. I am glad that it works like this. But I was hoping that I could eventually only access it using iOS or another laptop while my WireGuard VPN was connected to the same network.

Is that actually possible? Because with the initial setup there was no cert issued and the app wouldn’t let me connect.

You could have told this at the very beginning as we went to a completely different road now. We could have saved a lot of time. :roll_eyes:

On iOS you need to import the DietPi self-signed certificate manually. Otherwise, iOS is rejecting the access.

Yes, you can access Vaultwarden locally without the need to have a reverse proxy, official SSL certificates and so on. Just have a look at our online docs (Cloud and Backup Systems Software Options - DietPi.com Docs). There is a blue box at the bottom of the Vaultwarden section describing how to import the certificate into macOS. For iOS you could search the web. There as well you can import a self-signed cert.

Ok thanks! I think in that case I will stick to the internet method instead of the VPN method. Manually doing the certificates is a pain.

One more thing, by the way: if I want to do regular backups of the data, I should back up the /mnt/dietpi_userdata/vaultwarden/ folder, correct?