Vaultwarden on Apache2

Hi,

I searched the internet and this forum and I’m no wiser. So, once again, I’ve come to ask for help.

I have the newest DietPi v8.0.2, running Nextcloud, Pi-Hole, Apache2 and some other unrelated software.

I wanted to give Vaultwarden a try, but am not able to make it work with my LetsEncrypt certificate.

My goal is to have it available on https://niaz.site:8001, for external use with apps. I don’t need or want any redirects, I just want it working on exactly that address.

After installation of VW I tried its functionality with a self-signed certificate, and everything was fine.

So I commented Rocket stuff in /mnt/dietpi_userdata/vaultwarden/vaultwarden.env and added to /etc/apache2/sites-available/000-default-le-ssl.conf this:

<VirtualHost *:8001>
    ServerName niaz.site
    DocumentRoot /mnt/dietpi_userdata/vaultwarden/web-vault
    ErrorLog ${APACHE_LOG_DIR}/bitwarden-error.log
    #CustomLog ${APACHE_LOG_DIR}/bitwarden-access.log combined

    SSLCertificateFile /etc/letsencrypt/live/niaz.site/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/niaz.site/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

This gave me a "Forbidden. You don’t have permission to access this resource." page. So I added this to /etc/apache2/apache2.conf:

<Directory /mnt/dietpi_userdata/vaultwarden/web-vault>
    DirectoryIndex index.php index.html
    # Indexes enables directory listings for this path when no index file matches
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

Now the VW page is nicely available, but I can’t connect to the account I made before. When I try to log in I get a red notification:

An error has occurred. An unexpected error has occurred.

When I try to make a new account on this config, I get a red notification stating:

An error has occurred.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> <hr> <address>Apache/2.4.52 (Debian) Server at 10.11.0.100 Port 8001</address> </body></html>

Can you please help me figure out, where I screwed up? :slight_smile:

Please revert all changes you have done. Basically you have 2 options.

The first one would be to configure VW to use the LetsEncrypt certificate directly. This would need to be done in the VW configuration file. VW would still be reachable on the original port 8001.

The second option would be to configure Apache to work as a reverse proxy. This would reduce the number of ports to be open if you like VW to be reachable from the internet. VW would be reachable on the normal web server ports 80/443.

You would need to decide first, which option you like to use.

Okay, reverted.

In the second choice, how would it work with my Nextcloud, which I currently run on a completely random port?

That means Apache is not running on port 80/443. Or did you create a vhost for Nextcloud only? Usually it should be possible to reuse it or to create your own vhost configuration.

There are 2 examples for Apache reverse proxy configuration: https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples

My /etc/apache2/sites-available/000-default-le-ssl.conf looks like this:

<IfModule mod_ssl.c>
<VirtualHost *:10443>
    ServerName niaz.site
    DocumentRoot /var/www
    ErrorLog ${APACHE_LOG_DIR}/error.log
    #CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLCertificateFile /etc/letsencrypt/live/niaz.site/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/niaz.site/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>
</VirtualHost>
</IfModule>

Then I access Nextcloud on https://niaz.site:10443/nextcloud

Again 2 options:

create your own vhost configuration with another random port

or

reuse the existing vhost for Nextcloud and add a location config for VW. This would require enabling the sub path in the VW config.

create your own vhost configuration with another random port

That’s what I was aiming for originally but failed. :slight_smile:

Did you check the configuration example on the VW GitHub I posted above? I guess the example Apache (by fbartels) might fit (server name and port to be adjusted). But this might require a 2nd certificate if you are going for a sub domain.

Have a look into the 2nd example Apache in a sub-location (by ss89) if you prefer using a sub path.

That’s the configuration I was coming from. I thought I had the knowledge to make it work, but I was wrong.

My goal was to not have it as a subdomain, just accessible on a different port. I’ll try to read more on how it works.

On the configuration you shared, you tried to change DocumentRoot to the VW directory. This of course is not working because VW is not a web server application like Nextcloud. It’s its own app providing its own HTTP server. That means you need to proxy requests to VW via a reverse proxy functionality.

Like this:

    # WebSocket upgrades for the notifications hub go to the VW websocket port (3012)
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /notifications/hub(.*) ws://<SERVER>:3012/$1 [P,L]
    # Everything else goes to the VW HTTP port; <SERVER> and the ports are placeholders
    ProxyPass / http://<SERVER>:80/

    ProxyPreserveHost On
    ProxyRequests Off
    RequestHeader set X-Real-IP %{REMOTE_ADDR}s

or with a sub path:

    # Adjust the sub path here if necessary; $sublocation is a placeholder, not an Apache variable.
    # (Apache does not allow a comment after a directive on the same line, so it goes above.)
    <Location /$sublocation/>
        RewriteEngine On
        RewriteCond %{HTTP:Upgrade} =websocket [NC]
        RewriteRule /notifications/hub(.*) ws://<SERVER>:3012/$1 [P,L]
        ProxyPass http://<SERVER>:80/$sublocation/

        ProxyPreserveHost On
        RequestHeader set X-Real-IP %{REMOTE_ADDR}s
    </Location>

I think I’m not smart enough for this.

Where do I define the port for VW? Because my understanding is that for the reverse proxy solution Rocket should be commented out, right?

Or should ROCKET_PORT=8001 still be set?

Basically it is similar to this small how-to: https://dietpi.com/forum/t/confused-reverse-proxy-and-vaultwarden/5762/21

At the point where it comes to the web server config, you need to add an Apache reverse proxy config like the examples on the VW Wiki.
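Putting the wiki's first snippet into a dedicated vhost for the goal stated at the top of the thread (HTTPS on port 8001 with the LetsEncrypt certificate, Vaultwarden itself reachable only through the proxy) is an added example, not config from the thread or the Vaultwarden wiki. It assumes vaultwarden.env sets DOMAIN=https://niaz.site:8001, ROCKET_ADDRESS=127.0.0.1, ROCKET_PORT=8000 and WEBSOCKET_ENABLED=true, and that the Apache modules listed in the comments are enabled.

```apache
# Added example (not from the thread or the Vaultwarden wiki).
# Assumed vaultwarden.env settings:
#   DOMAIN=https://niaz.site:8001
#   ROCKET_ADDRESS=127.0.0.1   # VW only reachable through the proxy
#   ROCKET_PORT=8000           # must differ from the public port 8001
#   WEBSOCKET_ENABLED=true     # notifications hub on 127.0.0.1:3012
# Assumed Apache modules: a2enmod ssl proxy proxy_http proxy_wstunnel rewrite headers

# Remove this line if /etc/apache2/ports.conf already listens on 8001
Listen 8001

<IfModule mod_ssl.c>
<VirtualHost *:8001>
    ServerName niaz.site
    ErrorLog ${APACHE_LOG_DIR}/vaultwarden-error.log
    CustomLog ${APACHE_LOG_DIR}/vaultwarden-access.log combined

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/niaz.site/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/niaz.site/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    # No DocumentRoot: Vaultwarden serves the web vault itself.
    ProxyRequests Off
    ProxyPreserveHost On

    # WebSocket upgrades for the notifications hub go to port 3012;
    # this rule must come before the catch-all ProxyPass below.
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /notifications/hub(.*) ws://127.0.0.1:3012/$1 [P,L]

    # Everything else is plain HTTP to the Rocket port on localhost
    ProxyPass        / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/

    RequestHeader set X-Real-IP %{REMOTE_ADDR}s
    RequestHeader set X-Forwarded-Proto "https"

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>
</VirtualHost>
</IfModule>
```

Save it as its own file under /etc/apache2/sites-available/, enable it with a2ensite, and run apache2ctl configtest before reloading Apache.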

Ok, uncommented and set the websocket rules, also the Rocket port.

Now, should I add the Apache reverse proxy config to the existing config or create a new one? If a new one, should I define it somewhere or will Apache understand it?

I would need to do some testing on what the config needs to look like. Personally I don’t have Apache + VW running at the moment, give me some time.

Of course, it’s not a pressing issue.

I’m gonna be (and am) trying myself. Maybe I’m gonna have a eureka moment, but I doubt it. :smiley: