Confused Reverse proxy and vaultwarden

jmf
Posts: 10
Joined: Fri Sep 24, 2021 1:38 pm

Re: Confused Reverse proxy and vaultwarden

Post by jmf »

Joulinar wrote: Fri Sep 24, 2021 3:31 pm pls share your config file

BTW: Is there a strong need for lighttpd? It's not the best choice for a reverse proxy
I fixed the server by replacing <SERVER> with my local IP address but the app on my phone still gives me

Code:

"Exception message: Hostname (removed my url) not verified: certificate DN: CN DietPi Vaultwarden subjectAltNames [192.168.15.6, and my Server name].
I'm newish to linux and lighttpd was just installed automatically with the apps. Would I have to do heaps of config to use Apache instead?

Here is my config file:

Code:

# /usr/share/doc/lighttpd/proxy.txt

server.modules   += ( "mod_proxy" )

## Balance algorithm, possible values are: "hash", "round-robin" or "fair" (default)
# proxy.balance     = "hash"


## Redirect all queries to files ending with ".php" to 192.168.0.101:80
#proxy.server     = ( ".php" =>
#                     (
#                       ( "host" => "192.168.0.101",
#                         "port" => 80
#                       )
#                     )
#                    )

## Redirect all connections on www.example.com to 10.0.0.1{0,1,2,3}
#$HTTP["host"] == "www.example.com" {
#  proxy.balance = "hash"
#  proxy.server  = ( "" => ( ( "host" => "10.0.0.10" ),
#                            ( "host" => "10.0.0.11" ),
#                            ( "host" => "10.0.0.12" ),
#                            ( "host" => "10.0.0.13" ) ) )
#}

$HTTP["host"] == "mydomain.dynu.com" {
    $HTTP["url"] == "/notifications/hub" {
       # WebSocket proxy
       proxy.server  = ( "" => ("vaultwarden" => ( "host" => "192.168.15.6", "port" => 3012 )))
       proxy.forwarded = ( "for" => 1 )
       proxy.header = (
           "https-remap" => "enable",
           "upgrade" => "enable",
           "connect" => "enable"
       )
    } else {
       proxy.server  = ( "" => ("vaultwarden" => ( "host" => "192.168.15.6", "port" => 8001 )))
       proxy.forwarded = ( "for" => 1 )
       proxy.header = ( "https-remap" => "enable" )
    }
}
Joulinar
Posts: 6000
Joined: Sat Nov 16, 2019 12:49 am

Re: Confused Reverse proxy and vaultwarden

Post by Joulinar »

Looks like your app did not accept the SSL certificate, which is logical as the certificate is a self-signed one.

Question: do you plan to access vaultwarden from the internet or locally only?
Pls let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
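What the app's "Hostname ... not verified" error above is checking, as an added example (not part of any post, and not Vaultwarden or DietPi code): a TLS client compares the hostname it connected to against the certificate's subjectAltNames, so a certificate that lists only the LAN IP and the local server name cannot verify for the public DDNS name. The function names and the `dietpi` stand-in for the redacted server name are assumptions.

```python
# Added example: hostname verification against a certificate's subjectAltNames.
import ipaddress


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def dns_match(pattern, host):
    """Case-insensitive dNSName match; '*' may only replace the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard must be followed by at least two literal labels (no "*.com").
        return len(p) >= 3 and bool(h[0]) and p[1:] == h[1:]
    return p == h


def verify_hostname(host, san_dns, san_ip):
    """Return (ok, reason). Only the SANs decide; the subject CN is not consulted."""
    if is_ip(host):
        want = ipaddress.ip_address(host)
        ok = any(ipaddress.ip_address(ip) == want for ip in san_ip)
        kind = "iPAddress"
    else:
        ok = any(dns_match(name, host) for name in san_dns)
        kind = "dNSName"
    return ok, f"{host}: {'match' if ok else 'no match'} in {kind} SANs"


# Constructed certificates. "dietpi" stands in for the redacted server name.
SELF_SIGNED = {"san_dns": ["dietpi"], "san_ip": ["192.168.15.6"]}
PUBLIC_NAME = {"san_dns": ["mydomain.dynu.com"], "san_ip": []}

if __name__ == "__main__":
    for label, cert in (("self-signed", SELF_SIGNED), ("public-name", PUBLIC_NAME)):
        for host in ("mydomain.dynu.com", "192.168.15.6", "dietpi"):
            print(label, verify_hostname(host, **cert)[1])
```

This name check is separate from the trust check: a certificate can list the right name and still be rejected because the client does not trust its issuer.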
jmf
Posts: 10
Joined: Fri Sep 24, 2021 1:38 pm

Re: Confused Reverse proxy and vaultwarden

Post by jmf »

jmf wrote: Fri Sep 24, 2021 2:56 pm
Joulinar wrote: Fri Sep 24, 2021 2:47 pm into which file you have added the configuration?

Could you share following pls

Code:

/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf
There's no output. I deleted the entries that I copied from the site I mentioned when lighttpd couldn't restart.
I would like to access my passwords etc when not at home.
MichaIng
Site Admin
Posts: 3357
Joined: Sat Nov 18, 2017 6:21 pm

Re: Confused Reverse proxy and vaultwarden

Post by MichaIng »

Then I suggest applying for a public TLS certificate, e.g. via dietpi-letsencrypt, and applying this to vaultwarden as well. This way you also avoid the process of importing the certificate into the client's OS CA store.
Joulinar
Posts: 6000
Joined: Sat Nov 16, 2019 12:49 am

Re: Confused Reverse proxy and vaultwarden

Post by Joulinar »

Or to have the certificate on lighttpd only and switch vaultwarden to HTTP?

Something I would need to test if it is working this way.
jmf
Posts: 10
Joined: Fri Sep 24, 2021 1:38 pm

Re: Confused Reverse proxy and vaultwarden

Post by jmf »

Joulinar wrote: Fri Sep 24, 2021 6:53 pm Or to have the certificate on lighttpd only and switch vaultwarden to HTTP?

Something I would need to test if it is working this way.
MichaIng wrote: Fri Sep 24, 2021 5:12 pm Then I suggest applying for a public TLS certificate, e.g. via dietpi-letsencrypt, and applying this to vaultwarden as well. This way you also avoid the process of importing the certificate into the client's OS CA store.
I decided to purchase a domain name and SSL from Namecheap that allows A records to dynamically update.

Sorry, I'm fairly new to this. How do I set up dietpi-letsencrypt and vaultwarden with this SSL?
Joulinar
Posts: 6000
Joined: Sat Nov 16, 2019 12:49 am

Re: Confused Reverse proxy and vaultwarden

Post by Joulinar »

I don't think it was needed to purchase anything. There are quite some free DDNS providers available.

To use dietpi-letsencrypt, you would need to forward port 80/443 from your router to your DietPi system. Once done, run the command dietpi-letsencrypt from the command line and enter your data to generate your SSL certificate.
jmf
Posts: 10
Joined: Fri Sep 24, 2021 1:38 pm

Re: Confused Reverse proxy and vaultwarden

Post by jmf »

Joulinar wrote: Sun Sep 26, 2021 11:27 pm I don't think it was needed to purchase anything. There are quite some free DDNS providers available.

To use dietpi-letsencrypt, you would need to forward port 80/443 from your router to your DietPi system. Once done, run the command dietpi-letsencrypt from the command line and enter your data to generate your SSL certificate.

Sorry for sounding dumb. I used to work in IT years ago before I got sick and I've forgotten all my nix stuff.

I've created my own cert but vaultwarden doesn't like it. I was following MichaIng's reply that said I need to apply for a public one.

How do I use my public SSL on my local system?
murphydoe
Posts: 10
Joined: Tue May 04, 2021 7:22 am

Re: Confused Reverse proxy and vaultwarden

Post by murphydoe »

I've also been trying for a while to get my own certificate to run locally.
Unfortunately nothing.
Now it works with nginx proxy manager.
Nginx with docker and forward there via the open port.
But it only works if no other service uses port 80/443.
My tip: use an extra raspy for your project.
I installed docker with dietpi and then added the docker images nginx and vaultwarden.
Everything in 10 minutes.
jmf
Posts: 10
Joined: Fri Sep 24, 2021 1:38 pm

Re: Confused Reverse proxy and vaultwarden

Post by jmf »

murphydoe wrote: Mon Sep 27, 2021 7:18 am I've also been trying for a while to get my own certificate to run locally.
Unfortunately nothing.
Now it works with nginx proxy manager.
Nginx with docker and forward there via the open port.
But it only works if no other service uses port 80/443.
My tip: use an extra raspy for your project.
I installed docker with dietpi and then added the docker images nginx and vaultwarden.
Everything in 10 minutes.
Thanks for your reply. I just found this https://www.youtube.com/watch?v=b83S_N1kkJM https://dbtechreviews.com/2020/04/how-t ... nd-docker/