Confused Reverse proxy and vaultwarden

Joulinar
Posts: 5996
Joined: Sat Nov 16, 2019 12:49 am

Re: Confused Reverse proxy and vaultwarden

Post by Joulinar »

Of course you can use Docker and containers like NginxProxyManager or Traefik, but it's working without as well.

I did a test installation on 2 RPis. I used 2 devices just for testing. It's fine to host the web server as well as vaultwarden on a single device.
  1. created a DDNS domain from a free provider
  2. activated regular DDNS updates using dietpi-ddns
  3. RPi 1 is hosting the web server lighttpd
  4. RPi 2 is hosting vaultwarden
  5. on RPi 2 I was going to disable HTTPS on vaultwarden
    nano /mnt/dietpi_userdata/vaultwarden/vaultwarden.env
  6. disable TLS
    #ROCKET_TLS={certs="./cert.pem",key="./privkey.pem"}
  7. next to this, I enabled WebSocket notifications
    WEBSOCKET_ENABLED=true
    WEBSOCKET_ADDRESS=0.0.0.0
    WEBSOCKET_PORT=3012
  8. save the file and restart the service
    systemctl restart vaultwarden.service
  9. vaultwarden is reachable on HTTP now
  10. on RPi 1 I executed dietpi-letsencrypt and was going to install certbot
  11. once done, I requested an SSL certificate for my DDNS domain and activated the redirect HTTP > HTTPS
  12. lighttpd is already reachable on HTTP/HTTPS now
  13. the SSL certificate will be renewed automatically by certbot if required
  14. add the proxy config to lighttpd
    nano /etc/lighttpd/conf-available/10-proxy.conf
  15. add the following
    $HTTP["host"] == "your.ddns.com" {
        # "==" is an exact match: only /notifications/hub goes to the WebSocket
        # server; /notifications/hub/negotiate falls into the else branch below
        $HTTP["url"] == "/notifications/hub" {
           # WebSocket proxy
           proxy.server  = ( "" => ("vaultwarden" => ( "host" => "192.168.0.x", "port" => 3012 )))
           proxy.forwarded = ( "for" => 1 )
           proxy.header = (
               "upgrade" => "enable",
               "connect" => "enable"
           )
        } else {
           # everything else for this host goes to the vaultwarden Rocket HTTP server
           proxy.server  = ( "" => ("vaultwarden" => ( "host" => "192.168.0.x", "port" => 8001 )))
           proxy.forwarded = ( "for" => 1 )
        }
    }
  16. add the correct DDNS host and IP address
  17. save the file, activate the setting and restart the service
    lighty-enable-mod proxy
    service lighttpd force-reload
    systemctl restart lighttpd.service
  18. now, vaultwarden should be reachable via your.ddns.com
  19. testing with web browser and app was working fine.
Please let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
permarco
Posts: 1
Joined: Wed Oct 20, 2021 6:45 pm

Re: Confused Reverse proxy and vaultwarden

Post by permarco »

Hi to all, sorry to re-up the topic.

I followed the instructions from Joulinar and obtained a working Vaultwarden server accessible from my DDNS "site". The problem starts when I want to access other web apps on the server (in my case nextcloud): it seems that the above configuration redirects *all* the traffic to the vaultwarden server. For example, if I point the browser to "my.site/nextcloud" I receive a response from the vaultwarden ROCKET web server. I then read the documentation in the vaultwarden GitHub and found:
"To enable WebSockets notifications, an external reverse proxy is necessary, and it must be configured to do the following:

Route the /notifications/hub endpoint to the WebSocket server, by default at port 3012, making sure to pass the Connection and Upgrade headers. (Note the port can be changed with WEBSOCKET_PORT variable)
Route everything else, including /notifications/hub/negotiate, to the standard Rocket server, by default at port 80."
So it seems to me that the 10-proxy configuration file is redirecting all the traffic to the vaultwarden web server. My question is: is there a possible workaround to this using lighttpd? I tried to understand what the script really does, but I'm confused about the
$HTTP["url"] == "/notifications/hub" {
string. Sorry for my English and thanks in advance!
Marco
Joulinar
Posts: 5996
Joined: Sat Nov 16, 2019 12:49 am

Re: Confused Reverse proxy and vaultwarden

Post by Joulinar »

Basically the config above is doing 3 things.
  1. it is reacting on a specific domain "your.ddns.com"
  2. requests for the sub folder "/notifications/hub" will be redirected to the vaultwarden WebSocket notifications server on port 3012.
  3. all other requests will be redirected to the vaultwarden web server on port 8001
Specifying nextcloud as a sub folder will not have any effect, as it will be covered by point 3 and forward the request to the vaultwarden web server if using the specific domain "your.ddns.com". At least this is what I'm guessing, as I'm not a reverse proxy specialist.

Best would be if you reconfigure vaultwarden to work on a sub path. https://github.com/dani-garcia/vaultwar ... e-base-dir

This way it's possible to differentiate between nextcloud and vaultwarden. The proxy configuration would need to be adjusted as well to redirect according to the sub path:

$HTTP["host"] == "dietpi.example.com" {
    # with DOMAIN ending in /vault the clients connect to /vault/notifications/hub
    $HTTP["url"] == "/vault/notifications/hub" {
       # WebSocket proxy
       proxy.server  = ( "" => ("vaultwarden" => ( "host" => "192.168.0.x", "port" => 3012 )))
       proxy.forwarded = ( "for" => 1 )
       proxy.header = (
           "upgrade" => "enable",
           "connect" => "enable"
       )
    } else {
       # "=~" is a regex anchored at the start, so everything below /vault
       # (e.g. /vault/api/...) reaches the Rocket server; "==" would only have
       # matched the bare /vault path. Paths like /nextcloud match no proxy
       # rule and are served by lighttpd itself.
       $HTTP["url"] =~ "^/vault" {
          proxy.server  = ( "" => ("vaultwarden" => ( "host" => "192.168.0.x", "port" => 8001 )))
          proxy.forwarded = ( "for" => 1 )
       }
    }
}
Please let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
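To make the matching rules behind both posts concrete, here is an added example (my own code, not lighttpd's, DietPi's or vaultwarden's) that models how lighttpd evaluates the $HTTP["url"] conditionals from the proxy configs above for a few request paths; the "/vault/notifications/hub" path and the 8001/3012 ports assume the sub-path setup with vaultwarden's DOMAIN ending in "/vault".

```python
"""Added example (my own code, not lighttpd's or DietPi's): a small model of
how lighttpd evaluates the $HTTP["url"] conditionals in the proxy configs
above, so '==' vs prefix matching can be checked for any request path."""
import re
from typing import Callable, Optional

Predicate = Callable[[str], bool]


def url_eq(value: str) -> Predicate:
    """lighttpd '==': exact comparison of the whole URL path."""
    return lambda path: path == value


def url_regex(pattern: str) -> Predicate:
    """lighttpd '=~': regex search on the path; '^/vault' acts as a prefix match."""
    compiled = re.compile(pattern)
    return lambda path: compiled.search(path) is not None


def route(path: str, rules: list) -> Optional[int]:
    """Walk an if/else chain: the first matching rule wins and returns the
    backend port. None means no proxy rule applied, so lighttpd serves the
    path itself (e.g. /nextcloud from its own document root)."""
    for predicate, port in rules:
        if predicate(path):
            return port
    return None


# Config from the first post: hub -> WebSocket port, everything else -> Rocket.
ORIGINAL = [
    (url_eq("/notifications/hub"), 3012),
    (lambda _path: True, 8001),  # the 'else' branch catches every other path
]

# Sub-path variant (assumes vaultwarden DOMAIN ends in /vault): only /vault...
# is proxied; there is no 'else', so other paths stay with lighttpd.
SUBPATH = [
    (url_eq("/vault/notifications/hub"), 3012),
    (url_regex("^/vault"), 8001),
]

# Same layout but with '==' on "/vault": only the bare path would match.
SUBPATH_EXACT = [
    (url_eq("/vault/notifications/hub"), 3012),
    (url_eq("/vault"), 8001),
]

if __name__ == "__main__":
    for path in ("/nextcloud", "/notifications/hub/negotiate", "/vault/api/sync"):
        print(path, route(path, ORIGINAL), route(path, SUBPATH), route(path, SUBPATH_EXACT))
```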