Vaultwarden using Docker Compose with existing Certificates

Submitted ⁨⁨8⁩ ⁨months⁩ ago⁩ by ⁨Lobotomie@lemmy.world⁩ to ⁨selfhosted@lemmy.world⁩

Hello Friends,

I have a small ubuntu Server and I finally also want to transfer my Vaultwarden Instance to it. On this Server I have several services running (homeassistant, …) and Certbot via Dehydrated (right now I get a certificate for my duckdns address). In some directory I have the privkey and fullchain files.

Now my Problem is that when I start vaultwarden it wont load as https.

I believe, my Problem is telling Vaultwarden, where my certificate files are located so it can use them accordingly.

This is my Compose File right now:

vaultwarden: container_name: vaultwarden image: vaultwarden/server:latest restart: unless-stopped volumes: - /home/vaultwarden:/data/ - /home/(directory to my certificates):/usr/share/ca-certificates/ ports: - 8129:80 environment: - DOMAIN=hurrdurr.duckdns.org - LOGIN_RATELIMIT_MAX_BURST=10 - LOGIN_RATELIMIT_SECONDS=60 - ADMIN_RATELIMIT_MAX_BURST=10 - ADMIN_RATELIMIT_SECONDS=60 - ADMIN_TOKEN=token - SENDS_ALLOWED=true - EMERGENCY_ACCESS_ALLOWED=true - WEB_VAULT_ENABLED=true - SIGNUPS_ALLOWED=true

The Volume Mapping to the certificates was just me trying it out so maybe its working if I map it like that.

If I open the 8129 in my Browser it will just time out. I also managed it to start but it wouldnt let me register as theres not https certificate.

source

Comments

Sort:hotnew top

Kangie@lemmy.srcfiles.zip ⁨8⁩ ⁨months⁩ ago

Here’s the secret to stuff like this:

Run a single reverse proxy / edge router for all of your containerised services.

I recommend Traefik - gitlab.com/…/traefik-grafana-prometheus-docker

You can configure services with labels attached to the container and (almost) never expose ports directly. It also lets you host an arbitrary number of services listening on 80/443.

An example config might look like this:

# docker-compose.yml
version: '3.9'

services:
  bitwarden:
    image: vaultwarden/server:latest
    restart: always
    volumes:
      - /data/vaultwarden/:/data
    environment:
#      - ADMIN_TOKEN=
      - WEBSOCKET_ENABLED=true
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.bitwarden-ui-https.tls.certresolver=letsencrypt
      - traefik.http.middlewares.redirect-https.redirectScheme.scheme=https
      - traefik.http.middlewares.redirect-https.redirectScheme.permanent=true
      - traefik.http.routers.bitwarden-ui-https.rule=Host(`my.domain.com`)
      - traefik.http.routers.bitwarden-ui-https.entrypoints=websecure
      - traefik.http.routers.bitwarden-ui-https.tls=true
      - traefik.http.routers.bitwarden-ui-https.service=bitwarden-ui
      - traefik.http.routers.bitwarden-ui-http.rule=Host(`my.domain.com`)
      - traefik.http.routers.bitwarden-ui-http.entrypoints=web
      - traefik.http.routers.bitwarden-ui-http.middlewares=redirect-https
      - traefik.http.routers.bitwarden-ui-http.service=bitwarden-ui
      - traefik.http.services.bitwarden-ui.loadbalancer.server.port=80
      - traefik.http.routers.bitwarden-websocket-https.rule=Host(`my.domain.com) &amp;&amp; Path(`/notifications/hub`)
      - traefik.http.routers.bitwarden-websocket-https.entrypoints=websecure
      - traefik.http.routers.bitwarden-websocket-https.tls=true
      - traefik.http.routers.bitwarden-websocket-https.service=bitwarden-websocket
      - traefik.http.routers.bitwarden-websocket-http.rule=Host(`my.domain.com`) &amp;&amp; Path(`/notifications/hub`)
      - traefik.http.routers.bitwarden-websocket-http.entrypoints=web
      - traefik.http.routers.bitwarden-websocket-http.middlewares=redirect-https
      - traefik.http.routers.bitwarden-websocket-http.service=bitwarden-websocket
      - traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012

source

emhl@feddit.de ⁨8⁩ ⁨months⁩ ago
Using traefik as your first reverse proxy might be a bit daunting. Caddy or “nginx reverse proxy” are much easier to configure.

source
- 7Sea_Sailor@lemmy.dbzer0.com ⁨8⁩ ⁨months⁩ ago
  If you want it beginner friendly, I can recommend nginx proxy Manager, which is basically a web ui frontend for nginx. This has its own drawbacks, but makes setup very uncomplicated.
  
  source
  - -> View More Comments

dandroid@dandroid.app ⁨8⁩ ⁨months⁩ ago
Seconding a reverse proxy. Once you have it set up, it’s trivial to add a subdomain, forward it to your internal port that your container is exposing, then use certbot or whatever to get a new certificate for that subdomain.

I just use apache because I heavily use it for work, so I already know it well. But lots of people swear by nginx as well. There are lots of other options as well.

source
- lemmyvore@feddit.nl ⁨8⁩ ⁨months⁩ ago
  No need to get a certificate for ever subdomain, you can get a wildcard cert for *.your. domain.
  
  source
  - dandroid@dandroid.app ⁨8⁩ ⁨months⁩ ago
    True. I did that for one of my domains, but it was really quite annoying to do with certbot, as you needed some sort of plugin.
    
    source
    -> View More Comments
- klangcola@reddthat.com ⁨8⁩ ⁨months⁩ ago
  Thirding a reverse proxy. Probably Nginx Proxy Manager (NPM) is the easiest reverse proxy to get started with, if you don’t want to deal with plain nginx config files
  
  source

Decronym@lemmy.decronym.xyz ⁨8⁩ ⁨months⁩ ago

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters	More Letters
DNS	Domain Name Service/System
HTTP	Hypertext Transfer Protocol, the Web
IP	Internet Protocol
SSL	Secure Sockets Layer, for transparent encryption
nginx	Popular HTTP server

[Thread #129 for this sub, first seen 11th Sep 2023, 03:25] [FAQ] [Full list] [Contact] [Source code]

source

giddy@aussie.zone ⁨8⁩ ⁨months⁩ ago

I use Nginx Proxy Manager to reverse proxy all my services including Vaultwarden -

Setup in NPM -

Open Nginx Proxy Manager Admin Portal
Click Proxy Hosts
Click Add Proxy Host
Fill in the details
    Details tab
        Domain Names - vault.your.domain
        Scheme - http
        Forward Hostname/IP - vaultwarden (this should be the name of your vw container)
        Forward Port - 80
        Tick Block Common Exploits
        Tick Websockets Support
        Access List - Publicly Accessible
    Custom locations tab
        Add the following locations
            location 1
                location - /notifications/hub
                Scheme - http
                Forward Hostname/IP - vaultwarden
                Forward Port - 3012
                Click the cog symbol and add the following to the textbox that appears
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection "upgrade";
                    proxy_set_header X-Real-IP $remote_addr;
            location 2
                location - /notifications/hub/negotiate
                Scheme - http
                Forward Hostname/IP - vaultwarden
                Forward Port - 80
                Click the cog symbol and add the following to the textbox that appears
                    proxy_set_header Host $host;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header X-Forwarded-Proto $scheme;
            location 3
                location - /
                Scheme - http
                Forward Hostname/IP - vaultwarden
                Forward Port - 80
                Click the cog symbol and add the following to the textbox that appears
                    proxy_set_header Host $host;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header X-Forwarded-Proto $scheme;
    SSL tab
        SSL Certificate - Request a new SSL Certificate
        tick Use a DNS Challenge (or just expose port 80 if you accept the risk)
        DNS Provider - Dynu (this is my dyndns provider)
        Credentials File Content - replace YOUR_DYNU_AUTH_TOKEN with the API key from https://www.dynu.com/en-US/ControlPanel/APICredentials
        Email Address for Let's Encrypt - your email
        Tick I Agree to the Let's Encrypt Terms of Service
Click Save
Vaultwarden should now be accessible via https://vault.your.domain

source

Lobotomie@lemmy.world ⁨7⁩ ⁨months⁩ ago
Can I send you a pm regarding my progress so far? I’m kind off stuck at configuring everything:/

source