Vaultwarden using Docker Compose with existing Certificates

Comments

• Kangie@lemmy.srcfiles.zip ⁨1⁩ ⁨year⁩ ago

  Here’s the secret to stuff like this:

  Run a single reverse proxy / edge router for all of your containerised services.

  I recommend Traefik - gitlab.com/…/traefik-grafana-prometheus-docker

  You can configure services with labels attached to the container and (almost) never expose ports directly. It also lets you host an arbitrary number of services listening on 80/443.

  An example config might look like this:

  # docker-compose.yml
  version: '3.9'
  
  services:
    bitwarden:
      image: vaultwarden/server:latest
      restart: always
      volumes:
        - /data/vaultwarden/:/data
      environment:
  #      - ADMIN_TOKEN=
        - WEBSOCKET_ENABLED=true
      networks:
        - proxy
      labels:
        - traefik.enable=true
        - traefik.http.routers.bitwarden-ui-https.tls.certresolver=letsencrypt
        - traefik.http.middlewares.redirect-https.redirectScheme.scheme=https
        - traefik.http.middlewares.redirect-https.redirectScheme.permanent=true
        - traefik.http.routers.bitwarden-ui-https.rule=Host(`my.domain.com`)
        - traefik.http.routers.bitwarden-ui-https.entrypoints=websecure
        - traefik.http.routers.bitwarden-ui-https.tls=true
        - traefik.http.routers.bitwarden-ui-https.service=bitwarden-ui
        - traefik.http.routers.bitwarden-ui-http.rule=Host(`my.domain.com`)
        - traefik.http.routers.bitwarden-ui-http.entrypoints=web
        - traefik.http.routers.bitwarden-ui-http.middlewares=redirect-https
        - traefik.http.routers.bitwarden-ui-http.service=bitwarden-ui
        - traefik.http.services.bitwarden-ui.loadbalancer.server.port=80
        - traefik.http.routers.bitwarden-websocket-https.rule=Host(`my.domain.com) && Path(`/notifications/hub`)
        - traefik.http.routers.bitwarden-websocket-https.entrypoints=websecure
        - traefik.http.routers.bitwarden-websocket-https.tls=true
        - traefik.http.routers.bitwarden-websocket-https.service=bitwarden-websocket
        - traefik.http.routers.bitwarden-websocket-http.rule=Host(`my.domain.com`) && Path(`/notifications/hub`)
        - traefik.http.routers.bitwarden-websocket-http.entrypoints=web
        - traefik.http.routers.bitwarden-websocket-http.middlewares=redirect-https
        - traefik.http.routers.bitwarden-websocket-http.service=bitwarden-websocket
        - traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012
  

  source

  • emhl@feddit.de ⁨1⁩ ⁨year⁩ ago

    Using traefik as your first reverse proxy might be a bit daunting. Caddy or “nginx reverse proxy” are much easier to configure.

    source

    • 7Sea_Sailor@lemmy.dbzer0.com ⁨1⁩ ⁨year⁩ ago

      If you want it beginner friendly, I can recommend nginx proxy Manager, which is basically a web ui frontend for nginx. This has its own drawbacks, but makes setup very uncomplicated.

      source

      • -> View More Comments
• dandroid@dandroid.app ⁨1⁩ ⁨year⁩ ago

  Seconding a reverse proxy. Once you have it set up, it’s trivial to add a subdomain, forward it to your internal port that your container is exposing, then use certbot or whatever to get a new certificate for that subdomain.

  I just use apache because I heavily use it for work, so I already know it well. But lots of people swear by nginx as well. There are lots of other options as well.

  source

  • lemmyvore@feddit.nl ⁨1⁩ ⁨year⁩ ago

    No need to get a certificate for ever subdomain, you can get a wildcard cert for *.your. domain.

    source

    • dandroid@dandroid.app ⁨1⁩ ⁨year⁩ ago

      True. I did that for one of my domains, but it was really quite annoying to do with certbot, as you needed some sort of plugin.

      source

      • -> View More Comments
  • klangcola@reddthat.com ⁨1⁩ ⁨year⁩ ago

    Thirding a reverse proxy. Probably Nginx Proxy Manager (NPM) is the easiest reverse proxy to get started with, if you don’t want to deal with plain nginx config files

    source
• Decronym@lemmy.decronym.xyz ⁨1⁩ ⁨year⁩ ago

  Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

  Fewer Letters	More Letters
  DNS	Domain Name Service/System
  HTTP	Hypertext Transfer Protocol, the Web
  IP	Internet Protocol
  SSL	Secure Sockets Layer, for transparent encryption
  nginx	Popular HTTP server

  ---

  [Thread #129 for this sub, first seen 11th Sep 2023, 03:25] [FAQ] [Full list] [Contact] [Source code]

  source
• giddy@aussie.zone ⁨1⁩ ⁨year⁩ ago

  I use Nginx Proxy Manager to reverse proxy all my services including Vaultwarden -

  Setup in NPM -

  Open Nginx Proxy Manager Admin Portal
  Click Proxy Hosts
  Click Add Proxy Host
  Fill in the details
      Details tab
          Domain Names - vault.your.domain
          Scheme - http
          Forward Hostname/IP - vaultwarden (this should be the name of your vw container)
          Forward Port - 80
          Tick Block Common Exploits
          Tick Websockets Support
          Access List - Publicly Accessible
      Custom locations tab
          Add the following locations
              location 1
                  location - /notifications/hub
                  Scheme - http
                  Forward Hostname/IP - vaultwarden
                  Forward Port - 3012
                  Click the cog symbol and add the following to the textbox that appears
                      proxy_set_header Upgrade $http_upgrade;
                      proxy_set_header Connection "upgrade";
                      proxy_set_header X-Real-IP $remote_addr;
              location 2
                  location - /notifications/hub/negotiate
                  Scheme - http
                  Forward Hostname/IP - vaultwarden
                  Forward Port - 80
                  Click the cog symbol and add the following to the textbox that appears
                      proxy_set_header Host $host;
                      proxy_set_header X-Real-IP $remote_addr;
                      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                      proxy_set_header X-Forwarded-Proto $scheme;
              location 3
                  location - /
                  Scheme - http
                  Forward Hostname/IP - vaultwarden
                  Forward Port - 80
                  Click the cog symbol and add the following to the textbox that appears
                      proxy_set_header Host $host;
                      proxy_set_header X-Real-IP $remote_addr;
                      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                      proxy_set_header X-Forwarded-Proto $scheme;
      SSL tab
          SSL Certificate - Request a new SSL Certificate
          tick Use a DNS Challenge (or just expose port 80 if you accept the risk)
          DNS Provider - Dynu (this is my dyndns provider)
          Credentials File Content - replace YOUR_DYNU_AUTH_TOKEN with the API key from https://www.dynu.com/en-US/ControlPanel/APICredentials
          Email Address for Let's Encrypt - your email
          Tick I Agree to the Let's Encrypt Terms of Service
  Click Save
  Vaultwarden should now be accessible via https://vault.your.domain
  

  source

  • Lobotomie@lemmy.world ⁨1⁩ ⁨year⁩ ago

    Can I send you a pm regarding my progress so far? I’m kind off stuck at configuring everything:/

    source