Spyke
selfhosted (Selfhosted by Lobotomie)

Vaultwarden using Docker Compose with existing Certificates

Hello Friends,

I have a small Ubuntu server and I finally also want to transfer my Vaultwarden instance to it. On this server I have several services running (Home Assistant, ...) and Certbot via Dehydrated (right now I get a certificate for my DuckDNS address). In some directory I have the privkey and fullchain files.

Now my problem is that when I start Vaultwarden it won't load over HTTPS.

I believe my problem is telling Vaultwarden where my certificate files are located so it can use them accordingly.

This is my compose file right now:

services:
  vaultwarden:
    container_name: vaultwarden
    image: vaultwarden/server:latest
    restart: unless-stopped
    volumes:
      # persistent Vaultwarden data (database, attachments, RSA keys)
      - /home/vaultwarden:/data/
      # my attempt at handing the certificate files to the container
      - /home/(directory to my certificates):/usr/share/ca-certificates/
    ports:
      - 8129:80
    environment:
      - DOMAIN=https://hurrdurr.duckdns.org
      - LOGIN_RATELIMIT_MAX_BURST=10
      - LOGIN_RATELIMIT_SECONDS=60
      - ADMIN_RATELIMIT_MAX_BURST=10
      - ADMIN_RATELIMIT_SECONDS=60
      - ADMIN_TOKEN=token
      - SENDS_ALLOWED=true
      - EMERGENCY_ACCESS_ALLOWED=true
      - WEB_VAULT_ENABLED=true
      - SIGNUPS_ALLOWED=true

The volume mapping to the certificates was just me trying it out, so maybe it's working if I map it like that.

If I open port 8129 in my browser it just times out. I also managed to get it to start, but it wouldn't let me register as there's no HTTPS certificate.

dandroid.app

Seconding a reverse proxy. Once you have it set up, it's trivial to add a subdomain, forward it to your internal port that your container is exposing, then use certbot or whatever to get a new certificate for that subdomain.

I just use apache because I heavily use it for work, so I already know it well. But lots of people swear by nginx as well. There are lots of other options as well.

6
lemmyvore
feddit.nl

No need to get a certificate for every subdomain, you can get a wildcard cert for *.your.domain.

3
Dandroid
dandroid.app

True. I did that for one of my domains, but it was really quite annoying to do with certbot, as you needed some sort of plugin.

1

It's fine with Let's Encrypt via the DNS-01 challenge; my lab typically only uses one wildcard certificate for all the services there unless I have a specific need to generate an individual cert for a service.

1

Thirding a reverse proxy. Probably Nginx Proxy Manager (NPM) is the easiest reverse proxy to get started with, if you don't want to deal with plain nginx config files.

1
lemmy.srcfiles.zip

Here's the secret to stuff like this:

Run a single reverse proxy / edge router for all of your containerised services.

I recommend Traefik - https://gitlab.com/Matt.Jolly/traefik-grafana-prometheus-docker

You can configure services with labels attached to the container and (almost) never expose ports directly. It also lets you host an arbitrary number of services listening on 80/443.

An example config might look like this:

# docker-compose.yml
version: '3.9'

services:
  bitwarden:
    image: vaultwarden/server:latest
    restart: always
    volumes:
      - /data/vaultwarden/:/data
    environment:
#      - ADMIN_TOKEN=
      - WEBSOCKET_ENABLED=true
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.bitwarden-ui-https.tls.certresolver=letsencrypt
      - traefik.http.middlewares.redirect-https.redirectScheme.scheme=https
      - traefik.http.middlewares.redirect-https.redirectScheme.permanent=true
      - traefik.http.routers.bitwarden-ui-https.rule=Host(`my.domain.com`)
      - traefik.http.routers.bitwarden-ui-https.entrypoints=websecure
      - traefik.http.routers.bitwarden-ui-https.tls=true
      - traefik.http.routers.bitwarden-ui-https.service=bitwarden-ui
      - traefik.http.routers.bitwarden-ui-http.rule=Host(`my.domain.com`)
      - traefik.http.routers.bitwarden-ui-http.entrypoints=web
      - traefik.http.routers.bitwarden-ui-http.middlewares=redirect-https
      - traefik.http.routers.bitwarden-ui-http.service=bitwarden-ui
      - traefik.http.services.bitwarden-ui.loadbalancer.server.port=80
      - traefik.http.routers.bitwarden-websocket-https.rule=Host(`my.domain.com`) && Path(`/notifications/hub`)
      - traefik.http.routers.bitwarden-websocket-https.entrypoints=websecure
      - traefik.http.routers.bitwarden-websocket-https.tls=true
      - traefik.http.routers.bitwarden-websocket-https.service=bitwarden-websocket
      - traefik.http.routers.bitwarden-websocket-http.rule=Host(`my.domain.com`) && Path(`/notifications/hub`)
      - traefik.http.routers.bitwarden-websocket-http.entrypoints=web
      - traefik.http.routers.bitwarden-websocket-http.middlewares=redirect-https
      - traefik.http.routers.bitwarden-websocket-http.service=bitwarden-websocket
      - traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012
6
emhl
feddit.de

Using traefik as your first reverse proxy might be a bit daunting. Caddy or "nginx reverse proxy" are much easier to configure.

5
lemmy.dbzer0.com

If you want it beginner friendly, I can recommend Nginx Proxy Manager, which is basically a web UI frontend for nginx. This has its own drawbacks, but makes setup very uncomplicated.

4
lemmy.world

I agree, very beginner friendly. But also, it's what most people are gonna need.

I actually started with Traefik because I didn't know any better, and I kinda wanna go back to be honest, because with Traefik I was able to configure a Minecraft server without having to expose the port. But not with NGINX Proxy Manager, since it only does http and shit. But I REALLY like being able to do everything via a webUI since I only have a phone to manage my server.

So, I find myself stuck between functionality and ease of use. :(

1

At the end of the day Traefik isn't that hard, especially if you know the core concepts; if you know both and have a need for Traefik I'd just use that everywhere.

1
lemmyvore
feddit.nl

Nginx Proxy Manager can do stream hosts, which are encrypted tunnels where you can put any kind of traffic, not just HTTP.

1

I've tried, but I wasn't able to get it working. I'll look into it again though, cuz I'd love to do it all through NPM.

1
lemmy.dbzer0.com

You should look into NPM Streams, they're built exactly for this purpose. It's included by default, just another type of host.

1

I've tried, but I wasn't able to get it working. I'll look into it again though, cuz I'd love to do it all through NPM.

1

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters    More Letters
DNS              Domain Name Service/System
HTTP             Hypertext Transfer Protocol, the Web
IP               Internet Protocol
SSL              Secure Sockets Layer, for transparent encryption
nginx            Popular HTTP server

5 acronyms in this thread; the most compressed thread commented on today has 13 acronyms.

[Thread #129 for this sub, first seen 11th Sep 2023, 03:25] [FAQ] [Full list] [Contact] [Source code]

1
aussie.zone

I use Nginx Proxy Manager to reverse proxy all my services including Vaultwarden -

Setup in NPM -

Open Nginx Proxy Manager Admin Portal
Click Proxy Hosts
Click Add Proxy Host
Fill in the details
    Details tab
        Domain Names - vault.your.domain
        Scheme - http
        Forward Hostname/IP - vaultwarden (this should be the name of your vw container)
        Forward Port - 80
        Tick Block Common Exploits
        Tick Websockets Support
        Access List - Publicly Accessible
    Custom locations tab
        Add the following locations
            location 1
                location - /notifications/hub
                Scheme - http
                Forward Hostname/IP - vaultwarden
                Forward Port - 3012
                Click the cog symbol and add the following to the textbox that appears
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection "upgrade";
                    proxy_set_header X-Real-IP $remote_addr;
            location 2
                location - /notifications/hub/negotiate
                Scheme - http
                Forward Hostname/IP - vaultwarden
                Forward Port - 80
                Click the cog symbol and add the following to the textbox that appears
                    proxy_set_header Host $host;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header X-Forwarded-Proto $scheme;
            location 3
                location - /
                Scheme - http
                Forward Hostname/IP - vaultwarden
                Forward Port - 80
                Click the cog symbol and add the following to the textbox that appears
                    proxy_set_header Host $host;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header X-Forwarded-Proto $scheme;
    SSL tab
        SSL Certificate - Request a new SSL Certificate
        tick Use a DNS Challenge (or just expose port 80 if you accept the risk)
        DNS Provider - Dynu (this is my dyndns provider)
        Credentials File Content - replace YOUR_DYNU_AUTH_TOKEN with the API key from https://www.dynu.com/en-US/ControlPanel/APICredentials
        Email Address for Let's Encrypt - your email
        Tick I Agree to the Let's Encrypt Terms of Service
Click Save
Vaultwarden should now be accessible via https://vault.your.domain
1
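The NPM steps above, written out as a plain nginx configuration. This is an added example, not config from any post in this thread: it does the same proxying NPM sets up through its web UI, but instead of requesting a new certificate it uses the fullchain/privkey files the original poster already gets from Dehydrated. The hostname, the certificate directory and the upstream name `vaultwarden` (the container name on a Docker network shared with the proxy) are assumptions, as is the upload size limit.

```nginx
# Added example, not from the thread. Assumed: certificates from dehydrated live in
# /etc/dehydrated/certs/hurrdurr.duckdns.org/ and are mounted read-only into the
# proxy container; Vaultwarden is reachable on the shared Docker network as "vaultwarden".

# Plain HTTP only redirects; nothing is served in clear text.
server {
    listen 80;
    server_name hurrdurr.duckdns.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name hurrdurr.duckdns.org;

    # The existing certificate: fullchain.pem (leaf + intermediates) and its private key.
    ssl_certificate     /etc/dehydrated/certs/hurrdurr.duckdns.org/fullchain.pem;
    ssl_certificate_key /etc/dehydrated/certs/hurrdurr.duckdns.org/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Attachments and Sends can be large; 525M is an assumed, generous limit.
    client_max_body_size 525M;

    # Location 1 from the NPM post: WebSocket notifications on port 3012.
    location /notifications/hub {
        proxy_pass http://vaultwarden:3012;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
    }

    # Location 2: the negotiate endpoint is plain HTTP on port 80.
    # nginx picks the longest matching prefix, so this wins over /notifications/hub.
    location /notifications/hub/negotiate {
        proxy_pass http://vaultwarden:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Location 3: everything else (web vault, API) on port 80.
    location / {
        proxy_pass http://vaultwarden:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this in front, the Vaultwarden container needs no `ports:` mapping at all; only the proxy listens on 80/443, and `DOMAIN` in the Vaultwarden environment should match the `server_name` here so generated links use the HTTPS URL. Because nginx reads the certificate files only at start or reload, Dehydrated's deploy hook has to trigger an nginx reload after each renewal, otherwise the proxy keeps serving the old certificate until it expires.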

Can I send you a PM regarding my progress so far? I'm kind of stuck at configuring everything :/

1
