Hello Friends,
I have a small ubuntu Server and I finally also want to transfer my Vaultwarden Instance to it. On this Server I have several services running (homeassistant, …) and Certbot via Dehydrated (right now I get a certificate for my duckdns address). In some directory I have the privkey and fullchain files.
Now my Problem is that when I start vaultwarden it wont load as https.
I believe, my Problem is telling Vaultwarden, where my certificate files are located so it can use them accordingly.
This is my Compose File right now:
vaultwarden:
container_name: vaultwarden
image: vaultwarden/server:latest
restart: unless-stopped
volumes:
- /home/vaultwarden:/data/
- /home/(directory to my certificates):/usr/share/ca-certificates/
ports:
- 8129:80
environment:
- DOMAIN=https://hurrdurr.duckdns.org
- LOGIN_RATELIMIT_MAX_BURST=10
- LOGIN_RATELIMIT_SECONDS=60
- ADMIN_RATELIMIT_MAX_BURST=10
- ADMIN_RATELIMIT_SECONDS=60
- ADMIN_TOKEN=token
- SENDS_ALLOWED=true
- EMERGENCY_ACCESS_ALLOWED=true
- WEB_VAULT_ENABLED=true
- SIGNUPS_ALLOWED=true
The Volume Mapping to the certificates was just me trying it out so maybe its working if I map it like that.
If I open the 8129 in my Browser it will just time out. I also managed it to start but it wouldnt let me register as theres not https certificate.
Here’s the secret to stuff like this:
Run a single reverse proxy / edge router for all of your containerised services.
I recommend Traefik - https://gitlab.com/Matt.Jolly/traefik-grafana-prometheus-docker
You can configure services with labels attached to the container and (almost) never expose ports directly. It also lets you host an arbitrary number of services listening on 80/443.
An example config might look like this:
# docker-compose.yml version: '3.9' services: bitwarden: image: vaultwarden/server:latest restart: always volumes: - /data/vaultwarden/:/data environment: # - ADMIN_TOKEN= - WEBSOCKET_ENABLED=true networks: - proxy labels: - traefik.enable=true - traefik.http.routers.bitwarden-ui-https.tls.certresolver=letsencrypt - traefik.http.middlewares.redirect-https.redirectScheme.scheme=https - traefik.http.middlewares.redirect-https.redirectScheme.permanent=true - traefik.http.routers.bitwarden-ui-https.rule=Host(`my.domain.com`) - traefik.http.routers.bitwarden-ui-https.entrypoints=websecure - traefik.http.routers.bitwarden-ui-https.tls=true - traefik.http.routers.bitwarden-ui-https.service=bitwarden-ui - traefik.http.routers.bitwarden-ui-http.rule=Host(`my.domain.com`) - traefik.http.routers.bitwarden-ui-http.entrypoints=web - traefik.http.routers.bitwarden-ui-http.middlewares=redirect-https - traefik.http.routers.bitwarden-ui-http.service=bitwarden-ui - traefik.http.services.bitwarden-ui.loadbalancer.server.port=80 - traefik.http.routers.bitwarden-websocket-https.rule=Host(`my.domain.com) && Path(`/notifications/hub`) - traefik.http.routers.bitwarden-websocket-https.entrypoints=websecure - traefik.http.routers.bitwarden-websocket-https.tls=true - traefik.http.routers.bitwarden-websocket-https.service=bitwarden-websocket - traefik.http.routers.bitwarden-websocket-http.rule=Host(`my.domain.com`) && Path(`/notifications/hub`) - traefik.http.routers.bitwarden-websocket-http.entrypoints=web - traefik.http.routers.bitwarden-websocket-http.middlewares=redirect-https - traefik.http.routers.bitwarden-websocket-http.service=bitwarden-websocket - traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012
Using traefik as your first reverse proxy might be a bit daunting. Caddy or “nginx reverse proxy” are much easier to configure.
If you want it beginner friendly, I can recommend nginx proxy Manager, which is basically a web ui frontend for nginx. This has its own drawbacks, but makes setup very uncomplicated.