77d9641323
Removed: `include conf.d/proxy-confs/proxy.conf;` lines because they're specific to user (shauder) and will break nginx if copy-pasted/don't exist. Changed: Moved listen value and server_name to top as is standard for nginx configs Changed: Commented out SSL config as it's specific to user (shauder) and will break if copy-pasted/don't exist. But is still useful and a good idea for simplifying nginx config. Changed: Rearranged location blocks because OCD. First /, then /notifications/hub, then /notifications/hub/negotiate because it looks nicer in a tree where each location grows.
# Proxy examples
In this document, `<SERVER>` refers to the IP address or domain name at which bitwarden_rs is reachable. If the proxy and bitwarden_rs run on the same system, simply use `localhost`.
The ports proxied by default are `80` for the web server and `3012` for the WebSocket server. The proxies are configured to listen on port `443` with HTTPS enabled, which is recommended.
When using a proxy, it is preferable to configure HTTPS at the proxy level rather than at the application level; that way the WebSocket connection is secured as well.
## Caddy
```nginx
# Caddy v1 Caddyfile syntax: the `proxy` directive was replaced by
# `reverse_proxy` in Caddy v2, so this block will not load on v2 as-is.
localhost:443 {
    # The negotiation endpoint is also proxied to Rocket.
    # It is a plain HTTP call, so it goes to the web server port rather than
    # the WebSocket port. Caddy v1 routes by longest matching base path, so
    # this rule wins over the /notifications/hub rule below regardless of order.
    proxy /notifications/hub/negotiate <SERVER>:80 {
        # `transparent` forwards Host, X-Real-IP, X-Forwarded-For and
        # X-Forwarded-Proto so the upstream sees the original client.
        transparent
    }

    # Notifications redirected to the websockets server
    proxy /notifications/hub <SERVER>:3012 {
        # `websocket` passes the Connection/Upgrade headers through so the
        # upgrade handshake reaches the backend.
        websocket
    }

    # Proxy the Root directory to Rocket
    proxy / <SERVER>:80 {
        transparent
    }

    # ${SSLCERTIFICATE} / ${SSLKEY} are placeholders for the certificate and
    # private key paths; substitute real paths.
    tls ${SSLCERTIFICATE} ${SSLKEY}
}
```
## Nginx (by shauder)
```nginx
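server {
    listen 443 ssl http2;
    server_name vault.*;

    # Specify SSL config if using a shared one.
    # `listen ... ssl` requires ssl_certificate and ssl_certificate_key to be
    # defined somewhere (in the included file or inline); nginx refuses to
    # start without them.
    #include conf.d/ssl/ssl.conf;
    #ssl_certificate     /path/to/fullchain.pem;   # placeholder path
    #ssl_certificate_key /path/to/privkey.pem;     # placeholder path

    # Web vault and API are served by Rocket on port 80.
    location / {
        proxy_pass http://<SERVER>:80;
        # Forward the original Host and client address so the upstream (and
        # its logs) see the real client rather than the proxy.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # WebSocket notifications server. nginx talks HTTP/1.0 to upstreams by
    # default and the Upgrade handshake only works over HTTP/1.1, so
    # proxy_http_version is required alongside the two Upgrade headers.
    location /notifications/hub {
        proxy_pass http://<SERVER>:3012;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # proxy_set_header is not inherited once a location defines its own,
        # so the forwarding headers are repeated here.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # The negotiate endpoint is a plain HTTP call answered by Rocket, not the
    # WebSocket server; the longer prefix wins over /notifications/hub above.
    location /notifications/hub/negotiate {
        proxy_pass http://<SERVER>:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}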
```
## Apache (by fbartels)
```apache
# Requires mod_ssl, mod_rewrite, mod_proxy, mod_proxy_http and
# mod_proxy_wstunnel (for the ws:// target used below).
<VirtualHost *:443>
    SSLEngine on
    # NOTE(review): $hostname/$domainname and the ${...} values below look like
    # placeholders from the contributor's deployment template rather than Apache
    # variables — substitute the real host name, certificate, key and CA paths.
    ServerName bitwarden.$hostname.$domainname

    SSLCertificateFile ${SSLCERTIFICATE}
    SSLCertificateKeyFile ${SSLKEY}
    SSLCACertificateFile ${SSLCA}
    # Presumably expands to a chain directive in the template; on its own this
    # is not a valid Apache directive — confirm or remove.
    ${SSLCHAIN}

    # The backslash before ${APACHE_LOG_DIR} is likely an escaping artifact of
    # the template; Apache expects ${APACHE_LOG_DIR} verbatim.
    ErrorLog \${APACHE_LOG_DIR}/bitwarden-error.log
    CustomLog \${APACHE_LOG_DIR}/bitwarden-access.log combined

    # Any request carrying `Upgrade: websocket`, on any path, is proxied ([P])
    # to the WebSocket server; everything else falls through to ProxyPass.
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*) ws://<SERVER>:3012/$1 [P,L]

    # Web vault and API served by Rocket on port 80.
    ProxyPass / http://<SERVER>:80/

    # Pass the client's Host header to the backend unchanged.
    ProxyPreserveHost On
    # Keep forward proxying disabled; only the reverse-proxy rules above apply.
    ProxyRequests Off
</VirtualHost>
```
## Traefik (docker-compose example)
```yaml
# Traefik 1.x label syntax (`traefik.frontend.rule=...`); Traefik 2.x uses
# `traefik.http.routers.*` labels instead.
labels:
  # Default frontend: the whole host goes to the web server port.
  # Replace vault.example.local with the real host name.
  - 'traefik.frontend.rule=Host:vault.example.local'
  - 'traefik.docker.network=traefik'
  - 'traefik.port=80'
  - 'traefik.enable=true'
  # Segment labels (web / hub / negotiate) route specific paths to different
  # container ports of the same service.
  - 'traefik.web.frontend.rule=Host:vault.example.local'
  - 'traefik.web.port=80'
  # WebSocket notifications server.
  - 'traefik.hub.frontend.rule=Path:/notifications/hub'
  - 'traefik.hub.port=3012'
  # The negotiate call is plain HTTP answered by Rocket, so it must reach the
  # web server port rather than the WebSocket port.
  - 'traefik.negotiate.frontend.rule=Path:/notifications/hub/negotiate'
  - 'traefik.negotiate.port=80'
```