Blank page after setting up Vaultwarden

Hey there

Selfhoster here running Ubuntu 20.04.4 LTS.
Cloudflare with a custom domain
Running it privately (not published to the internet) for now…
Trying to deploy everything via 1 docker compose file (docker stack deploy -c deploy.yml vaultwarden):

version: '3'

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      - WEBSOCKET_ENABLED=true  # Enable WebSocket notifications.
    volumes:
      - /EVO500/AppsConfig/vaultwarden/vaultwarden_data:/data

  caddy:
    image: caddy:2
    container_name: caddy
    restart: always
    ports:
      - 80:80  # Needed for the ACME HTTP-01 challenge.
      - 443:443
    volumes:
      - /EVO500/AppsConfig/vaultwarden/caddy_custombuildwithdns:/usr/bin/caddy
      - /EVO500/AppsConfig/vaultwarden/caddy_data/Caddyfile:/etc/caddy/Caddyfile:ro
      - /EVO500/AppsConfig/vaultwarden/caddy_data/config:/config
      - /EVO500/AppsConfig/vaultwarden/caddy_data/data:/data
    environment:
      - DOMAIN=https://vault.mydomain.be  # Your domain.
      - EMAIL=hahalolno@gmail.com                 # The email address to use for ACME registration.
      - LOG_FILE=/data/access.log
      - DOMAIN=vault.mydomain.be
      - CLOUDFLARE_API_TOKEN=yeahright:)
  cloudflare-ddns:
     image: oznu/cloudflare-ddns:latest
     restart: always
     environment:
       - API_KEY=yeahright:)
       - ZONE=mydomain.be
       - SUBDOMAIN=vault
       - PROXIED=false

The containers are coming up fine and when I browse to vault.mydomain.be I am greeted with a secured page but it’s blank.

Let’s Encrypt seems to work, I can see validation records getting created in the audit log on Cloudflare.

In the logging of the container for Caddy I am seeing:

{"level":"info","ts":1646427844.1201797,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1646427844.1224928,"msg":"input is not formatted with 'caddy fmt'","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1646427844.123523,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
{"level":"info","ts":1646427844.1237297,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1646427844.123745,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1646427844.124155,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["vault.mydomain.be"]}
{"level":"info","ts":1646427844.124939,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1646427844.1249516,"msg":"serving initial configuration"}
{"level":"info","ts":1646427844.1250691,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1646427844.1257076,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1646427844.125778,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000498690"}
{"level":"error","ts":1646427959.4079003,"logger":"http.log.error","msg":"dial tcp 127.0.0.1:8080: connect: connection refused","request":{"remote_addr":"10.0.0.2:53439","proto":"HTTP/2.0","method":"GET","host":"vault.mydomain.be","uri":"/","headers":{"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0"],"Accept-Language":["en-US,en;q=0.5"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Site":["none"],"Sec-Gpc":["1"],"Cache-Control":["max-age=0"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"],"Accept-Encoding":["gzip, deflate, br"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-User":["?1"],"Dnt":["1"],"Te":["trailers"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","proto_mutual":true,"server_name":"vault.mydomain.be"}},"duration":0.001146728,"status":502,"err_id":"7nejawrra","err_trace":"reverseproxy.statusError (reverseproxy.go:886)"}{"level":"info","ts":1646427844.1201797,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1646427844.1224928,"msg":"input is not formatted with 'caddy fmt'","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1646427844.123523,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
{"level":"info","ts":1646427844.1237297,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1646427844.123745,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1646427844.124155,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["vault.mydomain.be"]}
{"level":"info","ts":1646427844.124939,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1646427844.1249516,"msg":"serving initial configuration"}
{"level":"info","ts":1646427844.1250691,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1646427844.1257076,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1646427844.125778,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000498690"}
{"level":"error","ts":1646427959.4079003,"logger":"http.log.error","msg":"dial tcp 127.0.0.1:8080: connect: connection refused","request":{"remote_addr":"10.0.0.2:53439","proto":"HTTP/2.0","method":"GET","host":"vault.mydomain.be","uri":"/","headers":{"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0"],"Accept-Language":["en-US,en;q=0.5"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Site":["none"],"Sec-Gpc":["1"],"Cache-Control":["max-age=0"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"],"Accept-Encoding":["gzip, deflate, br"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-User":["?1"],"Dnt":["1"],"Te":["trailers"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","proto_mutual":true,"server_name":"vault.mydomain.be"}},"duration":0.001146728,"status":502,"err_id":"7nejawrra","err_trace":"reverseproxy.statusError (reverseproxy.go:886)"}

The error message in the logs points to a proxy misconfiguration:

dial tcp 127.0.0.1:8080: connect: connection refused

What runs on 127.0.0.1:8080? The relevant ports for the vaultwarden container should be 80 for HTTP requests and 3012 for the websockets if you have not changed anything. According to the wiki your Caddyfile should contain something like this:

  # Notifications redirected to the WebSocket server
  reverse_proxy /notifications/hub vaultwarden:3012

  # Proxy everything else to Rocket
  reverse_proxy vaultwarden:80
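
Added example (not part of the original thread, the Vaultwarden wiki or Caddy itself): a small triage script for Caddy's JSON log that groups reverse-proxy dial failures by upstream and flags loopback upstreams, which inside the caddy container point at the container itself rather than at the vaultwarden service. The sample lines are constructed, trimmed from the shape of the log posted above; the function names are hypothetical.

```python
import ipaddress
import json
import re

# Constructed sample lines, trimmed from the shape of the Caddy log in the question.
SAMPLE_LOG = """\
{"level":"info","ts":1646427844.1249516,"msg":"serving initial configuration"}
{"level":"error","ts":1646427959.4079003,"logger":"http.log.error","msg":"dial tcp 127.0.0.1:8080: connect: connection refused","request":{"method":"GET","host":"vault.mydomain.be","uri":"/"},"status":502}
{"level":"error","ts":1646427960.1,"logger":"http.log.error","msg":"dial tcp 127.0.0.1:8080: connect: connection refused","request":{"method":"GET","host":"vault.mydomain.be","uri":"/notifications/hub"},"status":502}
not json at all
"""

DIAL_RE = re.compile(r"dial tcp (?P<host>\[[^\]]+\]|[^:\s]+):(?P<port>\d+): (?P<reason>.+)$")


def is_loopback(host):
    """True when the upstream is the proxy container's own loopback interface."""
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False  # not an IP literal, e.g. a compose service name


def find_dial_failures(log_text):
    """Group reverse-proxy dial errors by upstream address."""
    failures = {}
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip anything that is not a JSON log record
        if not isinstance(entry, dict) or entry.get("logger") != "http.log.error":
            continue
        match = DIAL_RE.search(entry.get("msg", ""))
        if not match:
            continue
        upstream = f"{match['host']}:{match['port']}"
        item = failures.setdefault(upstream, {
            "loopback": is_loopback(match["host"]), "reason": match["reason"],
            "status": entry.get("status"), "uris": []})
        item["uris"].append(entry.get("request", {}).get("uri"))
    return failures


if __name__ == "__main__":
    for upstream, info in find_dial_failures(SAMPLE_LOG).items():
        print(upstream, "loopback" if info["loopback"] else "remote", info["reason"], info["uris"])
```

A loopback upstream reported here means the `reverse_proxy` target in the Caddyfile should be the compose service name and container port instead, as in the snippet above.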