Can't access Vaultwarden behind traefik

Description: I tried to access vaultwarden behind my reverse proxy (Traefik) but it did not work and I kept getting an 404 page error when going to the domain. I opened port 8888 on my network and mapped it to port 80 on the container and I think I used the corret labels for vaultwarden.

I masked my actual domain with vault.example.com for security reasons.

I would like to also say that I used this guide as a template to build the docker-compose file.

Vaultwarden docker-compose file:

version: "3"

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    hostname: vaultwarden
    restart: unless-stopped
    env_file: .env
    dns:
      - 1.1.1.1
    environment:
      - ADMIN_TOKEN=$ADMIN_TOKEN
      - SIGNUPS_ALLOWED=true
      - SIGNUPS_VERIFY=true
      - INVITATIONS_ALLOWED=true
      - LOG_FILE=/data/logs/access.log
      - WEBSOCKET_ENABLED=true
      - ROCKET_ENV=prod
      - ROCKET_WORKERS=10
      - LOG_LEVEL=error
      - EXTENDED_LOGGING=true
      - PUSH_ENABLED=true
      - PUSH_INSTALLATION_ID=$PUSH_INSTALLATION_ID
      - PUSH_INSTALLATION_KEY=$PUSH_INSTALLATION_KEY
    ports:
      - 8888:80
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.docker.network=proxy
      - traefik.http.routers.vaultwarden.rule=Host(`vault.example.com`)
      - traefik.http.routers.vaultwarden.service=vaultwarden
      - traefik.http.services.vaultwarden.loadbalancer.server.port=80
      - traefik.http.routers.vaultwarden-ws.rule=Host(`vault.example.com`) && Path(`/notifications/hub`)
      - traefik.http.routers.vaultwarden-ws.service=vaultwarden-ws
      - traefik.http.services.vaultwarden-ws.loadbalancer.server.port=3012
      - traefik.http.routers.vaultwarden-admin.rule=Host(`vault.example.com`) && Path(`/admin`)
      - traefik.http.routers.vaultwarden-admin.service=vaultwarden
      - traefik.http.services.vaultwarden-admin.loadbalancer.server.port=80
      - traefik.http.routers.vaultwarden-admin.middlewares=authelia@docker

    volumes:
      - ./data:/data
      - ./logs:/data/logs

  vaultwarden-backup:
    image: bruceforce/vaultwarden-backup:latest
    container_name: vaultwarden-backup
    hostname: vaultwarden-backup
    restart: always
    init: true
    depends_on:
      - vaultwarden
    volumes:
      - ./data:/data/
      - ./backup:/myBackup
    #networks:
    #  - proxy
    environment:
      - TIMESTAMP=true
      - DELETE_AFTER=30
      - UID=0
      - GID=1000
      - TZ=Europe/London
      - BACKUP_DIR=/myBackup
      - CRON_TIME=00 5 * * *

networks:
  proxy:
    external: true

Hi mate, that won’t work. Exposing a port is useless as Traefik is going to handle all traffic.

You passed Port 80 to traefik. Now you’ll need to check what port is being exposed with traefik to the internet for accessing vaultwarden.

Yep, i have updated my docker-compose file to remove the part about ports. I tried to spin up vaultwarden and access it with my domain but that doesn’t work and leads to a 404 page not found.

Here is my updated docker-compose:

version: "3"

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    hostname: vaultwarden
    restart: unless-stopped
    env_file: .env
    environment:
      - ADMIN_TOKEN=$ADMIN_TOKEN
      - SIGNUPS_ALLOWED=true
      - SIGNUPS_VERIFY=true
      - INVITATIONS_ALLOWED=true
      - LOG_FILE=/data/logs/access.log
      - ROCKET_ENV=prod
      - ROCKET_WORKERS=10
      - LOG_LEVEL=error
      - EXTENDED_LOGGING=true
      - PUSH_ENABLED=true
      - PUSH_INSTALLATION_ID=$PUSH_INSTALLATION_ID
      - PUSH_INSTALLATION_KEY=$PUSH_INSTALLATION_KEY
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"

      - "traefik.http.routers.vaultwarden-secure.rule=Host(`vault.example.com`)"
      - "traefik.http.routers.vaultwarden-secure.service=vaultwarden"
      - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"

      - "traefik.http.routers.vaultwarden-admin.rule=Host(`vault.example.com`) && Path(`/admin`)"
      - "traefik.http.routers.vaultwarden-admin.service=vaultwarden"
      - "traefik.http.services.vaultwarden-admin.loadbalancer.server.port=80"

      - "traefik.http.routers.vaultwarden-admin.middlewares=authelia@docker"
    volumes:
      - ./data:/data
      - ./logs:/data/logs

  vaultwarden-backup:
    image: bruceforce/vaultwarden-backup:latest
    container_name: vaultwarden-backup
    hostname: vaultwarden-backup
    restart: always
    init: true
    depends_on:
      - vaultwarden
    volumes:
      - ./data:/data/
      - ./backup:/myBackup
    networks:
      - proxy
    environment:
      - TIMESTAMP=true
      - DELETE_AFTER=30
      - UID=0
      - GID=1000
      - TZ=Europe/London
      - BACKUP_DIR=/myBackup
      - CRON_TIME=00 5 * * *

networks:
  proxy:
    external: true

Update: I have now got this fixed, i just had to add the domain the my authelia configuration and add 2 labels which were:

      - "traefik.http.routers.vaultwarden-secure.tls=true"
      - "traefik.http.routers.vaultwarden-secure.entrypoints=https"

I appreciate all the help, and thank you!

Do I need to add these two lines to the above? Or how should I understand this

Yep, you have to add those labels with the labels I posted above.

Thanks
Where can I get the admin token

ADMIN_TOKEN=$ADMIN_TOKEN

The admin token is not needed and is only used for enabling the admin page.

The documentation for it is here if you want to look at it: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page