ERR_CONNECTION_REFUSED when opening the web-page

Hi everyone! I’ve deleted my previous topic. I have to run the command docker-compose up with the -d argument; now docker-compose runs smoothly, but when I try to reach the IP of the machine I’m getting ERR_CONNECTION_REFUSED instead of the Vaultwarden sign-in page.

As I can see, the caddy container does not start:

user@vaultwarden:/opt/vaultwarden$ docker ps
CONTAINER ID   IMAGE                       COMMAND                  CREATED         STATUS                            PORTS                                                                                NAMES
e94c5574873b   vaultwarden/server:latest   "/usr/bin/dumb-init …"   2 minutes ago   Up 2 minutes (health: starting)   80/tcp, 3012/tcp                                                                     vaultwarden
d071c404f99f   caddy:2                     "caddy run --config …"   2 minutes ago   Up 2 minutes                      0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp, 2019/tcp   caddy

Here are the logs:

user@vaultwarden:/opt/vaultwarden$ docker logs caddy
{"level":"info","ts":1659356690.3819506,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1659356690.384069,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["//127.0.0.1:2019","//localhost:2019","//[::1]:2019"]}
{"level":"warn","ts":1659356690.3842514,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":80}
{"level":"info","ts":1659356690.3846161,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1659356690.3846753,"msg":"serving initial configuration"}
{"level":"info","ts":1659356690.384922,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0005b0ee0"}
{"level":"info","ts":1659356690.3850062,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1659356690.385043,"logger":"tls","msg":"finished cleaning storage units"}

Here’s my docker-compose file:

version: '3'

services:
  bitwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      - WEBSOCKET_ENABLED=true
      - SIGNUPS_ALLOWED=true
      - DOMAIN=https://vwardn.duckdns.org
      - SMTP_HOST=smtp.gmail.com
      - SMTP_FROM=*******@gmail.com
      - SMTP_PORT=465
      - SMTP_SECURITY=starttls
      - SMTP_USERNAME=******@gmail.com
      - SMTP_PASSWORD=******
      - ADMIN_TOKEN=********

    volumes:
      - ./bw-data:/data

  caddy:
    image: caddy:2
    container_name: caddy
    restart: always
    ports:
      - 80:80  # Needed for the ACME HTTP-01 challenge.
      - 443:443
    volumes:
      - ./Caddyfile:/opt/vaultwarden/Caddyfile:ro
      - ./caddy-config:/config
      - ./caddy-data:/data
    environment:
      - DOMAIN=https://vwardn.duckdns.org
      - EMAIL=******@gmail.com       # The email address to use for ACME registration.
      - LOG_FILE=/data/access.log
      - - DUCKDNS_TOKEN=***************************
      - SSL_CERT_PATH=/opt/vaultwarden/.lego/certificates/vwardn.duckdns.org.crt
      - SSL_KEY_PATH=/opt/vaultwarden/.lego/certificates/ vwardn.duckdns.org.key

And the Caddyfile:

{$DOMAIN}:443 {
  log {
    level INFO
    output file {$LOG_FILE} {
      roll_size 10MB
      roll_keep 10
    }
  }

  # Get a cert by using the ACME HTTP-01 challenge.
  tls {/opt/vaultwarden/.lego/certificates/vwardn.duckdns.org.crt} {/opt/vaultwarden/.lego/certificates/ vwardn.duckdns.org.key}

  encode gzip

  # Headers to improve security.
  header {
  # Enable HSTS
  Strict-Transport-Security "max-age=31536000;"

  # Enable cross-site filter (XSS)
  X-XSS-Protection "1; mode=block"

  # Disallow the site to be rendered within a frame (clickjacking protection)
  X-Frame-Options "DENY"

  # Prevent search engines from indexing
  X-Robots-Tag "none"

  # Remove Caddy branding
  -Server
  }

  # Redirect notifications to the WebSocket.
  reverse_proxy /notifications/hub vaultwarden:3012

  reverse_proxy localhost:80 {
       header_up X-Real-IP {remote_host}
  }
}

I’m not specifically familiar with Caddy, but I see a few potential issues:

  1. Space in the path in front of the key filename in two places
  2. Extra level indent on DUCKDNS_TOKEN “- -”
  3. The reverse proxy entry for port 80 should probably be vaultwarden:80 - the other container, not localhost.
  4. I think your {$DOMAIN} needs to be just the fqdn, not the https:// url in the caddy config
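
As an added example (not part of any post in this thread), here is a small Python lint that checks for the first three mistakes listed in the reply above and also compares the Caddyfile mount target in the compose file with the `config_file` path Caddy reports in its startup log, which in the posted output is `/etc/caddy/Caddyfile` while the compose file mounts the Caddyfile at `/opt/vaultwarden/Caddyfile`. The function names and finding codes are assumptions, and the sample input is constructed, abridged from the files posted above.

```python
import json
import re

# Constructed sample input, abridged from the compose file, Caddyfile and log posted above.
COMPOSE = """\
    volumes:
      - ./Caddyfile:/opt/vaultwarden/Caddyfile:ro
    environment:
      - - DUCKDNS_TOKEN=placeholder
      - SSL_KEY_PATH=/opt/vaultwarden/.lego/certificates/ vwardn.duckdns.org.key
"""
CADDYFILE = "reverse_proxy localhost:80 {\n  header_up X-Real-IP {remote_host}\n}\n"
CADDY_LOG = '{"level":"info","msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile"}'


def loaded_config(log_text):
    """Return the config_file path Caddy reports in its JSON startup log."""
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # not a JSON log line
        if isinstance(entry, dict) and "config_file" in entry:
            return entry["config_file"]
    return None


def lint(compose, caddyfile, log_text):
    """Return (code, detail) findings for the mistakes discussed in this thread."""
    findings = []
    for n, line in enumerate(compose.splitlines(), 1):
        item = line.strip()
        if re.match(r"-\s+-\s", item):  # "- - VAR=..." nests a list in a list
            findings.append(("double-dash", f"compose line {n}"))
        m = re.match(r"(?:-\s+)+\w+=(.*)", item)
        if m and re.search(r"/\s+\S", m.group(1).split("#")[0]):
            findings.append(("space-in-path", f"compose line {n}"))
    for n, line in enumerate(caddyfile.splitlines(), 1):
        # Inside the caddy container, localhost is the caddy container itself.
        if re.match(r"\s*reverse_proxy\s+(\S+\s+)?(localhost|127\.0\.0\.1)[:\s]", line):
            findings.append(("proxy-to-localhost", f"Caddyfile line {n}"))
    loaded = loaded_config(log_text)
    targets = re.findall(r"-\s+[^:\s]*Caddyfile:([^:\s]+)", compose)
    if loaded and targets and loaded not in targets:
        findings.append(("caddyfile-not-loaded", f"mounted at {targets[0]}, Caddy read {loaded}"))
    return findings
```
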

I am seeing the same issue. Followed all the instructions here but with no luck:

All of these layers of obfuscation (Docker, Caddy, etc.) just make running Vaultwarden unnecessarily complicated and fragile. Is there a way to just run Vaultwarden without all of these extra layers?

I realized that my Eero router is not correctly forwarding ports 80 and 443. Once I picked a different external port (i.e. 4443), then everything started working just fine. I have a ticket opened with Eero support about this.