Initial account creation

I’m currently trying to set up Bitwarden. I’m using Caddy 2.0 as a reverse proxy from a domain I bought and thus used the docker-compose file and Caddyfile from GitHub - sosandroid/docker-bitwarden_rs-caddy-synology (Docker compose for Bitwarden_rs with Caddy on Synology) as a basis. However, the guide there seems to be a bit outdated, so now I’m not sure how to proceed.

I’ve got bitwarden working insofar as when I go to <my.domain.tld>, I get redirected to a page that says “Bitwarden” in plain text and nothing else.

I’ve looked at a few different guides on how to create the initial account. Most of them tell me to define a different port in the docker-compose.yml first and sign up via the local IP and port. However, when I try to do this, no matter the browser, I get various errors when pressing the “Submit” button on the register page that indicate that I’d have to use HTTPS. However, for this I’d need my reverse proxy with Caddy from which I can’t access the login/signup page.

I’ve also tried enabling the admin page to send myself an invitation from there but am quite honestly lost with how to set up the SMTP. I’d probably have to send it from my own email address?

I’m not even sure if the bitwarden page after the reverse proxy should even only say “Bitwarden”.

I’d appreciate some guidance on how to proceed. Below you can find my docker-compose.yml and Caddyfile.

Thanks in advance.

docker-compose.yml:

services:
  bitwarden:
    image: bitwardenrs/server
    container_name: bitwarden
    restart: always
    #ports: # Only had this active when trying to connect directly without Caddy
    # - 60888:80
    volumes:
     - ~/volumes/bitwarden/data:/data
    environment:
     # Timezone settings, important for Fail2ban to work
     - TZ=Europe/Berlin
     # Logging connection attempts
     # - LOG_FILE=/data/bitwarden.log
     # Compose passes list-style values verbatim, so quotes around true/false
     # would reach the container as part of the value; keep them unquoted.
     - EXTENDED_LOGGING=true
     - LOG_LEVEL=warn
     # Beef up a bit
     - ROCKET_WORKERS=20
     - WEBSOCKET_ENABLED=true
     # Hardening a bit
     - SIGNUPS_ALLOWED=true
     #- DISABLE_ADMIN_TOKEN=true
     - ADMIN_TOKEN=[TOKEN]
     #- SHOW_PASSWORD_HINT=false
     #- DISABLE_ICON_DOWNLOAD=true

  caddy:
    image: caddy
    container_name: caddy
    restart: always
    ports:
     - 8080:80
     - 8443:443
    volumes:
     - ~/Caddyfile:/etc/caddy/Caddyfile
     - ~/site:/srv
     - ~/volumes/caddy/data:/data
     - ~/volumes/caddy/config:/config
    environment:
     - ACME_AGREE=true

Caddyfile:

my.domain.tld {
    encode zstd gzip

    header / {
        # Enable HTTP Strict Transport Security (HSTS)
        Strict-Transport-Security "max-age=31536000;"
        # Enable cross-site filter (XSS) and tell browser to block detected attacks
        X-XSS-Protection "1; mode=block"
        # Disallow the site to be rendered within a frame (clickjacking protection)
        X-Frame-Options "DENY"
        # Prevent search engines from indexing
        X-Robots-Tag "none"
    }

    reverse_proxy /notifications/hub/negotiate bitwarden:80
    reverse_proxy /notifications/hub bitwarden:3012
    reverse_proxy / bitwarden:80
}

You need reverse_proxy bitwarden:80 instead of reverse_proxy / bitwarden:80.

See the Caddy 2.x example at

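Why dropping the `/` fixes it, as an added illustration that is not from the thread or from Caddy itself: in Caddy 2 a path matcher without a trailing `*` matches the request path exactly, so `reverse_proxy / bitwarden:80` forwards only the bare root path and every other path the web vault and the clients request hits no route. The script below models Caddy 2's path-matcher and route-ordering rules in Python against the three routes from the Caddyfile above; the sample request paths are constructed, not taken from the thread.

```python
# Added example, not code from the thread or from Caddy: a minimal model of how
# Caddy 2 matches request paths and orders reverse_proxy routes, applied to the
# three routes in the Caddyfile above. Only trailing-'*' wildcards are modelled.

# (path matcher or None for "no matcher", upstream), as written in the thread.
ORIGINAL_ROUTES = [
    ("/notifications/hub/negotiate", "bitwarden:80"),
    ("/notifications/hub", "bitwarden:3012"),
    ("/", "bitwarden:80"),          # matches ONLY the bare root path
]
FIXED_ROUTES = [
    ("/notifications/hub/negotiate", "bitwarden:80"),
    ("/notifications/hub", "bitwarden:3012"),
    (None, "bitwarden:80"),         # no matcher: catches every other path
]

# Constructed sample request paths (illustrative of what the web vault and
# the apps ask for; not taken from the thread).
SAMPLE_PATHS = ["/", "/app/main.js", "/api/accounts/register",
                "/notifications/hub", "/notifications/hub/negotiate"]


def path_matches(pattern: str, path: str) -> bool:
    """Caddy 2 path matcher: exact match unless the pattern ends in '*',
    in which case everything before the '*' is treated as a prefix."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def route_for(routes, path: str):
    """Return the upstream the request is proxied to, or None if no route
    matches. Like the Caddyfile adapter, routes for the same directive are
    tried longest path matcher first, with matcherless routes last."""
    ordered = sorted(routes, key=lambda r: -len(r[0] or ""))
    for matcher, upstream in ordered:
        if matcher is None or path_matches(matcher, path):
            return upstream
    return None


def unproxied_paths(routes, paths) -> list:
    """Paths that fall through every route and never reach bitwarden_rs."""
    return [p for p in paths if route_for(routes, p) is None]


if __name__ == "__main__":
    for label, routes in (("original", ORIGINAL_ROUTES), ("fixed", FIXED_ROUTES)):
        for p in SAMPLE_PATHS:
            print(f"{label:8} {p:32} -> {route_for(routes, p)}")
```

The same exact-match rule applies to the `header /` block in the Caddyfile above, so those security headers are only added to responses for the root path; `header {` without a matcher applies them to every response.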

Thanks a lot! I’d missed that one. Now it’s working.