Is it possible to allow http for the webvault for a specific network like my LAN?

Hey beautiful vaultwarden people,
I finally got vaultwarden and all my other stuff running, and finally understood enough Docker, Linux and such to keep me running. :metal:

My setup is running behind the Caddy 2 web server and is reverse proxied to a Cloudflare domain.
Since I let Caddy handle everything, I use port 80 on the container, which doesn't give me HTTPS on my local network, only on my public domain. Is there a way to set an exception to allow using the web vault over HTTP? Right now my Bitwarden browser extension is connected to that IP via HTTP and it's working, so why am I getting blocked at the web vault?

Thanks for your replies and have a good day! :slight_smile:

Web browsers block any JavaScript crypto API calls when not on HTTPS.
The only exception is for 127.0.0.1 or localhost.

There is nothing to do about that as far as I know, since that would be a security risk.

The only way would be to make your environment available via localhost in some way.

But, since you are using Caddy, I would suggest getting a custom domain, or using a dynamic DNS service, and configuring Caddy to use Let's Encrypt to generate a certificate.

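The rule the reply above describes is the browser's "secure context" check: page scripts only get `window.crypto.subtle` when the page's origin is potentially trustworthy. As an added example that is not from the thread or from the vaultwarden project, the function below reproduces that classification for a URL (https:, wss: and file: schemes, the name `localhost` and `*.localhost`, the 127.0.0.0/8 range and IPv6 `::1`), so you can predict whether a given vault address will be blocked before opening it. The LAN address and domain in the sample list are constructed placeholders.

```javascript
// Added example (not from the thread): predict whether a page at a given URL is
// a "potentially trustworthy origin" (W3C Secure Contexts), which is the
// precondition for window.crypto.subtle being available to page scripts.

const SECURE_SCHEMES = new Set(["https:", "wss:", "file:"]);

// URL.hostname lower-cases names, canonicalises IPv4 literals (127.1 -> 127.0.0.1)
// and keeps the brackets on IPv6 literals ("[::1]").
function isLoopbackHost(hostname) {
  const name = hostname.endsWith(".") ? hostname.slice(0, -1) : hostname;
  if (name === "[::1]") return true;
  if (name === "localhost" || name.endsWith(".localhost")) return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(name);
  return m !== null && Number(m[1]) === 127; // 127.0.0.0/8
}

function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // unparseable input: treat as untrusted
  }
  if (SECURE_SCHEMES.has(url.protocol)) return true;
  return isLoopbackHost(url.hostname);
}

// Runtime equivalent inside a page: the browser exposes the same verdict as
// window.isSecureContext, and crypto.subtle is absent when it is false.
// Takes a window-like object so it can be exercised outside a browser.
function hasWebCrypto(win) {
  return Boolean(win && win.isSecureContext && win.crypto && win.crypto.subtle);
}

// The addresses from the thread, with constructed placeholder values.
const SAMPLE_URLS = [
  "http://192.168.1.10/#/vault",        // LAN IP over plain HTTP: blocked
  "http://127.0.0.1:8080/#/vault",      // loopback proxy on the workstation: allowed
  "http://localhost:8080/#/vault",      // same, by name: allowed
  "http://[::1]:8080/#/vault",          // IPv6 loopback: allowed
  "https://vault.example.com/#/vault",  // public domain with TLS: allowed
  "http://vault.example.com/#/vault",   // public domain without TLS: blocked
];

function classify(urls) {
  const result = {};
  for (const u of urls) result[u] = isPotentiallyTrustworthy(u);
  return result;
}

for (const [u, ok] of Object.entries(classify(SAMPLE_URLS))) {
  console.log(`${ok ? "secure  " : "INSECURE"} ${u}`);
}
```

The verdict depends only on the URL in the address bar, not on how the request reaches the server; that is why a loopback reverse proxy in front of a plain-HTTP backend satisfies the browser while `http://192.168.x.x` does not.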

Thanks for your reply!

I have vaultwarden already running over the internet on a custom domain.
So I guess to make HTTPS work on my LAN I would need to provide the certificate on my own? I have a wildcard certificate from Cloudflare that lasts like 10 years.

Now I'm not sure how I would configure the usage of a local certificate. Caddy does everything automatically via the cloudflare-dns plugin and I have everything on the Cloudflare site running as grey cloud. If I change anything there or just change my apps to use port 443 instead of port 80, the apps won't work.

In that case you probably want split DNS or something.
That means: provide a different IP for your internal systems than on the Internet (outside of your LAN). In that case you should be able to use the exact same certificate (if you are able to use that certificate offline, outside of Cloudflare).

Otherwise, I suggest just always using the external domain.


Thanks for your suggestion.

Actually I was hoping for an easy solution, because as of now I'm a bit scared about my backup situation in this case. What if my Internet connection or the domain, for whatever reason, won't come back? I would then sit on a working local instance but wouldn't be able to extract the database because I can't reach the web vault.

Well, you can always run a reverse proxy on your personal computer and proxy it to your actual system.
That way you should be able to access it via localhost/127.0.0.1 and no HTTPS needed ;).

That is, by the way, how I mostly do my development.
And sometimes I use a reverse SSH tunnel to my server so that I can access it via an actual domain with a valid SSL certificate.

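The loopback reverse proxy suggested above, written out as an added example that is not from the thread or from the vaultwarden project. It is a Caddyfile that runs on the workstation whose browser opens the web vault (not on the server), and assumes the vaultwarden container answers plain HTTP on 192.168.1.10:80, a hypothetical LAN address.

```caddyfile
# Added example: run on the workstation with `caddy run --config ./Caddyfile`.
# The explicit http:// scheme in the site address tells Caddy to serve plain
# HTTP and not to try to obtain a certificate for 127.0.0.1.
http://127.0.0.1:8080 {
    # Without `bind`, Caddy listens on every interface (:8080) and only uses the
    # address above as a Host matcher. Bind to loopback so the plaintext vault
    # is reachable from this machine only, not from the rest of the LAN.
    bind 127.0.0.1

    # Hypothetical LAN address of the vaultwarden container (port 80, no TLS).
    reverse_proxy 192.168.1.10:80
}
```

Open `http://127.0.0.1:8080` in a browser on that workstation: the origin is 127.0.0.1, which the browser treats as a secure context, so the web vault's crypto calls are allowed. Note what this does and does not change: the browser is satisfied, but the hop from the workstation to the server is still plain HTTP on the LAN, the same exposure the browser extension already has when it talks to the LAN IP directly. If the browser runs on the server itself (as in the VNC setup below), that hop never leaves the machine.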

WOW. That actually was the easiest solution lol.
I have a desktop running on my server with VNC, so I just tried it in the browser and it works. :stuck_out_tongue:
And the connection is actually tunneled through HTTPS. So it was just a layer 8 problem I guess. :smiley:

Thank you for leading me to the conclusion.
