Hello all,
I would like to ask for help with configuring Bitwarden_RS with HTTPS on an internal network (no external access) behind my router.
Here’s how I have it set up.
I have a Windows 10 Pro Machine which I am using as a server.
I have installed Docker CE, and that works.
That Windows 10 Pro machine has internet access outbound, but no inbound access. Meaning, when I run Bitwarden_RS on it, it is only accessible via my local network (192.168.x.x). That’s what I want it to do.
The goal is that Bitwarden_RS is used by myself, my wife, and my son, on our computers, and our phones. We used to use Keepass and loved it, but needed the ability to share passwords/entries. We would only add/edit entries while on our home network. If we have to take our laptops/phones outside (out of network), we will use the cached data in the apps.
I have tried a few things and came up with a very convoluted solution, but I think to myself that this can't be right. It's just way too crazy.
Here’s my convoluted solution which temporarily works:
- I used duckdns.org to register my home IP to a URL, so, like this: rick1.duckdns.org -> home IP (x.x.x.x).
- I have a domain hosted on a webhost, so I created a CNAME to point to that duckdns, and thus the IP, so like this: bitwarden.rick1.org -> CNAME -> rick1.duckdns.org
- I did port-forwarding temporarily on my router, ports 80 and 443 to my Windows 10 Server.
I ran docker-compose with this yml file:
# docker-compose.yml
version: '3'
services:
  bitwarden:
    image: bitwardenrs/server
    environment:
      DOMAIN: 'https://bitwarden.rick1.org'
      WEBSOCKET_ENABLED: 'true'    # Required to use websockets
      SIGNUPS_ALLOWED: 'true'      # set to false to disable signups
      LOG_FILE: '/data/bitwarden.log'
      ADMIN_TOKEN: some_random_token_as_per_above_explanation
    restart: always
    volumes:
      - D:/DockerData/bitwardenrs/:/data/
  caddy:
    image: abiosoft/caddy
    restart: always
    volumes:
      - D:/DockerData/Caddyfile:/etc/Caddyfile:ro
      - D:/DockerData/caddycerts:/root/.caddy
    ports:
      - 80:80    # needed for Let's Encrypt (HTTP-01 challenge)
      - 443:443
    environment:
      ACME_AGREE: 'true'               # agree to Let's Encrypt Subscriber Agreement
      DOMAIN: 'bitwarden.rick1.org'    # CHANGE THIS! Used for Auto Let's Encrypt SSL
      EMAIL: '<myEmail>'               # CHANGE THIS! Optional, provided to Let's Encrypt
volumes:
  caddycerts:    # declared but not used above: the caddy service bind-mounts D:/DockerData/caddycerts instead
When Caddy runs, it generates the Let’s Encrypt certificates for future use, and that works.
Then, to clean up stuff, I have to shut off port forwarding on my router.
I then also change the CNAME entry to an A record pointing at my internal Windows 10 IP, so like bitwarden.rick1.org --> 192.168.1.10
That way, when I point my browser & app to https://bitwarden.rick1.org, there is a valid certificate, and it points to my internal Windows 10 server.
Now, the question is: is there a much better and simpler way to do this? Because I then have to repeat a few steps every 2.5 months when I renew the SSL certificate.
Thank you.
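An added example (not part of the original post, and not the Bitwarden_RS project's own configuration) of the approach that removes the temporary port forward and the CNAME/A-record flip: have Caddy prove ownership of the name with the ACME DNS-01 challenge instead of HTTP-01. Let's Encrypt then validates a TXT record that Caddy creates through the DuckDNS API, so ports 80 and 443 never have to be reachable from the internet, renewals run unattended, and the DNS name can permanently point at the private address. The example assumes Caddy 2 built with the github.com/caddy-dns/duckdns module (the abiosoft/caddy image in the post is Caddy 1 and does not ship it), that the DuckDNS token is passed to the container in an environment variable named DUCKDNS_API_TOKEN, that the Bitwarden_RS container is reachable from Caddy as bitwarden on port 80 with the WebSocket notifications on port 3012, and that the certificate is issued for the DuckDNS name rick1.duckdns.org rather than bitwarden.rick1.org (see the note after the block for why).

```caddyfile
# Caddyfile for Caddy 2 (added example; assumes a Caddy build that includes the duckdns DNS module)
rick1.duckdns.org {
    # DNS-01 challenge: Caddy publishes the _acme-challenge TXT record via the DuckDNS API
    # using the token in DUCKDNS_API_TOKEN (assumed variable name), so no inbound
    # port 80/443 is needed and renewal is fully automatic.
    tls {
        dns duckdns {env.DUCKDNS_API_TOKEN}
    }

    # Bitwarden_RS WebSocket notifications (assumed container name "bitwarden", port 3012)
    reverse_proxy /notifications/hub bitwarden:3012

    # Everything else goes to the Bitwarden_RS web/API port
    reverse_proxy bitwarden:80
}
```

Two things to keep straight with this setup. First, the TXT record has to be created in the zone that actually serves the certificate's name: with the DuckDNS module that means the certificate name must be the DuckDNS one (and Bitwarden_RS's DOMAIN must then be https://rick1.duckdns.org), while keeping bitwarden.rick1.org would require a Caddy DNS module for whichever provider hosts the rick1.org zone. Second, the DuckDNS record itself can be set to 192.168.1.10 once and left alone, because DNS-01 never connects to that address; a Caddy binary with the module can be produced with `xcaddy build --with github.com/caddy-dns/duckdns`.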