Vaultwarden and Nginx Proxy Manager

Hello everyone.
Same issue here.
I can access Vaultwarden in my local network,
but cannot access it with Nginx Proxy Manager,
although all the configuration seems to be OK, like my other Docker instances.

Here is a link to the description of the problem in GitHub discussions.

  # Block the admin panel at the proxy
  location /admin {
    return 404;
  }

  location / {
    proxy_pass http://10.10.10.1:8097;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  # WebSocket notifications: the Upgrade handshake needs HTTP/1.1 to the upstream
  location /notifications/hub {
    proxy_pass http://10.10.10.1:3012;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  location /notifications/hub/negotiate {
    proxy_pass http://10.10.10.1:8097;
  }

How do you deny new users? I can't see it in the settings.

You find this at the Vaultwarden Admin Page


I'm not sure how you're accessing your Vaultwarden, but one of the most hardened steps is not to expose it to the greater web at all - which means hide it behind a VPN. WireGuard and OpenVPN server/client packages are readily available both for desktop and mobile devices and are not that difficult to actually set up. WireGuard is very easy to use. This may be something you could consider. I've done it and it's really smooth. The WireGuard client on iOS works easily and is for the most part pretty easy to configure.

I just got Nginx Proxy Manager to work, but thinking about security I'd prefer a solution using a VPN when connecting via the Internet.
Could you give me/us some hints on where to find adequate information on how to set up a VPN in a Docker container behind the Internet router, granting secure access for mobile devices outside my home WLAN/LAN, as well as on the mobile device itself?

Thanks a lot.

I'm not sure I can point you to a specific source; however, I think setting up WireGuard would be my first choice and my second would be OpenVPN. Both have mobile clients, so you'll be good on that end. In terms of Docker... yikes, not exactly sure, although I'm aware there are images. I've installed OpenVPN at the router level via pfSense, although I'm probably certain you could do the same on the Docker host via either a native package or a Docker image. It's probably going to perform better if using kernel-level WireGuard than user space.

Thanks for your lightning fast reply.

I'm feeling some kind of paranoid because using my own local vault with a strong master password should be a lot more secure than using a Bitwarden vault in their cloud.
But on the other hand I want to store some passwords in Vaultwarden for which I actually use KeePass, but only in my local network.
I did some testing with Bitwarden and like the possibility to share some (not all) passwords with my wife and son, which isn't possible with KeePass.

I just set up Vaultwarden and Nginx Proxy Manager as two separate Docker containers on my Unraid server earlier this week. I am able to access my vault via HTTPS and my domain name. However, I noticed that it does not work when I have "Force SSL" enabled for my Let's Encrypt cert. I'm basically using the same custom Nginx configuration that @shahin posted (with the IPs and ports swapped with my own).

  # Block the admin panel at the proxy
  location /admin {
    return 404;
  }

  location / {
    proxy_pass http://172.28.0.69:80;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  # WebSocket notifications: the Upgrade handshake needs HTTP/1.1 to the upstream
  location /notifications/hub {
    proxy_pass http://172.28.0.69:3012;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  location /notifications/hub/negotiate {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://172.28.0.69:80;
  }

This is what happens when "Force SSL" is enabled: (screenshot)

OK. I figured it out. The issue was in my configuration on Cloudflare (where my domain is hosted). I had to adjust the SSL settings (including HSTS), download the "Origin Server" cert, and import it into Nginx. From there, I just changed the proxy host in Nginx to use the new cert and was able to enable all of the options below it.


Hello.
I made the same configuration and I am getting the following message:

"The website you are accessing is misleading"

Best regards

Hey guys,

can someone please help me?
I'm running Home Assistant on 8123 and I want to run Vaultwarden on 8124 and 8125 (notifications).

If I open the website it says "SSL_ERROR_RX_RECORD_TOO_LONG".

Following Docker Config:

  vaultwarden:
    container_name: vaultwarden
    image: vaultwarden/server:latest
    restart: unless-stopped
    volumes:
      - /""/vaultwarden:/data/
    ports:
      - 8125:3012
      - 8124:80
    environment:
      - DOMAIN=https://"".duckdns.org
      - LOGIN_RATELIMIT_MAX_BURST=10
      - LOGIN_RATELIMIT_SECONDS=60
      - ADMIN_RATELIMIT_MAX_BURST=10
      - ADMIN_RATELIMIT_SECONDS=60
      - ADMIN_TOKEN="token"
      - SENDS_ALLOWED=true
      - EMERGENCY_ACCESS_ALLOWED=true
      - WEB_VAULT_ENABLED=true
      - SIGNUPS_ALLOWED=true

  nginx-proxy-manager:
    container_name: nginx
    privileged: true
    image: 'jc21/nginx-proxy-manager:latest'
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
    environment:
      DB_MYSQL_HOST: "nginx-db"
      DB_MYSQL_PORT: 3306
      DB_MYSQL_USER: ""
      DB_MYSQL_PASSWORD: ""
      DB_MYSQL_NAME: ""
    volumes:
      - /""/nginx/data:/data
      - /""/nginx/letsencrypt:/etc/letsencrypt
      - /""/nginx/config:/etc/nginx

  nginx-db:
    container_name: nginx-db
    image: 'jc21/mariadb-aria:latest'
    environment:
      MYSQL_ROOT_PASSWORD: ''
      MYSQL_DATABASE: ''
      MYSQL_USER: ''
      MYSQL_PASSWORD: ''
    volumes:
      - /""/nginx/mysql:/var/lib/mysql

My Home Assistant config works this way (also via Docker).

Following NGINX setup:

I'm using the SSL certificate from my Home Assistant DuckDNS. I just changed the port from 8124 to 8125, is that okay?

Advanced:

  # Block the admin panel at the proxy
  location /admin {
    return 404;
  }

  location / {
    proxy_pass http://vaultwarden:8124;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  # WebSocket notifications: the Upgrade handshake needs HTTP/1.1 to the upstream
  location /notifications/hub {
    proxy_pass http://vaultwarden:8125;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  location /notifications/hub/negotiate {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://vaultwarden:8124;
  }
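As an added example (not code from any poster in this thread or from the Vaultwarden or NPM projects), here is a small Python linter for the kind of NPM "Advanced" snippet posted above (the first one and this one). It flags an /admin location that is not blocked, a /notifications/hub location without proxy_http_version 1.1, and a proxy_pass that addresses the compose service by name but with the host-published port: on the compose network the container port applies (this assumes the default bridge network, not host networking). The snippet and the port map are constructed for the example.

```python
import re

# Constructed sample: an NPM "Advanced" snippet like the ones in this thread,
# proxying to Vaultwarden by its compose service name (values are illustrative).
SNIPPET = """
location /admin { return 404; }
location / {
  proxy_pass http://vaultwarden:8124;
  proxy_set_header Host $host;
}
location /notifications/hub {
  proxy_pass http://vaultwarden:8125;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";
}
"""
# Constructed compose "ports:" map for the service: host port -> container port.
PORTS = {"vaultwarden": {"8124": "80", "8125": "3012"}}
# The same snippet with the container ports and HTTP/1.1 for the upgrade.
FIXED_SNIPPET = (SNIPPET.replace(":8124", ":80").replace(":8125", ":3012")
                 .replace('"upgrade";', '"upgrade";\n  proxy_http_version 1.1;'))

def parse_locations(conf):
    """Return {path: [(directive, args), ...]} for flat (non-nested) location blocks."""
    blocks = {}
    for m in re.finditer(r"location\s+(\S+)\s*\{(.*?)\}", conf, re.S):
        path, body = m.group(1), m.group(2)
        blocks[path] = [(s.split()[0], s.split()[1:]) for s in body.split(";") if s.split()]
    return blocks

def lint(conf, ports):
    """List the misconfigurations this thread ran into; an empty list means clean."""
    findings, locs = [], parse_locations(conf)
    admin = dict(locs.get("/admin", []))
    if (admin.get("return") or [None])[0] != "404":
        findings.append("/admin is reachable through the proxy")
    if "proxy_http_version" not in {d for d, _ in locs.get("/notifications/hub", [])}:
        findings.append("/notifications/hub lacks proxy_http_version 1.1; WebSocket upgrade fails")
    for path, directives in locs.items():
        for name, args in directives:
            m = re.match(r"https?://([^:/]+):(\d+)", args[0]) if name == "proxy_pass" else None
            if m and m.group(2) in ports.get(m.group(1), {}):  # host port used by service name
                findings.append(f"{path}: {args[0]} is the host port; by service name use "
                                f"container port {ports[m.group(1)][m.group(2)]}")
    return findings

if __name__ == "__main__":
    for f in lint(SNIPPET, PORTS): print("FAIL:", f)
    print("fixed snippet:", lint(FIXED_SNIPPET, PORTS) or "clean")
```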

Okay, I just fixed this by basically making vaultwarden.xxx.duckdns.org my URL and setting SSL up with a new certificate, but without a DNS challenge.

Hey Luki, perhaps you can help me here!?