			
		
		
		
	Include more proxy examples
		
							
								
								
									
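--- a/PROXY.md
+++ b/PROXY.md
@@ -0,0 +1,80 @@
+# Proxy examples
+
+In this document, `<SERVER>` refers to the IP or domain where bitwarden_rs is accessible from. If both the proxy and bitwarden_rs are running in the same system, simply use `localhost`.
+The ports proxied by default are `80` for the web server and `3012` for the WebSocket server. The proxies are configured to listen in port `443` with HTTPS enabled, which is recommended.
+
+When using a proxy, it's preferrable to configure HTTPS at the proxy level and not at the application level, this way the WebSockets connection is also secured.
+
+## Caddy
+
+```nginx
+localhost:443 {
+    # The negotiation endpoint is also proxied to Rocket
+    proxy /notifications/hub/negotiate <SERVER>:80 {
+        transparent
+    }
+    
+    # Notifications redirected to the websockets server
+    proxy /notifications/hub <SERVER>:3012 {
+        websocket
+    }
+    
+    # Proxy the Root directory to Rocket
+    proxy / <SERVER>:80 {
+        transparent
+    }
+
+    tls ${SSLCERTIFICATE} ${SSLKEY}
+}
+```
+
+## Nginx (by shauder)
+```nginx
+server {
+  include conf.d/ssl/ssl.conf;
+
+  listen 443 ssl http2;
+  server_name vault.*;
+
+  location /notifications/hub/negotiate {
+    include conf.d/proxy-confs/proxy.conf;
+    proxy_pass http://<SERVER>:80;
+  }
+
+  location / {
+    include conf.d/proxy-confs/proxy.conf;
+    proxy_pass http://<SERVER>:80;
+  }
+
+  location /notifications/hub {
+    proxy_pass http://<SERVER>:3012/api/websocket;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+  }
+}
+```
+
+## Apache (by fbartels)
+```apache
+<VirtualHost *:443>
+    SSLEngine on
+    ServerName bitwarden.$hostname.$domainname
+
+    SSLCertificateFile ${SSLCERTIFICATE}
+    SSLCertificateKeyFile ${SSLKEY}
+    SSLCACertificateFile ${SSLCA}
+    ${SSLCHAIN}
+
+    ErrorLog \${APACHE_LOG_DIR}/bitwarden-error.log
+    CustomLog \${APACHE_LOG_DIR}/bitwarden-access.log combined
+
+    RewriteEngine On
+    RewriteCond %{HTTP:Upgrade} =websocket [NC]
+    RewriteRule /(.*)           ws://<SERVER>:3012/$1 [P,L]
+
+    ProxyPass / http://<SERVER>:80/
+
+    ProxyPreserveHost On
+    ProxyRequests Off
+</VirtualHost>
+```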
							
								
								
									
										23
									
								
								README.md
									
									
									
									
									
								
							
							
						
						
									
									
									
									
									
									
								
							| @@ -184,26 +184,7 @@ To enable WebSockets notifications, an external reverse proxy is necessary, and | |||||||
| - Route everything else, including `/notifications/hub/negotiate`, to the standard Rocket server, by default at port `80`. | - Route everything else, including `/notifications/hub/negotiate`, to the standard Rocket server, by default at port `80`. | ||||||
| - If using Docker, you may need to map both ports with the `-p` flag | - If using Docker, you may need to map both ports with the `-p` flag | ||||||
|  |  | ||||||
| An example configuration is included next for a [Caddy](https://caddyserver.com/) proxy server, and assumes the proxy is running in the same computer as `bitwarden_rs`: | Example configurations are included in the [PROXY.md](https://github.com/dani-garcia/bitwarden_rs/blob/master/PROXY.md) file. | ||||||
|  |  | ||||||
| ```r |  | ||||||
| localhost:2015 { |  | ||||||
|     # The negotiation endpoint is also proxied to Rocket |  | ||||||
|     proxy /notifications/hub/negotiate 0.0.0.0:80 { |  | ||||||
|         transparent |  | ||||||
|     } |  | ||||||
|      |  | ||||||
|     # Notifications redirected to the websockets server |  | ||||||
|     proxy /notifications/hub 0.0.0.0:3012 { |  | ||||||
|         websocket |  | ||||||
|     } |  | ||||||
|      |  | ||||||
|     # Proxy the Root directory to Rocket |  | ||||||
|     proxy / 0.0.0.0:80 { |  | ||||||
|         transparent |  | ||||||
|     } |  | ||||||
| } |  | ||||||
| ``` |  | ||||||
|  |  | ||||||
| Note: The reason for this workaround is the lack of support for WebSockets from Rocket (though [it's a planned feature](https://github.com/SergioBenitez/Rocket/issues/90)), which forces us to launch a secondary server on a separate port. | Note: The reason for this workaround is the lack of support for WebSockets from Rocket (though [it's a planned feature](https://github.com/SergioBenitez/Rocket/issues/90)), which forces us to launch a secondary server on a separate port. | ||||||
|  |  | ||||||
| @@ -380,7 +361,7 @@ docker build -t bitwarden_rs . | |||||||
|  |  | ||||||
| ## Building binary | ## Building binary | ||||||
|  |  | ||||||
| For building binary outside the Docker environment and running it locally without docker, please see [build instructions](BUILD.md). | For building binary outside the Docker environment and running it locally without docker, please see [build instructions](https://github.com/dani-garcia/bitwarden_rs/blob/master/BUILD.md). | ||||||
|  |  | ||||||
| ## Available packages | ## Available packages | ||||||
|  |  | ||||||
|   | |||||||