mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2025-01-21 01:12:28 -05:00
Include more proxy examples
parent
928e2424c0
commit
9cdb605659
2 changed files with 82 additions and 21 deletions
80
PROXY.md
Normal file
|
@ -0,0 +1,80 @@
|
||||||
|
# Proxy examples
|
||||||
|
|
||||||
|
In this document, `<SERVER>` refers to the IP or domain where bitwarden_rs is accessible from. If both the proxy and bitwarden_rs are running in the same system, simply use `localhost`.
|
||||||
|
The ports proxied by default are `80` for the web server and `3012` for the WebSocket server. The proxies are configured to listen in port `443` with HTTPS enabled, which is recommended.
|
||||||
|
|
||||||
|
When using a proxy, it's preferrable to configure HTTPS at the proxy level and not at the application level, this way the WebSockets connection is also secured.
|
||||||
|
|
||||||
|
## Caddy
|
||||||
|
|
||||||
|
```nginx
|
||||||
|
localhost:443 {
|
||||||
|
# The negotiation endpoint is also proxied to Rocket
|
||||||
|
proxy /notifications/hub/negotiate <SERVER>:80 {
|
||||||
|
transparent
|
||||||
|
}
|
||||||
|
|
||||||
|
# Notifications redirected to the websockets server
|
||||||
|
proxy /notifications/hub <SERVER>:3012 {
|
||||||
|
websocket
|
||||||
|
}
|
||||||
|
|
||||||
|
# Proxy the Root directory to Rocket
|
||||||
|
proxy / <SERVER>:80 {
|
||||||
|
transparent
|
||||||
|
}
|
||||||
|
|
||||||
|
tls ${SSLCERTIFICATE} ${SSLKEY}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Nginx (by shauder)
|
||||||
|
```nginx
|
||||||
|
server {
|
||||||
|
include conf.d/ssl/ssl.conf;
|
||||||
|
|
||||||
|
listen 443 ssl http2;
|
||||||
|
server_name vault.*;
|
||||||
|
|
||||||
|
location /notifications/hub/negotiate {
|
||||||
|
include conf.d/proxy-confs/proxy.conf;
|
||||||
|
proxy_pass http://<SERVER>:80;
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
include conf.d/proxy-confs/proxy.conf;
|
||||||
|
proxy_pass http://<SERVER>:80;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /notifications/hub {
|
||||||
|
proxy_pass http://<SERVER>:3012/api/websocket;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection "upgrade";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Apache (by fbartels)
|
||||||
|
```apache
|
||||||
|
<VirtualHost *:443>
|
||||||
|
SSLEngine on
|
||||||
|
ServerName bitwarden.$hostname.$domainname
|
||||||
|
|
||||||
|
SSLCertificateFile ${SSLCERTIFICATE}
|
||||||
|
SSLCertificateKeyFile ${SSLKEY}
|
||||||
|
SSLCACertificateFile ${SSLCA}
|
||||||
|
${SSLCHAIN}
|
||||||
|
|
||||||
|
ErrorLog \${APACHE_LOG_DIR}/bitwarden-error.log
|
||||||
|
CustomLog \${APACHE_LOG_DIR}/bitwarden-access.log combined
|
||||||
|
|
||||||
|
RewriteEngine On
|
||||||
|
RewriteCond %{HTTP:Upgrade} =websocket [NC]
|
||||||
|
RewriteRule /(.*) ws://<SERVER>:3012/$1 [P,L]
|
||||||
|
|
||||||
|
ProxyPass / http://<SERVER>:80/
|
||||||
|
|
||||||
|
ProxyPreserveHost On
|
||||||
|
ProxyRequests Off
|
||||||
|
</VirtualHost>
|
||||||
|
```
|
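Review bot: In the Apache example, `RewriteRule /(.*) ws://<SERVER>:3012/$1 [P,L]` sends every request carrying `Upgrade: websocket` to port `3012`, while the Caddy and Nginx examples route only `/notifications/hub` there; anchoring the rule to that path would keep the three examples equivalent. The same block still has what look like shell-template leftovers (`ErrorLog \${APACHE_LOG_DIR}/...` with an escaped `$`, a bare `${SSLCHAIN}` line, and `ServerName bitwarden.$hostname.$domainname`), so it cannot be pasted into an Apache config as written; literal placeholders in the `<SERVER>` style would be clearer. Two smaller points: the Caddy block is fenced as `nginx`, and the Nginx example forwards to `http://<SERVER>:3012/api/websocket` where the other two pass the request path through unchanged, which deserves a sentence of explanation. Since the intro recommends terminating HTTPS at the proxy, it would also help to state that ports `80` and `3012` carry plain HTTP and should be reachable only from the proxy.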
23
README.md
|
@ -184,26 +184,7 @@ To enable WebSockets notifications, an external reverse proxy is necessary, and
|
||||||
- Route everything else, including `/notifications/hub/negotiate`, to the standard Rocket server, by default at port `80`.
|
- Route everything else, including `/notifications/hub/negotiate`, to the standard Rocket server, by default at port `80`.
|
||||||
- If using Docker, you may need to map both ports with the `-p` flag
|
- If using Docker, you may need to map both ports with the `-p` flag
|
||||||
|
|
||||||
An example configuration is included next for a [Caddy](https://caddyserver.com/) proxy server, and assumes the proxy is running in the same computer as `bitwarden_rs`:
|
Example configurations are included in the [PROXY.md](https://github.com/dani-garcia/bitwarden_rs/blob/master/PROXY.md) file.
|
||||||
|
|
||||||
```r
|
|
||||||
localhost:2015 {
|
|
||||||
# The negotiation endpoint is also proxied to Rocket
|
|
||||||
proxy /notifications/hub/negotiate 0.0.0.0:80 {
|
|
||||||
transparent
|
|
||||||
}
|
|
||||||
|
|
||||||
# Notifications redirected to the websockets server
|
|
||||||
proxy /notifications/hub 0.0.0.0:3012 {
|
|
||||||
websocket
|
|
||||||
}
|
|
||||||
|
|
||||||
# Proxy the Root directory to Rocket
|
|
||||||
proxy / 0.0.0.0:80 {
|
|
||||||
transparent
|
|
||||||
}
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
Note: The reason for this workaround is the lack of support for WebSockets from Rocket (though [it's a planned feature](https://github.com/SergioBenitez/Rocket/issues/90)), which forces us to launch a secondary server on a separate port.
|
Note: The reason for this workaround is the lack of support for WebSockets from Rocket (though [it's a planned feature](https://github.com/SergioBenitez/Rocket/issues/90)), which forces us to launch a secondary server on a separate port.
|
||||||
|
|
||||||
|
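Review bot: The replacement line links to `https://github.com/dani-garcia/bitwarden_rs/blob/master/PROXY.md`, an absolute URL pinned to `master`, so a reader on a tag or an older checkout gets proxy examples that may not match the version they run; a relative `PROXY.md` link would follow the revision being viewed. If the absolute form is needed because the README is rendered somewhere relative links do not resolve, say so in the commit message. The removed sentence also stated that the example assumed the proxy runs on the same computer as `bitwarden_rs`; confirm the `<SERVER>` paragraph in PROXY.md is meant to replace that note.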
@ -380,7 +361,7 @@ docker build -t bitwarden_rs .
|
||||||
|
|
||||||
## Building binary
|
## Building binary
|
||||||
|
|
||||||
For building binary outside the Docker environment and running it locally without docker, please see [build instructions](BUILD.md).
|
For building binary outside the Docker environment and running it locally without docker, please see [build instructions](https://github.com/dani-garcia/bitwarden_rs/blob/master/BUILD.md).
|
||||||
|
|
||||||
## Available packages
|
## Available packages
|
||||||
|
|
||||||
|
|
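Review bot: The `BUILD.md` link change from a relative path to `https://github.com/dani-garcia/bitwarden_rs/blob/master/BUILD.md` is unrelated to the proxy examples named in the commit title, and nothing in the diff explains it. Either move it to its own commit or add a line to the commit message giving the reason, since the relative link resolved against whatever revision was being viewed and the new one always points at `master`.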