Toucan-Sam 77d9641323
Update PROXY.md
Removed: `include conf.d/proxy-confs/proxy.conf;` lines because they're specific to user (shauder) and will break nginx if copy-pasted/don't exist.
Changed: Moved listen value and server_name to top as is standard for nginx configs
Changed: Commented out SSL config as it's specific to user (shauder) and will break if copy-pasted/don't exist. But is still useful and a good idea for simplifying nginx config.
Changed: Rearranged location blocks because OCD. First /, then /notifications/hub, then /notifications/hub/negotiate because it looks nicer in a tree where each location grows.
2018-10-25 19:45:22 +13:00

2.5 KiB

Proxy examples

In this document, <SERVER> refers to the IP or domain where bitwarden_rs is accessible from. If both the proxy and bitwarden_rs are running in the same system, simply use localhost. The ports proxied by default are 80 for the web server and 3012 for the WebSocket server. The proxies are configured to listen in port 443 with HTTPS enabled, which is recommended.

When using a proxy, it's preferrable to configure HTTPS at the proxy level and not at the application level, this way the WebSockets connection is also secured.

Caddy

localhost:443 {
    # The negotiation endpoint is also proxied to Rocket
    proxy /notifications/hub/negotiate <SERVER>:80 {
        transparent
    }
    
    # Notifications redirected to the websockets server
    proxy /notifications/hub <SERVER>:3012 {
        websocket
    }
    
    # Proxy the Root directory to Rocket
    proxy / <SERVER>:80 {
        transparent
    }

    tls ${SSLCERTIFICATE} ${SSLKEY}
}

Nginx (by shauder)

server {
  listen 443 ssl http2;
  server_name vault.*;
  
  # Specify SSL config if using a shared one.
  #include conf.d/ssl/ssl.conf;
  
  location / {
    proxy_pass http://<SERVER>:80;
  }
  
  location /notifications/hub {
    proxy_pass http://<SERVER>:3012;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }
  
  location /notifications/hub/negotiate {
    proxy_pass http://<SERVER>:80;
  }
}

Apache (by fbartels)

<VirtualHost *:443>
    SSLEngine on
    ServerName bitwarden.$hostname.$domainname

    SSLCertificateFile ${SSLCERTIFICATE}
    SSLCertificateKeyFile ${SSLKEY}
    SSLCACertificateFile ${SSLCA}
    ${SSLCHAIN}

    ErrorLog \${APACHE_LOG_DIR}/bitwarden-error.log
    CustomLog \${APACHE_LOG_DIR}/bitwarden-access.log combined

    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*)           ws://<SERVER>:3012/$1 [P,L]

    ProxyPass / http://<SERVER>:80/

    ProxyPreserveHost On
    ProxyRequests Off
</VirtualHost>

Traefik (docker-compose example)

    labels:
      - 'traefik.frontend.rule=Host:vault.example.local'
      - 'traefik.docker.network=traefik'
      - 'traefik.port=80'
      - 'traefik.enable=true'
      - 'traefik.web.frontend.rule=Host:vault.example.local'
      - 'traefik.web.port=80'
      - 'traefik.hub.frontend.rule=Path:/notifications/hub'
      - 'traefik.hub.port=3012'
      - 'traefik.negotiate.frontend.rule=Path:/notifications/hub/negotiate'
      - 'traefik.negotiate.port=80'