Table of Contents
Traditionally, Vaultwarden is limited to residing at the root of a subdomain, e.g. https://vaultwarden.example.com
.
This limitation originates in the backend and web vault, which haven't been designed to accommodate alternate base dirs (see bitwarden/server#277). The mobile/desktop apps and browser extensions actually have no issues using a base URL with a path.
In vaultwarden, with the changes in PR#868 (backend) and PR#11 (web vault), you can configure a fully functional instance at an alternate base dir.
Configuration
Simply configure your domain URL to include the base dir. For example, suppose you want to access your instance at https://vaultwarden.example.com/base-dir
. (Note that you can also use multiple levels of directories, like https://vaultwarden.example.com/multi/level/base/dir
if you want.)
-
Stop vaultwarden.
-
If you normally configure vaultwarden using the admin page, edit your
config.json
to look as follows:{ "domain": "https://vaultwarden.example.com/base-dir", // ... other values ... }
-
If you normally configure vaultwarden via environment variables, update your config files/scripts to set the
DOMAIN
environment variable to the base URL. For example:docker run -e DOMAIN="https://vaultwarden.example.com/base-dir" ...
-
Restart vaultwarden.
-
You should now be able to access the web vault at
https://vaultwarden.example.com/base-dir/
(note the trailing slash). For reasons not entirely clear, you'll probably run into issues if you usehttps://vaultwarden.example.com/base-dir
(without the trailing slash). -
Configure your apps or browser extensions to use
https://vaultwarden.example.com/base-dir
. If you add a trailing slash, the apps and extensions will automatically remove it before saving. -
Note over 5. The trailing slash
/
issue could be solved by appending/
after the route location string. For example, in nginx.location /my-base-path { # This config would cause `/` issue } location /my-base-path-2/ { # This config works perfectly }
Reverse proxying
If you are putting vaultwarden behind a reverse proxy, make sure your proxy is configured to pass the request path through to vaultwarden, since the vaultwarden API routes are set up to expect the base dir. So if a request for https://vaultwarden.example.com/base-dir/api/sync
hits your reverse proxy, which then proxies to your vaultwarden listening on localhost:8080
, the request must go to http://localhost:8080/base-dir/api/sync
, not http://localhost:8080/api/sync
.
FAQs
Container Image Usage
- Which container image to use
- Starting a container
- Updating the vaultwarden image
- Using Docker Compose
- Using Podman
Deployment
- Building your own docker image
- Building binary
- Pre-built binaries
- Third-party packages
- Deployment examples
- Proxy examples
- Logrotate example
HTTPS
Configuration
- Overview
- Disable registration of new users
- Disable invitations
- Enabling admin page
- Disable the admin token
- Enabling WebSocket notifications
- Enabling Mobile Client push notification
- Enabling U2F and FIDO2 WebAuthn authentication
- Enabling YubiKey OTP authentication
- Changing persistent data location
- Changing the API request size limit
- Changing the number of workers
- SMTP configuration
- Translating the email templates
- Password hint display
- Disabling or overriding the Vault interface hosting
- Logging
- Creating a systemd service
- Syncing users from LDAP
- Using an alternate base dir (subdir/subpath)
- Other configuration
Database
- Using the MariaDB (MySQL) Backend
- Using the PostgreSQL Backend
- Running without WAL enabled
- Migrating from MariaDB (MySQL) to SQLite