rhino/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-03-25 03:09:20 -07:00
Code Issues Packages Projects Releases Wiki Activity

rewrite example for Caddy 2

Jeremy Lin
2021-03-10 19:53:23 -08:00
parent 9737560450
commit 6561531d83
1 changed files with 47 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

96
Using-Docker-Compose.md

@@ -1,71 +1,67 @@
Docker Compose is a tool that allows the definition and configuration of multi-container applications. In our case, we want both the Bitwarden_RS server and a proxy to redirect the WebSocket requests to the correct place. [Docker Compose](https://docs.docker.com/compose/) is a tool that allows the definition and configuration of multi-container applications. In our case, we want both the bitwarden_rs server and a proxy to redirect the WebSocket requests to the correct place.
This guide is based on [#126 (comment)](https://github.com/dani-garcia/bitwarden_rs/issues/126#issuecomment-417872681). Another solution, based on Bitwarden_RS and Caddy 2.0 is [available there](https://github.com/sosandroid/docker-bitwarden_rs-caddy-synology) This example assumes that you have [installed](https://docs.docker.com/compose/install/) Docker Compose, that you have a domain name (e.g., `bitwarden.example.com`) for your bitwarden_rs instance, and that it will be publicly accessible.
Create a `docker-compose.yml` file based on this: Start by making a new directory and changing into it. Next, create the `docker-compose.yml` below, making sure to substitute appropriate values for the `DOMAIN` and `EMAIL` variables.
```yml
# docker-compose.yml ```yaml
version: '3' version: '3'
services: services:
bitwarden: bitwarden:
image: bitwardenrs/server image: bitwardenrs/server:latest
container_name: bitwarden
restart: always restart: always
environment:
- WEBSOCKET_ENABLED=true # Enable WebSocket notifications.
volumes: volumes:
- ./bw-data:/data - ./bw-data:/data
environment:
WEBSOCKET_ENABLED: 'true' # Required to use websockets
SIGNUPS_ALLOWED: 'true' # set to false to disable signups
caddy: caddy:
image: abiosoft/caddy image: caddy:2
container_name: caddy
restart: always restart: always
volumes:
- ./Caddyfile:/etc/Caddyfile:ro
- caddycerts:/root/.caddy
ports: ports:
- 80:80 # needed for Let's Encrypt - 80:80 # Needed for the ACME HTTP-01 challenge.
- 443:443 - 443:443
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile:ro
- ./caddy-config:/config
- ./caddy-data:/data
environment: environment:
ACME_AGREE: 'true' # agree to Let's Encrypt Subscriber Agreement - DOMAIN=bitwarden.example.com # Your domain.
DOMAIN: 'bitwarden.example.org' # CHANGE THIS! Used for Auto Let's Encrypt SSL - EMAIL=admin@example.com # The email address to use for ACME registration.
EMAIL: 'bitwarden@example.org' # CHANGE THIS! Optional, provided to Let's Encrypt - LOG_FILE=/data/access.log
volumes:
caddycerts:
``` ```
and the corresponding `Caddyfile` (does not need to be modified): In the same directory, create the `Caddyfile` below. (This file does not need to be modified.)
```nginx ```
# Caddyfile {$DOMAIN}:443 {
{$DOMAIN} { log {
tls {$EMAIL} level INFO
output file {$LOG_FILE} {
header / { roll_size 10MB
# Enable HTTP Strict Transport Security (HSTS) roll_keep 10
Strict-Transport-Security "max-age=31536000;"
# Enable cross-site filter (XSS) and tell browser to block detected attacks
X-XSS-Protection "1; mode=block"
# Disallow the site to be rendered within a frame (clickjacking protection)
X-Frame-Options "DENY"
# Prevent search engines from indexing (optional)
#X-Robots-Tag "none"
} }
}
# The negotiation endpoint is also proxied to Rocket # Use the ACME HTTP-01 challenge to get a cert for the configured domain.
proxy /notifications/hub/negotiate bitwarden:80 { tls {$EMAIL}
transparent
}
# Notifications redirected to the websockets server # This setting may have compatibility issues with some browsers
proxy /notifications/hub bitwarden:3012 { # (e.g., attachment downloading on Firefox). Try disabling this
websocket # if you encounter issues.
} encode gzip
# Proxy the Root directory to Rocket # Notifications redirected to the WebSocket server
proxy / bitwarden:80 { reverse_proxy /notifications/hub bitwarden:3012
transparent
} # Proxy everything else to Rocket
reverse_proxy bitwarden:80 {
# Send the true remote IP to Rocket, so that bitwarden_rs can put this in the
# log, so that fail2ban can ban the correct IP.
header_up X-Real-IP {remote_host}
}
} }
``` ```
@@ -73,13 +69,15 @@ Run
```bash ```bash
docker-compose up -d docker-compose up -d
``` ```
to create & start the containers. It creates a private network between the two containers for the reverse proxy, only caddy is exposed to the outside. to create and start the containers. A private network for the services in this `docker-compose.yml` file will be created automatically, with only Caddy being publicly exposed.
```bash ```bash
docker-compose down docker-compose down
``` ```
stops and destroys the containers. stops and destroys the containers.
A similar Caddy-based example for Synology is available [here](https://github.com/sosandroid/docker-bitwarden_rs-caddy-synology).
If there's no need for websocket notifications, you can run Bitwarden_rs alone. Here's my example. Actually I'm running Bitwarden_rs on my Raspberry Pi and I'm using bitwardenrs/server image. If you want to do the same, remember to change it to the example. If there's no need for websocket notifications, you can run Bitwarden_rs alone. Here's my example. Actually I'm running Bitwarden_rs on my Raspberry Pi and I'm using bitwardenrs/server image. If you want to do the same, remember to change it to the example.
```yml ```yml
# docker-compose.yml # docker-compose.yml
@@ -87,7 +85,7 @@ version: '3'
services: services:
bitwarden: bitwarden:
image: bitwardenrs/server image: bitwardenrs/server:latest
restart: always restart: always
volumes: volumes:
- ./bw-data:/data - ./bw-data:/data