vw_small

Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.
git clone https://git.philomathiclife.com/repos/vw_small

commit 9cdb605659f557ecfd5a90e00154fb0b58c8ec9b
parent 928e2424c0bfa00bee5d392609a27cb4d08cdf27
Author: Daniel García <dani-garcia@users.noreply.github.com>
Date:   Thu, 13 Sep 2018 17:08:16 +0200

Include more proxy examples

Diffstat:
A PROXY.md  | 81 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
M README.md | 23 ++---------------------
2 files changed, 83 insertions(+), 21 deletions(-)

diff --git a/PROXY.md b/PROXY.md 
@@ -0,0 +1,80 @@ +# Proxy examples + +In this document, `<SERVER>` refers to the IP or domain where bitwarden_rs is accessible from. If both the proxy and bitwarden_rs are running in the same system, simply use `localhost`. +The ports proxied by default are `80` for the web server and `3012` for the WebSocket server. The proxies are configured to listen in port `443` with HTTPS enabled, which is recommended. + +When using a proxy, it's preferrable to configure HTTPS at the proxy level and not at the application level, this way the WebSockets connection is also secured. + +## Caddy + +```nginx +localhost:443 { + # The negotiation endpoint is also proxied to Rocket + proxy /notifications/hub/negotiate <SERVER>:80 { + transparent + } + + # Notifications redirected to the websockets server + proxy /notifications/hub <SERVER>:3012 { + websocket + } + + # Proxy the Root directory to Rocket + proxy / <SERVER>:80 { + transparent + } + + tls ${SSLCERTIFICATE} ${SSLKEY} +} +``` + +## Nginx (by shauder) +```nginx +server { + include conf.d/ssl/ssl.conf; + + listen 443 ssl http2; + server_name vault.*; + + location /notifications/hub/negotiate { + include conf.d/proxy-confs/proxy.conf; + proxy_pass http://<SERVER>:80; + } + + location / { + include conf.d/proxy-confs/proxy.conf; + proxy_pass http://<SERVER>:80; + } + + location /notifications/hub { + proxy_pass http://<SERVER>:3012/api/websocket; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } +} +``` + +## Apache (by fbartels) +```apache +<VirtualHost *:443> + SSLEngine on + ServerName bitwarden.$hostname.$domainname + + SSLCertificateFile ${SSLCERTIFICATE} + SSLCertificateKeyFile ${SSLKEY} + SSLCACertificateFile ${SSLCA} + ${SSLCHAIN} + + ErrorLog \${APACHE_LOG_DIR}/bitwarden-error.log + CustomLog \${APACHE_LOG_DIR}/bitwarden-access.log combined + + RewriteEngine On + RewriteCond %{HTTP:Upgrade} =websocket [NC] + RewriteRule /(.*) ws://<SERVER>:3012/$1 [P,L] + + ProxyPass / 
http://<SERVER>:80/ + + ProxyPreserveHost On + ProxyRequests Off +</VirtualHost> +``` +\ No newline at end of file diff --git a/README.md b/README.md @@ -184,26 +184,7 @@ To enable WebSockets notifications, an external reverse proxy is necessary, and - Route everything else, including `/notifications/hub/negotiate`, to the standard Rocket server, by default at port `80`. - If using Docker, you may need to map both ports with the `-p` flag -An example configuration is included next for a [Caddy](https://caddyserver.com/) proxy server, and assumes the proxy is running in the same computer as `bitwarden_rs`: - -```r -localhost:2015 { - # The negotiation endpoint is also proxied to Rocket - proxy /notifications/hub/negotiate 0.0.0.0:80 { - transparent - } - - # Notifications redirected to the websockets server - proxy /notifications/hub 0.0.0.0:3012 { - websocket - } - - # Proxy the Root directory to Rocket - proxy / 0.0.0.0:80 { - transparent - } -} -``` +Example configurations are included in the [PROXY.md](https://github.com/dani-garcia/bitwarden_rs/blob/master/PROXY.md) file. Note: The reason for this workaround is the lack of support for WebSockets from Rocket (though [it's a planned feature](https://github.com/SergioBenitez/Rocket/issues/90)), which forces us to launch a secondary server on a separate port. @@ -380,7 +361,7 @@ docker build -t bitwarden_rs . ## Building binary -For building binary outside the Docker environment and running it locally without docker, please see [build instructions](BUILD.md). +For building binary outside the Docker environment and running it locally without docker, please see [build instructions](https://github.com/dani-garcia/bitwarden_rs/blob/master/BUILD.md). ## Available packages
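
Review bot: In the Nginx example in PROXY.md, the `location /notifications/hub` block sets `Upgrade` and `Connection` but, unlike the other two locations, does not include `conf.d/proxy-confs/proxy.conf` and does not set `proxy_http_version 1.1;`, which nginx needs to proxy a WebSocket upgrade because it speaks HTTP/1.0 to the upstream by default. Unless `conf.d/ssl/ssl.conf` already sets it at server level, add `proxy_http_version 1.1;` to that block, and either show the contents of the two included files or inline the directives they carry, since the example cannot be used as written without them. The same block rewrites the path to `/api/websocket`, while the Caddy and Apache examples pass the original path to port `3012`; state which is intended. The Apache block still carries template residue (`\${APACHE_LOG_DIR}`, a bare `${SSLCHAIN}` line, `$hostname.$domainname`) that should be substituted or explained. The introduction should also say that the hop from the proxy to `<SERVER>:80` and `<SERVER>:3012` is plain HTTP and WS, so it is protected only when `<SERVER>` is `localhost` or sits on a trusted network. Minor: "preferrable" should be "preferable", the Caddy block is fenced as `nginx`, and the file has no trailing newline.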
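
Review bot: In the first README.md hunk (`@@ -184,26 +184,7 @@`), the new PROXY.md link is an absolute URL to `blob/master` on GitHub, so a reader of a tagged release, a fork or an offline checkout is sent to whatever `master` holds at that moment instead of the examples that match their copy. A relative link, `[PROXY.md](PROXY.md)`, keeps the README and the examples in step. If the absolute form is deliberate, for instance for a renderer that does not resolve relative links, give that reason in the commit message.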
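
Review bot: The `BUILD.md` link change in the second README.md hunk (`@@ -380,7 +361,7 @@`) is unrelated to the subject "Include more proxy examples" and is not mentioned in the commit message. Split it into its own commit, or add a line to the message explaining why the relative link was replaced with an absolute one.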