Bitwarden

Hello guys, so I have a problem. I am reworking my Linode setup so that I can have my Nextcloud data stored on my hardware instead of on my Linode. Even though I have full control of the server, it is still someone else’s hardware and I have no real way to tell if there isn’t a backdoor or something. Well anyway, I’d also like to set up Bitwarden. Ideally I’d put Bitwarden on the same machine as my Nextcloud server. However, this is proving more and more difficult. I am very new to docker, and lack much of the knowledge necessary to set up a [relatively] simple installation even on my Linode. I say that this is relatively simple only because my needs mean that I cannot accept Bitwarden’s defaults. I have an Nginx server running on the host Linux machine. This means that it is already bound to ports 443 and 80. I know that Docker supports binding the ports inside the container to a completely different port on the host. But the only way I know how to do this is through the docker run -p 8080:80 command for example. Yet Bitwarden doesn’t use this to be set up. So how can I fix these ports’ problems? Another problem I have is with SSL. I think I have thought up a solution while typing this draft actually. I do not want to use any of Bitwarden’s default SSL support options, since I already have a (better) system implemented. This means that I should be able to configure Nginx on the host to the SSL certs’ paths when I proxy it back to the docker container. The problem is that I don’t know if I need to do anything else within Bitwarden’s docker container. Before I was trying to figure out how to show the Bitwarden container the paths to the certs on the host machine, but the other solution is actually doable.

2 Likes

I think the simplest solution would be to leave the docker container as default and use a reverse proxy to distribute the traffic based on fqdn (instead of having unique ports for each service). This would also allow you to configure whatever certificate you want on the proxy without messing with the bitwarden container.

I am confused. The docker container is on the same machine as my Nginx webserver… Bitwarden, by default, is set to bind to ports 80 and 443, but Nginx on the host machine is already bound to those ports.

Bitwarden could open ports only on 127.0.0.1, then the proxy would be able to bind on the public address and use something like example.com/bitwarden to proxy through to your Bitwarden container.

Docker containers usually have their own ip address behind an internal NAT layer. A reverse proxy can distribute incoming traffic on a single port to different destinations based on the fqdn. HAproxy can do this as well as nginx I believe.

1 Like

I am going to use https://bitwarden.linuxdragon.dev because the root domain has a different purpose btw. Will what you said still work?

Yes.

That is what @oO.o is suggesting.

Basically in nginx, you have one server block that listens for nextcloud.linuxdragon.dev (or whatever) and one block that listens for bitwarden.linuxdragon.dev, determined by the server_name in the server block. They both can listen on port 443; it’s just that nginx selects which block handles the traffic by the domain name it came in on.

Okay, I get how to configure Nginx to be a reverse proxy. The problem is that Bitwarden wants to bind to port 443, but that one is being used by the Nginx server on the host machine. Even when I set the value in config.yml to port 8080 and 8443, for example, Bitwarden errors out saying that it could not bind to port 443.

ERROR: for bitwarden-nginx Cannot start service nginx: driver failed programming external connectivity on endpoint bitwarden-nginx (aa3abf1a6b360320c72819fb858ff29d6a6341992ef09ac5aff4b8df40730ec2): Error starting userland proxy: listen tcp 0.0.0.0:443: bind: address already in use

ERROR: for nginx Cannot start service nginx: driver failed programming external connectivity on endpoint bitwarden-nginx (aa3abf1a6b360320c72819fb858ff29d6a6341992ef09ac5aff4b8df40730ec2): Error starting userland proxy: listen tcp 0.0.0.0:443: bind: address already in use
ERROR: Encountered errors while bringing up the project.

The Bitwarden server is in docker right?

If so, let it listen inside the container to port 80, but then map the external side to 8080 or whatever (it’s arbitrary as long as it does not interfere with anything else you want to run on the host). Like -p 8080:80.

Then in nginx, do the reverse proxy to 127.0.0.1:8080 like:
proxy_pass http://127.0.0.1:8080/;

1 Like

Yeah, but how do I use the -p flag since Bitwarden uses its own ./bitwarden.sh start script? I can use the config.yml I believe. This is a docker-compose file, right? Well, I do not know how to do that without using the docker run command…

I’m looking at their docs…

Seems like you edit bwdata/config.yml, then run bitwarden.sh rebuild

That will change the ports in the docker compose file.

Yeah, I have tried that, but it doesn’t seem to work.

What are the http_port and https_port settings in ./bwdata/config.yml and what are the ports settings for the nginx container (should be next to the bottom) in ./bwdata/docker/docker-compose.yml?

In ./bwdata/docker/docker-compose.yml:

    image: bitwarden/nginx:1.38.4
    container_name: bitwarden-nginx
    restart: always
    depends_on:
      - web
      - admin
      - api
      - identity
    ports:
      - '80:8080'
      - '443:8443'

And in ./bwdata/config.yml:

# Full URL for accessing the installation from a browser. (Required)
url: http://bitwarden.linuxdragon.dev
# 
# Auto-generate the `./docker/docker-compose.yml` config file.
# WARNING: Disabling generated config files can break future updates. You will be
# responsible for maintaining this config file.
# Template: https://github.com/bitwarden/server/blob/master/util/Setup/Templates/DockerCompose.hbs
generate_compose_config: true
# 
# Auto-generate the `./nginx/default.conf` file.
# WARNING: Disabling generated config files can break future updates. You will be
# responsible for maintaining this config file.
# Template: https://github.com/bitwarden/server/blob/master/util/Setup/Templates/NginxConfig.hbs
generate_nginx_config: true
# 
# Docker compose file port mapping for HTTP. Leave empty to remove the port mapping.
# Learn more: https://docs.docker.com/compose/compose-file/#ports
http_port: 80
# 
# Docker compose file port mapping for HTTPS. Leave empty to remove the port mapping.
# Learn more: https://docs.docker.com/compose/compose-file/#ports
https_port: 443
# 

You need to edit the http_port and https_port settings in config.yml:

http_port: 8080
https_port: 8081

then run bitwarden.sh rebuild

Oh… that’s got to be what I did wrong. Thanks so much. I feel stupid now.

Sorry, but new issue. When I run nginx -t it says:

nginx: [emerg] "proxy_pass" directive is not allowed here in /etc/nginx/nginx.conf.d/93-bitwarden.linuxdragon.dev.conf:10
nginx: configuration file /etc/nginx/nginx.conf test failed

And here is the offending nginx config:

redacted

Okay, I put the proxy_pass directive in a location / block, but now I get a new error that doesn’t make sense whatsoever. It is saying that a } is unexpected, but my syntax seems correct.

#HTTPS Port 443 Configuration
server {
	listen	443		ssl http2;
	listen [::]:443		ssl http2;
	server_name		bitwarden.linuxdragon.dev;

	location / { 
		proxy_pass	127.0.0.1:8443 
	}

	# SSL Configuration
	add_header Strict-Transport-Security	"max-age=15768000; includeSubDomains; preload;" always;


    ssl_certificate /etc/letsencrypt/live/linuxdragon.dev/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/linuxdragon.dev/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}



#HTTP Port 80 Configuration

server {
    if ($host = linuxdragon.dev) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	server_name		linuxdragon.dev www.linuxdragon.dev;
    listen 80;
    return 404; # managed by Certbot


}
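As an added example (not the poster's config and not Bitwarden's own generated config), here is what the host-side vhost described earlier in the thread looks like once it actually passes nginx -t: one server block per hostname selected by server_name, TLS terminated on the host with the existing Certbot certificate, and the whole site proxied to the Bitwarden container over plain HTTP. It assumes ./bwdata/config.yml was set to http_port: 8080 and ./bitwarden.sh rebuild was run, so the bitwarden-nginx container answers on the host at 127.0.0.1:8080; the hostnames and certificate paths are the ones from the thread. The two defects in the posted config are a missing http:// scheme on proxy_pass and a missing semicolon after it, which is what nginx reports as an unexpected }.

```nginx
# Added example, not the thread's config. Assumes config.yml has http_port: 8080
# and ./bitwarden.sh rebuild has been run, so the Bitwarden container's nginx is
# reachable from the host at 127.0.0.1:8080 over plain HTTP. TLS is terminated
# here on the host with the existing Certbot certificate.

# The Bitwarden notifications hub uses a WebSocket; map the client's Upgrade
# header to the Connection header sent upstream. 'map' must live in the http
# context, which is where per-site files under /etc/nginx/*.conf.d/ are included.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# HTTPS vhost for Bitwarden; nginx picks this block by server_name, so it can
# share port 443 with the Nextcloud block that lives in its own file.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name bitwarden.linuxdragon.dev;

    # Assumes this certificate covers bitwarden.linuxdragon.dev (SAN or wildcard);
    # a cert issued only for linuxdragon.dev will fail validation in the browser.
    ssl_certificate     /etc/letsencrypt/live/linuxdragon.dev/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/linuxdragon.dev/privkey.pem;   # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf;                         # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;                           # managed by Certbot

    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;

    # Vault attachments can be large; assumed limit, raise or lower as needed.
    client_max_body_size 500m;

    location / {
        # Scheme is required, and every directive ends with a semicolon.
        proxy_pass http://127.0.0.1:8080;

        proxy_http_version 1.1;
        # Standard forwarding headers so the container sees the real client
        # address and the scheme the client actually used.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket pass-through for /notifications/hub
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
    }
}

# Plain-HTTP vhost for the same hostname: only redirect to HTTPS, never serve.
server {
    listen 80;
    listen [::]:80;
    server_name bitwarden.linuxdragon.dev;
    return 301 https://$host$request_uri;
}
```

Drop this in as the 93-bitwarden.linuxdragon.dev.conf file from the thread, run nginx -t, then reload nginx. Two things worth checking alongside it. First, since clients now reach the vault over HTTPS, the url: line in ./bwdata/config.yml should be https://bitwarden.linuxdragon.dev rather than http://, because that value is what Bitwarden uses for the links it generates. Second, the generated docker-compose.yml shown earlier publishes the container port on all host interfaces ('80:8080' style, so '8080:8080' after the change), which means the plain-HTTP port 8080 is reachable from outside without going through this proxy or its TLS; whether a host firewall actually blocks that depends on how Docker manages its own iptables chains, so verify with a connection attempt from another host rather than assuming. Proxying to the 8443 side instead would require proxy_pass https:// plus trusting the container's own certificate, which gains nothing once TLS is already terminated on the host.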