diff --git a/PROXY.md b/PROXY.md new file mode 100644 index 00000000..f8facb80 --- /dev/null +++ b/PROXY.md 
@@ -0,0 +1,80 @@ +# Proxy examples + +In this document, `` refers to the IP or domain where bitwarden_rs is accessible from. If both the proxy and bitwarden_rs are running in the same system, simply use `localhost`. +The ports proxied by default are `80` for the web server and `3012` for the WebSocket server. The proxies are configured to listen in port `443` with HTTPS enabled, which is recommended. + +When using a proxy, it's preferrable to configure HTTPS at the proxy level and not at the application level, this way the WebSockets connection is also secured. + +## Caddy + +```nginx +localhost:443 { + # The negotiation endpoint is also proxied to Rocket + proxy /notifications/hub/negotiate :80 { + transparent + } + + # Notifications redirected to the websockets server + proxy /notifications/hub :3012 { + websocket + } + + # Proxy the Root directory to Rocket + proxy / :80 { + transparent + } + + tls ${SSLCERTIFICATE} ${SSLKEY} +} +``` + +## Nginx (by shauder) +```nginx +server { + include conf.d/ssl/ssl.conf; + + listen 443 ssl http2; + server_name vault.*; + + location /notifications/hub/negotiate { + include conf.d/proxy-confs/proxy.conf; + proxy_pass http://:80; + } + + location / { + include conf.d/proxy-confs/proxy.conf; + proxy_pass http://:80; + } + + location /notifications/hub { + proxy_pass http://:3012/api/websocket; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } +} +``` + +## Apache (by fbartels) +```apache + + SSLEngine on + ServerName bitwarden.$hostname.$domainname + + SSLCertificateFile ${SSLCERTIFICATE} + SSLCertificateKeyFile ${SSLKEY} + SSLCACertificateFile ${SSLCA} + ${SSLCHAIN} + + ErrorLog \${APACHE_LOG_DIR}/bitwarden-error.log + CustomLog \${APACHE_LOG_DIR}/bitwarden-access.log combined + + RewriteEngine On + RewriteCond %{HTTP:Upgrade} =websocket [NC] + RewriteRule /(.*) ws://:3012/$1 [P,L] + + ProxyPass / http://:80/ + + ProxyPreserveHost On + ProxyRequests Off + +``` \ No newline at end of file 
diff --git a/README.md b/README.md index 3edb7ec7..858f0f66 100644 --- a/README.md +++ b/README.md @@ -184,26 +184,7 @@ To enable WebSockets notifications, an external reverse proxy is necessary, and - Route everything else, including `/notifications/hub/negotiate`, to the standard Rocket server, by default at port `80`. - If using Docker, you may need to map both ports with the `-p` flag -An example configuration is included next for a [Caddy](https://caddyserver.com/) proxy server, and assumes the proxy is running in the same computer as `bitwarden_rs`: - -```r -localhost:2015 { - # The negotiation endpoint is also proxied to Rocket - proxy /notifications/hub/negotiate 0.0.0.0:80 { - transparent - } - - # Notifications redirected to the websockets server - proxy /notifications/hub 0.0.0.0:3012 { - websocket - } - - # Proxy the Root directory to Rocket - proxy / 0.0.0.0:80 { - transparent - } -} -``` +Example configurations are included in the [PROXY.md](https://github.com/dani-garcia/bitwarden_rs/blob/master/PROXY.md) file. Note: The reason for this workaround is the lack of support for WebSockets from Rocket (though [it's a planned feature](https://github.com/SergioBenitez/Rocket/issues/90)), which forces us to launch a secondary server on a separate port. @@ -380,7 +361,7 @@ docker build -t bitwarden_rs . ## Building binary -For building binary outside the Docker environment and running it locally without docker, please see [build instructions](BUILD.md). +For building binary outside the Docker environment and running it locally without docker, please see [build instructions](https://github.com/dani-garcia/bitwarden_rs/blob/master/BUILD.md). ## Available packages
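Review bot: In the nginx example added in PROXY.md, the `location /notifications/hub` block sets the `Upgrade` and `Connection` headers but never sets `proxy_http_version 1.1;`; nginx talks HTTP/1.0 to upstreams by default and the WebSocket upgrade handshake requires HTTP/1.1, so the notifications socket will not come up with this block as written. Add `proxy_http_version 1.1;` beside the two `proxy_set_header` lines. Other points in the same file: the host placeholder in the intro sentence ("`` refers to the IP or domain") and in every `proxy`, `proxy_pass`, `RewriteRule` and `ProxyPass` target renders as an empty string, so a reader cannot tell what to substitute; use a visible token such as `<SERVER>` throughout. The three examples disagree on the upstream path for the hub (Caddy and Apache forward `/notifications/hub` unchanged to port 3012, nginx rewrites it to `/api/websocket`); confirm which path the WebSocket server expects and align them. The nginx example depends on `conf.d/ssl/ssl.conf` and `conf.d/proxy-confs/proxy.conf`, which are not shown, so it cannot be reproduced from the document alone; either inline the relevant directives or say what those includes must contain. In the Apache example `\${APACHE_LOG_DIR}` carries a stray backslash that Apache will read literally (nothing needs escaping inside a code fence), the bare `${SSLCHAIN}` line stands in for a whole directive rather than a value and should be called out as such, and the modules the `[P]` rewrite to `ws://` relies on (`mod_rewrite`, `mod_proxy`, `mod_proxy_http`, `mod_proxy_wstunnel`, `mod_ssl`) should be listed. The Caddy block is fenced as `nginx` although it is a Caddyfile. Typo: "preferrable" should be "preferable", and "it's preferrable ... this way the WebSockets connection" is a comma splice.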
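Review bot: In the first README.md hunk, the replacement line links to the absolute `https://github.com/dani-garcia/bitwarden_rs/blob/master/PROXY.md` rather than a relative `PROXY.md`; an absolute master URL goes stale for readers on a tag, fork or vendored copy, while a relative link resolves to the revision they are actually reading. If the absolute form is deliberate, for instance so the README renders with working links outside GitHub, say so in the commit message. The removed inline Caddy example also carried the note that it assumed the proxy ran on the same machine as `bitwarden_rs`; the surrounding bullets still talk about mapping ports with `-p` under Docker, so one clause saying that PROXY.md covers both the same-host and separate-host cases would keep that context intact.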
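Review bot: In the second README.md hunk (Building binary), the previously relative `BUILD.md` link is replaced by the absolute master URL; the same concern applies as for PROXY.md (stale on tags and forks), and if the change is intentional it is worth one line of justification in the commit message so nobody reverts it. Style: the sentence reads better as "For building the binary outside the Docker environment and running it locally without Docker", with "Docker" capitalised consistently.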