
docker-compose: bitwarden/nginx running behind other reverse proxy should bind to localhost #325

Closed
Kriechi opened this issue Jul 14, 2018 · 7 comments

@Kriechi

Kriechi commented Jul 14, 2018

Currently the docker-compose port binding with a custom port looks like:

     ports:
       - '1234:8080'

This binds to a public port accessible from anywhere. Since I'm running this behind a reverse proxy, as configured during the setup, I did not expect this, as it circumvents my firewall rules!

I changed my docker-compose.yml to bind the port to localhost instead:

     ports:
       - '127.0.0.1:1234:8080'

Am I unaware of a deeper concept here, or should this be fixed in the setup scripts?

@xiaoveiti

xiaoveiti commented Jul 16, 2018

Oops, didn't read your post, opened an issue like this a few minutes ago. Had the same problem, thanks for the solutions. But now I have the same question - haha

#326

@fabwu

fabwu commented Aug 17, 2018

I think we can change this line in the setup script to fix this issue.

@Kriechi When we just bind the port to localhost we might run into trouble if someone runs his instance on a custom port without a reverse proxy, or is there no such use case?

@xiaoveiti

Thanks for the reply! Of course I cannot answer this question, but I guess nobody will just run a single bitwarden on a machine, ...at least not without a reverse proxy.

@Kriechi
Author

Kriechi commented Aug 17, 2018

@fabwu yes, I guess this looks like the right place to fix it.
I'm aware that things get complex pretty fast when dealing with reverse proxies etc.
If anyone knows a different way to fix it, I'm happy to give it a try.

@seffyroff

seffyroff commented Aug 17, 2018

I deploy with no port bindings, and my reverse proxy communicates with the BW nginx container via an overlay network, so everything is contained and controlled properly. (I use Traefik for RP, and Docker Swarm for orchestration).

@fabwu

fabwu commented Aug 19, 2018

There are so many different setups that it's impossible to make everybody happy. It's just that I don't like the way the port binding is handled by default.

I'll provide a PR with the fix and for other setups one can override docker-compose.yml.

@kspearrin
Member

310e6bc will add the ability to specify whatever port binding you want within the new ./bwdata/config.yml file.

It will be available in the next version.

Example:

    #
    # Full URL for accessing the installation from a browser. (Required)
    url: https://bitwarden.company.com
    #
    # Auto-generate the `./docker/docker-compose.yml` config file.
    # WARNING: Disabling generated config files can break future updates. You will be responsible
    # for maintaining this config file.
    generate_compose_config: true
    #
    # Auto-generate the `./nginx/default.conf` file.
    # WARNING: Disabling generated config files can break future updates. You will be responsible
    # for maintaining this config file.
    generate_nginx_config: true
    #
    # Compose file port mapping for HTTP.
    http_port: 127.0.0.1:1234
    #
    # Compose file port mapping for HTTPS.
    https_port: 127.0.0.1:1235
    #
    # Set up the Nginx config file for SSL.
    ssl: false
    #
    # Installation uses a managed Let's Encrypt certificate.
    ssl_managed_lets_encrypt: false
    #
    # The actual certificate. (Required if using SSL without managed Let's Encrypt)
    # Note: The `./ssl` directory is mapped to `/etc/ssl` within the container.
    ssl_certificate_path: /etc/ssl/localhost/certificate.crt
    #
    # The certificate's private key. (Required if using SSL without managed Let's Encrypt)
    # Note: The `./ssl` directory is mapped to `/etc/ssl` within the container.
    ssl_key_path: /etc/ssl/localhost/private.key
    #
    # If the certificate is trusted by a CA, you should provide the CA's certificate.
    # Note: The `./ssl` directory is mapped to `/etc/ssl` within the container.
    ssl_ca_path: /etc/ssl/localhost/ca.crt
    #
    # Diffie Hellman ephemeral parameters
    # Learn more: https://security.stackexchange.com/q/94390/79072
    # Note: The `./ssl` directory is mapped to `/etc/ssl` within the container.
    ssl_diffie_hellman_path:
    #
    # Communicate with the Bitwarden push relay service (push.bitwarden.com) for mobile app live sync.
    push_notifications: true
    #
    # Use a docker volume instead of a host-mapped volume for the persisted database.
    # WARNING: Changing this value will cause you to lose access to the existing persisted database.
    database_docker_volume: false
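The point raised in the opening post (a `'1234:8080'` mapping listens on every host interface and bypasses host firewall rules meant for the reverse proxy) and the `http_port`/`https_port` settings in the config.yml above can both be checked mechanically. The following is an added example written for this thread; it is not code from the issue or from the Bitwarden project. It parses the compose short port syntax `[host_ip:]host_port:container_port[/proto]`, flags any entry whose host side is not pinned to an address, and applies the same check to the config keys on the assumption (not confirmed by the thread) that the setup script substitutes a value such as `127.0.0.1:1234` into the compose file as `<value>:8080`. The compose and config samples inside the block are constructed for the demonstration.

```python
"""Audit docker-compose 'ports:' entries and config.yml port settings for
bindings that listen on every host interface instead of loopback only.

Added example, not Bitwarden's own code. Assumes the compose short syntax
"[host_ip:]host_port:container_port[/proto]" and that a config.yml value like
"127.0.0.1:1234" is expanded to "<value>:8080" in the generated compose file
(assumption about the setup script, not taken from the thread)."""
import re
from typing import List, NamedTuple, Optional

WILDCARD = {"0.0.0.0", "::"}          # explicit "all interfaces" addresses


class PortBinding(NamedTuple):
    host_ip: Optional[str]            # None: compose defaults to all interfaces
    host_port: str                    # "" when Docker picks an ephemeral port
    container_port: str
    source: str                       # 'ports' list entry or the config key name

    @property
    def is_public(self) -> bool:
        """True when the host side listens on every interface."""
        return self.host_ip is None or self.host_ip in WILDCARD

    def localhost_form(self) -> str:
        """The same mapping rewritten to bind the IPv4 loopback address only."""
        return f"127.0.0.1:{self.host_port}:{self.container_port}"


def parse_compose_port(mapping: str, source: str = "ports") -> PortBinding:
    """Parse one compose short-syntax port entry (quotes and /tcp|/udp tolerated)."""
    m = mapping.strip().strip("'\"").rsplit("/", 1)[0]
    if m.startswith("["):             # bracketed IPv6 host address, e.g. [::1]:1234:8080
        ip, _, rest = m[1:].partition("]:")
        parts = [ip] + rest.split(":")
    else:
        parts = m.split(":")
    if len(parts) == 1:               # container port only: ephemeral host port, all interfaces
        return PortBinding(None, "", parts[0], source)
    if len(parts) == 2:               # host_port:container_port, no address: all interfaces
        return PortBinding(None, parts[0], parts[1], source)
    if len(parts) == 3:
        return PortBinding(parts[0], parts[1], parts[2], source)
    raise ValueError(f"unrecognised port mapping: {mapping!r}")


def audit_compose(text: str) -> List[PortBinding]:
    """Return every 'ports:' entry in compose text that binds all interfaces."""
    findings, in_ports = [], False
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s == "ports:":
            in_ports = True
            continue
        if in_ports:
            item = re.match(r"-\s*(.+)$", s)
            if item:
                binding = parse_compose_port(item.group(1))
                if binding.is_public:
                    findings.append(binding)
                continue
            in_ports = False          # any non-list line closes the ports block
    return findings


def audit_config(text: str) -> List[PortBinding]:
    """Check http_port / https_port in config.yml text (assumed to expand to '<value>:8080')."""
    findings = []
    for key in ("http_port", "https_port"):
        hit = re.search(rf"^{key}:\s*(\S+)\s*$", text, re.M)
        if hit:
            binding = parse_compose_port(f"{hit.group(1)}:8080", source=key)
            if binding.is_public:
                findings.append(binding)
    return findings


# Constructed samples: the mapping from the opening post, and the fixed form.
COMPOSE_BEFORE = """\
services:
  nginx:
    image: bitwarden/nginx
    ports:
      - '1234:8080'
      - '1235:8443'
    volumes:
      - ../nginx:/etc/bitwarden/nginx
"""
COMPOSE_AFTER = (COMPOSE_BEFORE
                 .replace("'1234:8080'", "'127.0.0.1:1234:8080'")
                 .replace("'1235:8443'", "'[::1]:1235:8443'"))
CONFIG_SAMPLE = "url: https://bitwarden.example.test\nhttp_port: 0.0.0.0:1234\nhttps_port: 127.0.0.1:1235\n"

if __name__ == "__main__":
    for b in audit_compose(COMPOSE_BEFORE) + audit_config(CONFIG_SAMPLE):
        print(f"{b.source}: host port {b.host_port!r} listens on all interfaces; "
              f"bind it as '{b.localhost_form()}'")
    print("fixed compose findings:", audit_compose(COMPOSE_AFTER))
```

Running the block prints one finding per exposed entry in the constructed "before" compose file and in the config sample, each with the loopback-bound replacement, and an empty list for the fixed file. Binding to loopback only covers the case where the reverse proxy runs on the same host; a proxy on another host or in a Docker overlay network, as described later in the thread, needs either a specific interface address or no host port binding at all.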
