A docker-compose ready package to run Vaultwarden proxied by a Caddy server. This setup provides a Vaultwarden server with support for websocket notifications.
The goal is to keep the Synology NAS system untouched so that it stays upgrade-proof. This is the reason why a Caddy server is used to enable the websocket notifications: Synology does not allow advanced settings on its Nginx reverse proxy, and ports 80/443 are not free. We will use the embedded reverse proxy and forward the requests to some other ports. This is also the reason why the Vaultwarden server is not set to use SSL: it sits behind two proxies.
Although this has been made to run on a Synology NAS, it should run on other systems with or without minor adaptations.
- Documentation
- Pre-requisite
- Installation
- Setup
- Startup and Maintenance
- Hardening
- To do
- Collaboration
## Pre-requisite
- A Docker compatible Synology NAS
- An up and running Docker package
- An SSH client
- A domain name with Let's Encrypt certs enabled. This part is off-topic here.
As a convention, the following values are used as examples:
- The domain: `bw.yourdomain.com`
- Folder used: `/volumeX/docker/` (to be personalized to your DSM setup)
## Installation
- Download this repo
- Unzip and review the `docker-compose_bitwarden-caddy.yml` settings
- Copy this repo content to `/volumeX/docker/`
## Setup
You will first need to access the admin page to fine-tune the Vaultwarden server. Beware: once it has been accessed, it is enabled in `/data/config.json` regardless of the environment variables. You will need to disable the admin panel from within the panel itself.
- On Synology's DSM GUI
  - Go to Settings > Application Portal > Reverse proxy
  - Add a new entry for HTTPS
    - Name: Bitwarden entry point
    - Source protocol: HTTPS
    - Source domain: `bw.yourdomain.com`
    - Port: 443
    - Check HSTS and HTTP/2
    - Destination protocol: HTTP
    - Destination host: localhost
    - Port: 8080
    - In the Custom Headers tab, click the drop-down list next to the Add button and choose websockets
  - Add a new entry for HTTP
    - Make sure Web Station is running with a dummy page to be served. This is only a fallback.
    - Name: Bitwarden entry point HTTP
    - Source protocol: HTTP
    - Source domain: `bw.yourdomain.com`
    - Port: 80
    - Destination protocol: HTTP
    - Destination host: localhost
    - Port: 80
- Go to
## Startup and Maintenance
- Using a terminal, connect through SSH
- Log in with your admin account and password
- Gain root using `sudo -i` with your admin password, then `cd /volumeX/docker/`
- Pull the needed images: `docker-compose -f docker-compose_bitwarden-caddy.yml pull`
- Ready for a first run: `docker-compose -f docker-compose_bitwarden-caddy.yml up`
If everything goes well, the prompt will let you know the containers are started and will wait until Ctrl + C is pressed to stop them. Test the accesses and start the Bitwarden_RS fine-tuning at https://bw.yourdomain.com/admin. Once finished, disable access to the admin panel from within the panel itself.
Do not forget to install the clients for desktops, browsers and mobiles. Test their connection.
Shut down the servers by pressing Ctrl + C in the terminal.
Once setup is finished, you're ready to launch your "production" server. Review all the settings and environment variables in the `.yml` file. Test it using the same `docker-compose -f docker-compose_bitwarden-caddy.yml up` as previously. If everything goes well, stop the containers and run them detached with the following command:
```sh
docker-compose -f docker-compose_bitwarden-caddy.yml up -d
```
Upgrade the servers on a regular basis, as the packages keep evolving on a daily/weekly basis. From time to time, run the following commands as root from a terminal:
```sh
cd /volumeX/docker/
docker-compose -f docker-compose_bitwarden-caddy.yml down
docker-compose -f docker-compose_bitwarden-caddy.yml pull
docker-compose -f docker-compose_bitwarden-caddy.yml up -d
```
To keep a clean system, use this tutorial from time to time.
## Hardening
Your Vaultwarden instance is now up and running. It is not yet hardened against brute-force attacks. Please install Fail2ban to avoid losing control of your account. Here is a way to run Fail2Ban in Docker on a Synology NAS.
## To do
Modify the `Caddyfile` to filter the IP addresses allowed to access `/admin`. This does not work yet on Caddy v2.0 beta20: the `ipfilter` directive is not supported.
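An added example Caddyfile, not the repository's own file, covering the two Caddy duties this page describes: routing the websocket notification endpoints mentioned in the introduction, and the `/admin` IP filtering listed above, written with the request matchers of a released Caddy v2 (the v1 `ipfilter` plugin has no v2 equivalent). Assumptions: Caddy listens on 8080 as the target of the DSM reverse proxy, the Vaultwarden container is named `vaultwarden` on the compose network and runs a version where `WEBSOCKET_ENABLED=true` opens a separate websocket port 3012, the LAN is `192.168.1.0/24` (placeholder), and DSM's Nginx overwrites `X-Real-IP` with the address of the connecting client.

```caddyfile
# Added example, not the repository's Caddyfile. Assumed names: Vaultwarden
# container "vaultwarden" (HTTP on 80, websockets on 3012), Caddy on 8080
# behind the DSM reverse proxy, LAN 192.168.1.0/24 (placeholder).
# No hostname in the site address, so Caddy does no automatic HTTPS here:
# TLS is terminated by DSM, as described in the introduction.
:8080 {
    encode gzip

    # Websocket notifications. The negotiate call is a normal HTTP request
    # served on the main port; the hub itself is upgraded to a websocket,
    # which reverse_proxy handles without any extra settings.
    reverse_proxy /notifications/hub/negotiate vaultwarden:80
    reverse_proxy /notifications/hub vaultwarden:3012

    # /admin only from the LAN. DSM's Nginx sets X-Real-IP from the TCP peer
    # address, so a remote client cannot forge it, provided nothing reaches
    # Caddy except through DSM: publish the port as "127.0.0.1:8080:8080"
    # in the compose file, matching the "localhost" destination set in DSM.
    @admin_from_outside {
        path /admin*
        not header_regexp X-Real-IP ^192\.168\.1\.
    }
    respond @admin_from_outside 403

    # Everything else goes to the Vaultwarden web server. X-Real-IP is
    # passed through unchanged, so Vaultwarden logs the real client address,
    # which is what the Fail2ban setup in Hardening needs to ban on.
    reverse_proxy vaultwarden:80
}
```

On Vaultwarden versions that serve websockets on the main port, the 3012 route can be dropped and the remaining `reverse_proxy vaultwarden:80` handles the hub as well.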
## Collaboration
Feel free to propose any optimization through pull requests.