Docker-compose with nginx for raspberry pi #1792

Closed
opened 2025-10-09 17:30:18 +03:00 by OVERLORD · 4 comments

Originally created by @MeiRos on GitHub.

I'm still studying Docker, and if there are pros who have some spare time, it would be nice if you could read through my setup and say something about it. Thank you! :)

docker-compose.yml

```yaml
#docker-compose.yml
version: '3'
services:
  bitwarden:
    image: bitwardenrs/server:raspberry
    restart: always
    volumes:
      - ./bw-data/:/data/
    environment:
      WEBSOCKET_ENABLED: 'true' # Required to use websockets
      SIGNUPS_ALLOWED: 'true'
      DOMAIN: 'https://home.domain'
      SMTP_HOST: "smtp.net"
      SMTP_FROM: "no-reply@home.domain"
      SMTP_PORT: "587"
      SMTP_SSL: "true"
      SMTP_USERNAME: "apikey"
      SMTP_PASSWORD: "xxyyyzzbbccdd"
      LOG_FILE: "/data/bitwarden.log"
      LOG_LEVEL: "warn"
      TZ: "Europe/xxx"
  nginx-proxy:
    container_name: nginx-proxy
    image: nginx:mainline-alpine
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /home/pi/nginx/:/etc/nginx/conf.d # Site.conf goes here
      - /home/pi/ssl/:/etc/ssl/private/ # Certificate goes here
```

mysite.conf (edited this file)

```nginx
server {
  listen 443 ssl http2;
  server_name home.domain;
  server_tokens off;

  # Specify SSL config if using a shared one.
  #include conf.d/ssl/ssl.conf;
  ssl_certificate     /etc/ssl/private/fullchain.pem;
  ssl_certificate_key /etc/ssl/private/key.pem;
  ssl_protocols       TLSv1.3 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!$

  proxy_buffers 16 16k;
  proxy_buffer_size 16k;
  proxy_max_temp_file_size 0;

  # Allow large attachments
  client_max_body_size 128M;

  location / {
    proxy_pass http://bitwarden:80;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  location /notifications/hub {
    proxy_pass http://bitwarden:3012;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  location /notifications/hub/negotiate {
    proxy_pass http://bitwarden:80;
  }

  # Optionally add extra authentication besides the AUTH_TOKEN
  # If you don't want this, leave this part out
  location /admin {
    # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
  #  auth_basic "Private";
  #  auth_basic_user_file /path/to/htpasswd_file;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_pass http://bitwarden:80;
    # Network address written canonically; nginx accepts 192.168.1.1/16 but
    # warns that the low address bits are meaningless and masks them anyway.
    allow 192.168.0.0/16;
    deny all;
  }

}
```

Mysite.conf is mostly taken from the Wiki. It's Shauder's proxy example. I did some modifications.

I had warnings in the log:

```
2020/02/26 17:22:32 [warn] 7#7: *33 an upstream response is buffered to a temporary file /var/cache/nginx/proxy_temp/1/01/0000000011 while reading upstream, client: 192.168.1.25, server: home.domain, request: "GET /fonts/Open_Sans-normal-400.woff HTTP/2.0", upstream: "http://192.168.144.20:80/fonts/Open_Sans-normal-400.woff", host: "home.domain", referrer: "https://home.domain/app/main.bedb15f54ccaf67e0102.css"
```

I first tried setting the buffer sizes to 16k, but it didn't help. Then I set the temp file size to 0. No more warnings.

If this looks good to everybody, I'd like to add this to the Wiki. With this guide you can install Bitwarden_rs and the nginx proxy very easily on a Raspberry Pi.

I use acme.sh to get certificates.
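The `/admin` block above relies on nginx's `allow`/`deny` list, which is evaluated in order with the first matching rule winning, and in which a CIDR with host bits set (`192.168.1.1/16`) is accepted with only a warning. The following is an added stand-alone check of that logic, not code from the issue or from vaultwarden; the rules it parses are the two lines from the `/admin` location, copied here as constructed sample input.

```python
"""Lint and evaluate an nginx allow/deny list like the /admin block above.

Added example (not part of the issue). It mirrors nginx's access module:
rules apply in order, first match decides, and a request matching no rule
is allowed. It also flags CIDRs whose host bits are set, which nginx only
warns about ("low address bits ... are meaningless") while masking them.
"""
import ipaddress

# Constructed sample: the access rules from the /admin location in the issue.
ADMIN_RULES = """
    allow 192.168.1.1/16;
    deny all;
"""


def _directives(text):
    """Yield (action, target) for every allow/deny line, comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line.startswith(("allow ", "deny ")):
            continue
        action, target = line.split(None, 1)
        yield action, target.strip()


def parse_rules(text):
    """Return [(action, network_or_None)] in file order; None means 'all'."""
    rules = []
    for action, target in _directives(text):
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def lint_rules(text):
    """Report CIDRs written with host bits set, the mistake in the /admin block."""
    warnings = []
    for _, target in _directives(text):
        if "/" in target:
            net = ipaddress.ip_network(target, strict=False)
            if str(net) != target:
                warnings.append(f"{target}: host bits set, nginx treats it as {net}")
    return warnings


def is_allowed(text, client_ip):
    """Decide like nginx: first matching rule wins, no match means allowed."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in parse_rules(text):
        if net is None or addr in net:
            return action == "allow"
    return True
```

Note that nginx matches these rules against `$remote_addr`, so the check only protects `/admin` when the proxy sees the real client address rather than that of another hop in front of it.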


@dani-garcia commented on GitHub:

Closed due to inactivity.


@shauder commented on GitHub:

I do not run on a RPi. My entire stack is running on an Intel 4790k with 32 GB of RAM. It is quite a beefy server. It was my old gaming computer before I decided to upgrade.

Domain is actually named as my domain but I changed it. I have several domains and I store the certificate config in them.

```
calvin% cat /data/docker/nginx/conf.d/ssl/domain.conf
ssl_certificate /etc/nginx/conf.d/ssl/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/nginx/conf.d/ssl/live/domain.com/privkey.pem;
```

The OAuth config is for using this: https://github.com/pusher/oauth2_proxy

```
calvin% cat /data/docker/nginx/conf.d/oauth/oauth.conf
  location /oauth2/ {
    proxy_pass       http://oauth2;
    proxy_set_header Host                    $host;
    proxy_set_header X-Real-IP               $remote_addr;
    proxy_set_header X-Scheme                $scheme;
    proxy_set_header X-Auth-Request-Redirect $request_uri;
  }

  location /oauth2/auth {
    proxy_pass       http://oauth2;
    proxy_set_header Host                    $host;
    proxy_set_header X-Real-IP               $remote_addr;
    proxy_set_header X-Scheme                $scheme;
    proxy_set_header X-Auth-Request-Redirect $request_uri;
    proxy_set_header Content-Length          "";
    proxy_pass_request_body                  off;
  }
```

@MeiRos commented on GitHub:

Thanks for sharing, @shauder. Great example for me to study. Can you please share your domain.conf and oauth.conf? 😊

The warning is quite strange indeed. I don't know if it's just because of my Raspi and WiFi. With the help of Google I found that the temp size can be 0. There were thoughts that the client connection is slow and that's why a temp file is written when possible. In my case the temp file is not making my system faster, and it looks like it's working with the 0 setting. So an unnecessary step is disabled.

Btw, are you running Bitwarden_rs also on Raspi?

PS
Sorry, I've been busy. It took a few days before I had time for this.


@shauder commented on GitHub:

I probably need to revisit my own settings, but this is my full config. Not sure why you had to add the temp file size details.

```nginx
server {
  listen 443 ssl http2;
  server_name vault.*;

  include conf.d/ssl/domain.conf;
  include conf.d/oauth/oauth.conf;

  location / {
    include conf.d/proxy-confs/proxy.conf;
    proxy_pass http://bitwardenrs;
  }

  location /admin {
    include conf.d/proxy-confs/proxy.conf;
    include conf.d/oauth/oauth-proxy.conf;
    proxy_pass http://bitwardenrs;
  }

  location /notifications/hub {
    proxy_pass http://bitwardenrs:3012;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  location /notifications/hub/negotiate {
    include conf.d/proxy-confs/proxy.conf;
    proxy_pass http://bitwardenrs;
  }
}
```

The proxy.conf file included has these details in it.

```
calvin% cat /data/docker/nginx/conf.d/proxy-confs/proxy.conf
client_max_body_size 10m;
client_body_buffer_size 128k;

#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;

# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
#proxy_cookie_path / "/; HTTPOnly; Secure"; # enable at your own risk, may break certain apps
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;
```
Reference: starred/vaultwarden#1792