My setup on docker Synology NAS. Is it correct this way? #2321

Closed
opened 2025-10-09 17:58:59 +03:00 by OVERLORD · 21 comments

Originally created by @BobWs on GitHub.

So I have installed this image on docker Synology NAS and I have some questions about the setup.

This is my installation/setup for now:
Folders mapped:
docker/bw-data/ to /data/

Ports mapped:
Local port: 3012 to container port 3012
Local port: 81 to container port 80 (my local 80 port is in use by a webserver so I had to choose an alternative port)

The container is served behind a reverse proxy (to serve SSL connection outside of the LAN with my own domain)

Reverse Proxy setup: (setup through Synology DSM GUI)
Source
Protocol: HTTPS
Hostname: vault.mydomain.com
Port: 443

Destination
Protocol: HTTP
Hostname: localhost
Port: 81

When browsing to https://vault.mydomain.com I see the Bitwarden Web UI and I can login and create credentials etc. (desktop app and mobile apps all work fine)
But when I change the proxy destination port to 3012 I’m getting an error Web-socket page.
Also when browsing my-ip-address:3012 I’m getting the same error. Browsing my-ip-address:80 I see the Web UI.
This setup works fine for me, but I was wondering if this setup that is working for me is the right path or is it just dumb luck and that it isn't necessary to specify port 3012.

Also how do I fix the notification error warning?

error in the log file:
ERROR: '/notifications/hub' should be proxied towards the websocket server, otherwise notifications will not work. Go to the README for more info.

OVERLORD added the question label 2025-10-09 17:58:59 +03:00

@fbartels commented on GitHub:

Hi @BobWs ,

the Nginx configuration ui of Synology is not sophisticated enough to manage the extra path for the websocket connection. But luckily you can also manage vhosts for Nginx manually, for this you only have to place the configuration file into /usr/local/etc/nginx/sites-enabled.

@BobWs commented on GitHub:

Hi @fbartels
Thanks for your help. I've created a proxy file and placed it in /usr/local/etc/nginx/sites-enabled

My file is called "bitwarden_proxy.conf" and looks like this:

```
server {
    include conf.d/ssl/ssl.conf;

    listen 443 ssl http2;
    server_name vault.*;

    location /notifications/hub/negotiate {
        include conf.d/proxy-confs/proxy.conf;
        proxy_pass http://localhost:81;
    }

    location / {
        include conf.d/proxy-confs/proxy.conf;
        proxy_pass http://localhost:81;
    }

    location /notifications/hub {
        proxy_pass http://localhost:3012/api/websocket;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

But I still get the ERROR: '/notifications/hub' should be proxied towards the websocket server, otherwise notifications will not work. Go to the README for more info.

What am I doing wrong?

@mprasil commented on GitHub:

Your setup sounds wrong. You need to proxy just specific path to the `3012` port, the rest should still be routed to `81` in your case. See [documentation](https://github.com/dani-garcia/bitwarden_rs#enabling-websocket-notifications). I'm not sure how/if DSM GUI allows that setup though. Check out [PROXY.md](https://github.com/dani-garcia/bitwarden_rs/blob/master/PROXY.md) for how it is configured in other proxy servers.

Note that the WebSockets configuration is not strictly necessary, it just enables live sync in Vault and browser extensions.
@mprasil commented on GitHub:

From the screenshot of proxy settings it doesn't look like that supports the required per-path setting. You might need to run another container with some other proxy, (say one of the servers we have sample configuration for) and then let synology to proxy that container instead to add HTTPS.

If you want to just use the Synology proxy, then you can't use WebSockets, which honestly isn't really that big deal unless you update your passwords couple times per hour. 😉

@BobWs commented on GitHub:

This is how it looks like on the synology:
[Four screenshots, taken 2018-09-19]

What do I need to change? and where?
Thanks!

@BobWs commented on GitHub:

I copied from this link
https://github.com/dani-garcia/bitwarden_rs/blob/master/PROXY.md

I will give it a try!

@BobWs commented on GitHub:

> I can't say that I know my way around nginx, but `proxy_pass http://localhost:3012/api/websocket;` should probably be just `proxy_pass http://localhost:3012;`, like in all the other proxy examples. I'm not sure where the `/api/websocket` part comes from.

Didn't make any difference. Error still in log.
@dani-garcia commented on GitHub:

I can't say that I know my way around nginx, but `proxy_pass http://localhost:3012/api/websocket;` should probably be just `proxy_pass http://localhost:3012;`, like in all the other proxy examples. I'm not sure where the `/api/websocket` part comes from.
@dani-garcia commented on GitHub:

Is there a chance that it's still using the rule created in the GUI instead of the conf file? Other than that I don't have any idea.

@BobWs commented on GitHub:

So do I have to delete the GUI rule?

@dani-garcia commented on GitHub:

Probably something like this:

```
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name myvault.domain.com;

    ssl_certificate /usr/syno/etc/certificate/ReverseProxy/64b22df2-8ee8-411d-bc6b-d6dd31c4f4fd/fullchain.pem;

    ssl_certificate_key /usr/syno/etc/certificate/ReverseProxy/64b22df2-8ee8-411d-bc6b-d6dd31c4f4fd/privkey.pem;

    allow 192.168.178.0/24;
    allow 142.176.14.58;

    deny all;

    location /notifications/hub/negotiate {
        proxy_pass http://localhost:81;
    }

    location /notifications/hub {
        proxy_pass http://localhost:3012;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location / {
        proxy_set_header        Host                $http_host;
        proxy_set_header        X-Real-IP           $remote_addr;
        proxy_set_header        X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto   $scheme;
        proxy_intercept_errors  on;
        proxy_http_version      1.1;

        proxy_pass http://localhost:81;
    }
}
```
@BobWs commented on GitHub:

okay thanks I will give it a try!

@dani-garcia commented on GitHub:

I'm not sure, but maybe the GUI has precedence over the config file, so it's worth a shot, I think. Maybe reboot after the change just to make sure.

@BobWs commented on GitHub:

So I figure out that I was in the wrong place! /usr/local/etc/nginx/sites-enabled is not where the proxy file is.

This is the folder where I found the proxy file of synology GUI /etc/nginx/app.d

And this is the configuration what is inside the proxy file:

```
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name myvault.domain.com;

    ssl_certificate /usr/syno/etc/certificate/ReverseProxy/64b22df2-8ee8-411d-bc6b-d6dd31c4f4fd/fullchain.pem;

    ssl_certificate_key /usr/syno/etc/certificate/ReverseProxy/64b22df2-8ee8-411d-bc6b-d6dd31c4f4fd/privkey.pem;

    allow 192.168.178.0/24;

    allow 142.176.14.58;

    deny all;

    location / {
        proxy_set_header        Host                $http_host;
        proxy_set_header        X-Real-IP           $remote_addr;
        proxy_set_header        X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto   $scheme;
        proxy_intercept_errors  on;
        proxy_http_version      1.1;

        proxy_pass http://localhost:81;
    }
}
```

So can you please help me how to edit the file with the right configurations?

@fbartels commented on GitHub:

> So I figure out that I was in the wrong place! /usr/local/etc/nginx/sites-enabled is not where the proxy file is.

The one file you found was the file automatically created by the nginx GUI. If you edit this, your changes will likely be overwritten by Synology when you use the nginx GUI to edit another host. While you may use it as a template, the update-safe way would be to move your bitwarden nginx configuration into sites-enabled.
@BobWs commented on GitHub:

So Synology has updated their GUI and there is now a setup preference for Web-socket within the reverse proxy GUI setup. I have again tried to setup notification, but it's still not working. Keep getting the error message ERROR: '/notifications/hub' should be proxied towards the websocket server, otherwise notifications will not work. Go to the README for more info.

What am I missing?

[Four screenshots, taken 2018-10-10]
@mprasil commented on GitHub:

Unless you can configure it to forward this specific path: `/notifications/hub` to the `3012` port and everything else **including** `/notifications/hub/negotiate` to port `80`, it won't work. From the screenshots it doesn't look like the GUI supports that level of configuration.
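
An added example, not code from anyone in this thread or from the project: a small Python check that models how nginx picks among plain prefix locations (longest matching prefix wins, whatever the order in the file), showing why a vhost with only `location /` cannot meet the routing rule above while the hand-written one can. The two sample configs are constructed from the ones posted in this thread with the TLS and header lines trimmed; `parse_locations`, `route` and `audit` are hypothetical helper names.

```python
import re

# Constructed samples modelled on the two vhosts in this thread (TLS/header lines omitted).
GUI_VHOST = """
server {
    location / {
        proxy_pass http://localhost:81;
    }
}
"""

MANUAL_VHOST = """
server {
    location /notifications/hub/negotiate {
        proxy_pass http://localhost:81;
    }
    location /notifications/hub {
        proxy_pass http://localhost:3012;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location / {
        proxy_pass http://localhost:81;
    }
}
"""

LOCATION_RE = re.compile(r"location\s+(/\S*)\s*\{([^{}]*)\}")

def parse_locations(conf):
    """Return {prefix: body} for plain prefix locations (no regex or '=' modifiers)."""
    return {m.group(1): m.group(2) for m in LOCATION_RE.finditer(conf)}

def route(conf, path):
    """Choose the location the way nginx does for prefix locations: longest match wins."""
    locs = parse_locations(conf)
    matches = [p for p in locs if path.startswith(p)]
    if not matches:
        return None, ""
    best = max(matches, key=len)
    upstream = re.search(r"proxy_pass\s+(\S+);", locs[best])
    return (upstream.group(1) if upstream else None), locs[best]

def audit(conf, http="http://localhost:81", ws="http://localhost:3012"):
    """List routing problems for the notification endpoints (ports as used in this thread)."""
    problems = []
    hub, hub_body = route(conf, "/notifications/hub")
    if hub != ws:
        problems.append(f"/notifications/hub goes to {hub}, expected {ws}")
    elif not re.search(r"proxy_set_header\s+Upgrade\s", hub_body):
        problems.append("/notifications/hub lacks the Upgrade header")
    for path in ("/notifications/hub/negotiate", "/"):
        target, _ = route(conf, path)
        if target != http:
            problems.append(f"{path} goes to {target}, expected {http}")
    return problems
```

`audit(GUI_VHOST)` reports the hub path landing on port 81, which is the condition behind the log error quoted in this thread; `audit(MANUAL_VHOST)` returns an empty list.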
@BobWs commented on GitHub:

@fbartels I will give it another try today, changing the proxy file in /etc/nginx/app.d didn’t make any difference.

@dani-garcia commented on GitHub:

This hasn't had activity in some time, so I'm closing it now.
If this is still an issue, please reopen it.

@BobWs commented on GitHub:

Well it isn't working. When I create a proxy file in /usr/local/etc/nginx/sites-enabled and restart nginx my synology goes crazy and I get an error message: "DSM cannot start up normally because it ran into a problem. Please contact the Synology support team for help."

Then I remove the proxy conf file and restart nginx again and my Synology acts normal again. So it isn't working for me.

Guess I will have to stick with the non notification working version.

@Hobbabobba commented on GitHub:

If some users experience problems: remember to change the path to your certs, if you can't use the standard cert.
You will find all the certs of your diskstation in `/usr/syno/etc/certificate/_archive`

Reference: starred/vaultwarden#2321