@eizedev
Last active July 6, 2023 14:59
Vaultwarden (Bitwarden) nginx configuration on Synology NAS (DSM 7 compatible) using Synology Docker (supporting Bitwarden's LiveSync with WebSocket configuration)
server {
    # TLS listener for the Vaultwarden web vault; replace CHANGE_SERVERNAME
    listen 4444 ssl http2;
    listen [::]:4444 ssl http2;
    server_name CHANGE_SERVERNAME;

    # Synology default system certificate; adjust the paths to your certificate
    ssl_certificate /usr/syno/etc/certificate/system/default/ECC-fullchain.pem;
    ssl_certificate_key /usr/syno/etc/certificate/system/default/ECC-privkey.pem;
    ssl_trusted_certificate /usr/syno/etc/certificate/system/default/ECC-fullchain.pem;

    # HSTS with a max-age of 15768000 seconds (about six months)
    add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload" always;

    # Web vault and API: proxied to the container's HTTP port (host port 5151)
    location / {
        proxy_connect_timeout 15;
        proxy_read_timeout 15;
        proxy_send_timeout 15;
        proxy_intercept_errors off;
        proxy_http_version 1.1;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:5151;
    }

    # WebSocket notifications (LiveSync): proxied to host port 5152
    location /notifications/hub {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://localhost:5152;
    }

    # The negotiate endpoint goes to the main HTTP port, not the WebSocket port
    location /notifications/hub/negotiate {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:5151;
    }

    # Serve the Synology error page for these status codes
    error_page 403 404 500 502 503 504 @error_page;
    location @error_page {
        root /usr/syno/share/nginx;
        rewrite (.*) /error.html break;
        allow all;
    }
}

Vaultwarden on Synology

This example configuration, especially the docker run command, is intended for use on Synology NAS devices (DSM 7 and DSM 6).

In this example, the Vaultwarden web vault is served by nginx on port 4444. The Vaultwarden Docker container is published on host port 5151 and the WebSocket server (rocket) on host port 5152; in the docker run command these are mapped to ports 80 and 3012 inside the container. The folder /volume1/docker/vaultwarden is also mapped to /data inside the container.

  • Nginx: Change CHANGE_SERVERNAME to the Synology server name under which Vaultwarden should be accessible.
  • Nginx: Change the ssl_certificate options to your needs.
  • Docker: Change the timezone (--env "TZ=Europe/Berlin") to your needs.

Vaultwarden nginx conf

  • Copy vaultwarden.conf to /usr/local/etc/nginx/sites-enabled/vaultwarden.conf
  • Restart the nginx service: synoservice -restart nginx
    • In case of errors, check the logs located in /var/log/nginx/

Vaultwarden docker

docker run

docker run \
  --name "vaultwarden" \
  --privileged \
  --runtime "runc" \
  --volume "/volume1/docker/vaultwarden:/data:rw" \
  --log-driver "db" \
  --restart "always" \
  --publish "0.0.0.0:5152:3012/tcp" \
  --publish "0.0.0.0:5151:80/tcp" \
  --network "bridge" \
  --hostname "vaultwarden" \
  --expose "3012/tcp" \
  --expose "80/tcp" \
  --env "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \
  --env "LOG_FILE=/data/bitwarden.log" \
  --env "TZ=Europe/Berlin" \
  --env "WEBSOCKET_ENABLED=true" \
  --detach \
  --tty \
  --interactive \
  "vaultwarden/server:latest" \
  "/start.sh"
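
The command above passes --privileged and publishes both backend ports on 0.0.0.0, so the plain-HTTP ports 5151 and 5152 are reachable from the network without going through the nginx TLS listener on 4444. The following check is an added example, not part of the original gist: the function name `audit_docker_run` and both sample commands are constructed for illustration, and the hardened sample assumes the container runs without --privileged.

```shell
#!/bin/sh
# Added example (not from the gist): lint a `docker run` command read from
# stdin and print one finding per risky flag. No output means no findings.
audit_docker_run() {
    prev=""
    # Drop quotes and line-continuation backslashes, one token per line.
    tokens=$(tr -d '\\"' | tr -s ' \t\n' '\n\n\n')
    while IFS= read -r tok; do
        spec=""
        case "$tok" in
            --privileged|--privileged=true)
                echo "privileged: container gets all capabilities and host device access" ;;
            --publish=*)
                spec=${tok#--publish=} ;;
            *)
                # Value following a separate --publish / -p flag.
                case "$prev" in --publish|-p) spec=$tok ;; esac ;;
        esac
        case "$spec" in
            ""|127.0.0.1:*|'[::1]:'*) ;;  # not a publish spec, or loopback only
            *) echo "publish $spec: backend port is reachable from the network, bypassing the nginx TLS listener" ;;
        esac
        prev=$tok
    done <<EOF
$tokens
EOF
}

# Constructed sample: the relevant flags of the command shown on this page.
PAGE_FLAGS='docker run --name "vaultwarden" --privileged \
  --publish "0.0.0.0:5152:3012/tcp" \
  --publish "0.0.0.0:5151:80/tcp" "vaultwarden/server:latest"'

# Constructed sample: same ports bound to loopback, without --privileged.
HARDENED_FLAGS='docker run --name "vaultwarden" \
  --publish "127.0.0.1:5152:3012/tcp" \
  --publish "127.0.0.1:5151:80/tcp" "vaultwarden/server:latest"'

echo "page command:";     printf '%s\n' "$PAGE_FLAGS" | audit_docker_run
echo "hardened command:"; printf '%s\n' "$HARDENED_FLAGS" | audit_docker_run
```

Because nginx runs on the NAS itself and proxies to localhost:5151 and localhost:5152, publishing on 127.0.0.1 keeps the proxy configuration above unchanged.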

Additional Info

LiveSync - WebSocket Configuration
