Replies: 1 comment
-
|
Most users run Vaultwarden behind a reverse proxy which in most cases have users offload the SSL. Also, starting in SSL mode means we should generate some kind of self-signed certificate for an unknown or invalid domain, which in the end only creates more confusion. Most tools i know run in http mode and recommend using a reverse proxy. Or they support providing a certificate pre-generated and run on https, which is what Vaultwarden does also. We do not support ACME and also do not plan to do this as other tools are more optimize to do this like reverse proxies. |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Prerequisites
Vaultwarden Support String
N/A
Vaultwarden Build Version
v1.34.0
Deployment method
Official Container Image
Custom deployment method
No response
Reverse Proxy
traefik 3.4.4
Host/Server Operating System
Linux
Operating System Version
No response
Clients
Web Vault
Client Version
No response
Steps To Reproduce
Expected Result
Actual Result
Logs
Screenshots or Videos
No response
Additional Context
Thank you for the wonderful project.
A small suggestion that exists with the default Vaultwarden Docker container is that it expects HTTPs traffic over port 80 when port 80 is defined by IANA as a HTTP port only and the correct port for HTTPs is 443 (RFC6335 / RFC9110).
One would think this is not a problem, right? The port in this case is just a TCP socket on the lower levels but this problem manages to throw the Traefik reverse-proxy off and the container must be labeled such that Traefik accepts to start TLS/SSL over port 80 or through the custom exposed port.
It would be standards-compliant for Vaultwarden to start its HTTPs listener on port 443, even internal to the Docker container because reverse-proxies like Traefik hook into the internal network, or to pick any non-reserved port for SSL traffic. Some other software behaves the same; Firefox is also thrown off if a server responds with a TLS/SSL session request over 80, it does not even proceed, it just throws an error at the user claiming that a website tried to initiate HTTPs over HTTP.
I am just mentioning this because it's not a difficult issue to debug, but due to the non-standards-compliant behavior some clients might be thrown off by default depending on how seriously they take the port assignment definitions.
Beta Was this translation helpful? Give feedback.
All reactions