Best setup for running Bitwarden behind HAProxy

Hi all,

Looking for some assistance getting set up with Bitwarden. I have a working installation on Ubuntu server. This is the full Bitwarden installation, not the RS one.

The server is not directly exposed to the internet so during the initial setup I opted to generate a self-signed cert to get up and running.

I am now trying to get HAProxy working in front of it to 1) reverse proxy from the internet using SSL from Let’s Encrypt and 2) access Bitwarden internally with HAProxy providing the SSL termination so I don’t get SSL errors etc. My installation of HAProxy is running certbot and holds my wildcard SSL certs and is the only machine listening on 80 and 443 on the internet.

To put it bluntly, I am failing miserably. There are quite a few pieces to the puzzle to make this work properly.

I do have an internal domain controller running DNS on Windows Server 2019, with the domain internal.domain.com. So anything inside the network can be accessed via service.internal.domain.com etc. Then outside the network, I use Cloudflare for my DNS and have some regular CNAME entries set up for service.domain.com etc.

I am not expecting help with the DNS or HAProxy aspect, although if anyone has any advice they can offer that would be appreciated. I would, however, just like some advice on the best setup for Bitwarden to work properly for SSL both internally and externally in my environment. What are the best config settings to use in the config.yml etc.?

Any advice would be greatly appreciated.

Thanks,

FS
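For reference, this is what the Bitwarden side of a "terminate TLS on the proxy" setup looks like in `bwdata/config.yml`. It is an added example, not the poster's configuration and not text from the Bitwarden project; the host name, ports and the `real_ips` subnet are placeholders, and `real_ips` in particular should be checked against the key names in your own generated config.yml.

```yaml
# bwdata/config.yml (assumed path of the standard self-hosted install).
# Example values only: service.domain.com, the ports and the subnet are placeholders.

# The address every client (web vault, browser extensions, mobile apps) uses.
# It stays https even though Bitwarden's own nginx will only speak plain HTTP,
# because HAProxy is the side that presents the Let's Encrypt certificate.
url: https://service.domain.com

# Let the installer keep regenerating docker-compose.yml and nginx/default.conf.
generate_compose_config: true
generate_nginx_config: true

# Port the Bitwarden nginx container publishes on the host. HAProxy's backend
# points at this port. It is plaintext, so firewall it to the proxy's address.
http_port: 8080
https_port: 8443

# TLS is terminated on HAProxy, so Bitwarden's nginx must not try to do it.
# With ssl false, https_port and the ssl_* certificate settings are not used;
# the generated certificate paths can stay as they are.
ssl: false
ssl_managed_lets_encrypt: false

# Proxy addresses whose X-Forwarded-For header Bitwarden's nginx should trust,
# so that its logs and rate limiting see the real client IP rather than HAProxy.
# (Assumption: confirm this key exists in your generated config.yml.)
real_ips: ['10.0.0.0/24']
```

After editing the file, run `./bitwarden.sh rebuild` followed by `./bitwarden.sh start` so the compose and nginx files are regenerated from it. Because `ssl: false` makes the HAProxy-to-Bitwarden hop plain HTTP, keep that hop on the trusted LAN and restrict port 8080 on the Bitwarden host to the proxy's IP with the host firewall.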

My view would be to run HAProxy for internal and external so that your entire SSL termination is handled by your HAProxy.

It doesn’t appear you are doing Split DNS which means you will have to keep changing your Login URI each time you are inside or outside your network unless you always want to use your external URI regardless of where you are accessing the vault from.

No, there is no split-brain DNS. I did have a split setup but it was causing me some issues trying to get things working. So I have separated it now.

Ideally what you have suggested is exactly what I want to do. Use HAProxy for the entire SSL termination. Internal and external.

In terms of Bitwarden, what would my SSL/URL config have to look like to achieve this?

And this is a total guess, but for the internal SSL termination to work, would I have to have my internal DNS records pointing to HAProxy instead of the server directly? I’m guessing that’s how the internal SSL termination would work.

No, not really…
Everything in your extensions and app and general access would point to

service.domain.com

You would only access the internal site for the /admin URI:
service.internal.domain.com/admin

The internal URI could also be used for accessing the web interface when in the internal network, and you can ignore the SSL cert warning.