Bitwarden behind Nginx reverse-proxy

Hi,

I’m running a self-hosted instance of Bitwarden behind an Nginx reverse-proxy. I’ve read this article and it didn’t help me solve the issue; I’ve tried multiple changes to the configuration but none of them make the connection to Bitwarden work.
I have Nginx reverse-proxy set up to redirect traffic based on the host name in the request header. Below is a working sample of configuration that works and redirects traffic to a Vault instance on port 8200:

# ===============================================
# Vault configuration
# ===============================================

upstream vault_backend {
    # ip_hash pins each client IP to the same backend (session stickiness)
    ip_hash;

    server <SERVER_1>:8200 max_fails=1 fail_timeout=2s;
    server <SERVER_2>:8200 max_fails=1 fail_timeout=2s;
    server <SERVER_3>:8200 max_fails=1 fail_timeout=2s;

    keepalive 32;
}

# redirect http to https
server {
    listen 8080;
    server_name vault.example.com;
    return 301 https://$host:8443$request_uri;
}

# reverse proxy to vault backend
server {
    listen 8443 ssl http2;
    server_name vault.example.com;

    ssl_certificate     /etc/nginx/security/<CERTIFICATE>.pem;
    ssl_certificate_key /etc/nginx/security/<CERTIFICATE_KEY>.key;

    proxy_buffering off;
    proxy_request_buffering off;

    location / {
        proxy_pass https://vault_backend;

        # HTTP/1.1 with an empty Connection header is needed for upstream keepalive
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        proxy_buffering off;
        proxy_request_buffering off;

        proxy_next_upstream error timeout http_429 http_500 http_502 http_503;
        proxy_next_upstream_tries 3;

        proxy_read_timeout 300s;

        # the upstream certificate is not verified; SNI is still sent to the backend
        proxy_ssl_verify off;
        proxy_ssl_server_name on;
    }

    location = /health {
        access_log off;
        return 200 "OK\n";
    }
}

So, in theory, if I copy the exact same config from above, change the domain name from and port 8200 to 443, it should work.
I know that there are conflicts coming from the fact that Bitwarden has its own Nginx running in one of the containers, but I’d like to work around this situation.

Any help & ideas are welcome!

Thanks!

Hi,
I get a “504 Gateway Time-out”. Currently I’m using port 8443. I’ve used all ports of the bitwarden-nginx container (80, 8080, 443, 8443). The behavior is the same.

I run the same config, but instead of that redirect from http to https I just have https under the ‘scheme’ in the proxy host GUI config of NPM. Also, are these docker containers (NPM and BW)?

The redirect is there in case of any requests coming on http.

Nginx reverse-proxy is not a docker container. Bitwarden is deployed in containers using docker compose.

Dang, that’s frustrating. Have you tried mapping the 8443 to a different port in the container? I know a lot of things use 8443, perhaps a conflict? Also, is the container running somewhere with a firewall? Mine is on a NAS and I have to specifically open these ports one by one to make it work.

The hosts (3x) on which I’m running Nginx reverse-proxy, HashiCorp Vault and Bitwarden (as Docker containers) listen on ports 8080 (http) and 8443 (https) via Nginx reverse-proxy, which redirects traffic based on the host name in the request header.

In the case of HashiCorp Vault it redirects to port 8200 (which works!).

In the case of Bitwarden it should redirect traffic to either port 80 or 443 (which belong to the host and are mapped to ports 8080 and 8443 of the bitwarden-nginx docker container). This doesn’t work! As I’ve understood, it could be related to the TLS handshake ending on the Nginx reverse-proxy and not on the Bitwarden Nginx container…
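A 504 from the proxy and the suspicion that the TLS handshake is ending in the wrong place can be told apart by probing each candidate backend port from the proxy host the way nginx would. The following is an added example, not code from this thread or from Bitwarden: a stdlib Python probe that classifies a proxy_pass target as connect timeout (what nginx reports as 504), connection refused, TLS, or plain HTTP; the plain-HTTP stub and the host names used with it are constructed for the demonstration.

```python
import socket
import ssl
import threading

def probe_upstream(host, port, sni=None, timeout=3.0):
    """Classify a proxy_pass target as seen from the proxy host: 'timeout' (what
    nginx reports as 504), 'refused' (nginx reports 502), 'tls' (proxy_pass
    https:// fits), 'plaintext' (proxy_pass http:// fits) or 'unknown'."""
    name = sni or host
    req = b"HEAD / HTTP/1.0\r\nHost: " + name.encode() + b"\r\n\r\n"
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # diagnostic only: same effect as proxy_ssl_verify off
    try:
        # SNI is sent, as proxy_ssl_server_name on would do
        with ctx.wrap_socket(raw, server_hostname=name) as tls:
            tls.sendall(req)
            tls.recv(16)
            return "tls"
    except (ssl.SSLError, OSError):
        raw.close()
    # TLS failed: does the same port answer plain HTTP instead?
    try:
        with socket.create_connection((host, port), timeout=timeout) as plain:
            plain.sendall(req)
            return "plaintext" if plain.recv(16).startswith(b"HTTP/") else "unknown"
    except OSError:
        return "unknown"

def start_plain_http_stub():
    """Constructed stand-in for a backend port that only speaks plain HTTP; it
    answers 400 to anything it receives, including a TLS ClientHello."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(4096)
                conn.sendall(b"HTTP/1.0 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run it from the reverse-proxy host against each backend address and port you have tried; a 'timeout' points at a firewall or port mapping, while 'plaintext' means that port should be proxied with http:// rather than https://.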

Hrm, I’m not going to be much help as I’m confused by your post. It appears your proxy listens on 8443, redirects to 443, which is then mapped to 8443. I must be reading that wrong. My NPM listens on 443, and depending on hostname redirects to the Bitwarden container on 8443, or some other service on another port. Perhaps that’s what you are doing as well, just not sure why your NPM is redirecting to 443 in there. Why not just go straight from NPM on 443 to Bitwarden on 8443?