I have my Bitwarden set up on an Ubuntu server. I currently have Let's Encrypt set up for SSL certificates.
I recently set up a reverse proxy which can handle all the SSL certificates. So, instead of installing Bitwarden without the certificate setup and again restoring all the databases, is there any way to convert the existing installation with SSL support into an installation with no SSL certificate setup at all?
I've very recently done the same thing and found it works really well. I believe from memory that you need to edit `./bwdata/config.yml`, setting the `ssl:` option to false. I'm not sure if you also need to set `ssl_managed_lets_encrypt: false` (I would assume that `ssl: false` probably has the highest priority), but it won't do any harm. You can also clear out the `ssl_*_path:` settings and the `ssl_diffie_hellman_path:` setting. Once you're happy with the settings, just run `./bitwarden.sh rebuild`. That should reconfigure the Docker containers to work without SSL. Then restart the Docker containers with `./bitwarden.sh start`.
The above is from memory (so hoping it's accurate), as I subsequently installed self-signed certificates and I am `proxy_pass`'ing on my network from the reverse proxy to Bitwarden using https. It's probably a bit of an overkill, as my reverse proxy handles the incoming https, but it won't do any harm and works flawlessly.
I also installed Nextcloud on the same PC as Bitwarden. Each has a different https domain name (bw.mydomain.net and nc.mydomain.net) on the internet side and they each get `proxy_pass`'ed on different ports to the correct Bitwarden/Nextcloud service. It now means I only have one Let's Encrypt certificate to renew on my reverse proxy server, instead of having to juggle with port forwarding on my router to renew the separate Bitwarden and Nextcloud Let's Encrypt certs.
Hope this helps you, but feel free to ask any questions, and I’ll try to help out.
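The procedure in the reply above, as an added example that is not part of the original post and not one of Bitwarden's own scripts: a small Python helper that applies the listed `config.yml` changes (`ssl: false`, `ssl_managed_lets_encrypt: false`, the `ssl_*_path` keys cleared), writes `real_ips` in the block form (newline, hyphen, space) that the thread later settles on, and then checks that the resulting settings agree with each other. It edits line by line so the template comments survive. The sample config, the host name `bw.example.net` and the proxy address `192.0.2.10` are constructed for the example; you still run `./bitwarden.sh rebuild` afterwards.

```python
"""Switch a self-hosted Bitwarden ./bwdata/config.yml from a Let's Encrypt
certificate to plain HTTP behind a TLS-terminating reverse proxy, then check
the result. Added example, not Bitwarden's own tooling. Edits are line based
so the template comments survive (a YAML parser round trip would drop them)."""
import ipaddress
import re

# Constructed sample standing in for an installer-written config.yml with a
# managed Let's Encrypt certificate (hypothetical host name and paths).
SAMPLE_CONFIG = """\
# Full URL for accessing the installation from a browser. (Required)
url: https://bw.example.net
# Configure Nginx for SSL.
ssl: true
# Installation uses a managed Let's Encrypt certificate.
ssl_managed_lets_encrypt: true
ssl_certificate_path: /etc/ssl/bw.example.net/certificate.crt
ssl_key_path: /etc/ssl/bw.example.net/private.key
ssl_ca_path: /etc/ssl/bw.example.net/ca.crt
ssl_diffie_hellman_path: /etc/ssl/bw.example.net/dhparam.pem
# Defines "real" IPs in nginx.conf.
real_ips: []
enable_key_connector: false
"""

TLS_PATH_KEYS = ("ssl_certificate_path", "ssl_key_path",
                 "ssl_ca_path", "ssl_diffie_hellman_path")
KEY_RE = re.compile(r"^(?P<key>[A-Za-z_]+):(?P<rest>.*)$")  # top-level key
LIST_ITEM_RE = re.compile(r"^\s+-\s+(?P<item>\S+)")           # "  - value"


def disable_tls(config_text, proxy_addrs):
    """Return config_text with ssl off, certificate paths cleared and real_ips
    set to proxy_addrs (IP addresses or CIDR blocks). url is left alone: it is
    the address browsers use, and they still reach the proxy over https."""
    for a in proxy_addrs:
        ipaddress.ip_network(a, strict=False)  # ValueError on a typo, before editing
    out, skipping_old_list = [], False
    for line in config_text.splitlines():
        if skipping_old_list and LIST_ITEM_RE.match(line):
            continue                           # drop the previous real_ips entries
        skipping_old_list = False
        m = KEY_RE.match(line)
        key = m.group("key") if m else None
        if key in ("ssl", "ssl_managed_lets_encrypt"):
            out.append(f"{key}: false")
        elif key in TLS_PATH_KEYS:
            out.append(f"{key}:")              # nginx no longer reads these
        elif key == "real_ips":
            out.append("real_ips:")            # block form: newline, hyphen, space
            out.extend(f"  - {a}" for a in proxy_addrs)
            skipping_old_list = True
        else:
            out.append(line)                   # comments and other keys untouched
    return "\n".join(out) + "\n"


def parse_top_level(config_text):
    """Minimal reader for the top-level scalars and the real_ips list."""
    values, current_list = {}, None
    for line in config_text.splitlines():
        item = LIST_ITEM_RE.match(line)
        if current_list is not None and item:
            values[current_list].append(item.group("item"))
            continue
        current_list = None
        m = KEY_RE.match(line)
        if not m:
            continue                           # comment or blank line
        key, rest = m.group("key"), m.group("rest").strip()
        if rest.startswith("["):               # inline list form
            values[key] = [i.strip(" '\"") for i in rest.strip("[]").split(",") if i.strip()]
        elif rest == "" and key == "real_ips":
            values[key], current_list = [], key
        else:
            values[key] = rest
    return values


def check_config(config_text):
    """Findings for a config meant to sit behind a TLS-terminating proxy;
    an empty list means the settings agree with each other."""
    v, findings = parse_top_level(config_text), []
    if v.get("ssl") != "false":
        findings.append("ssl is not false: nginx will still try to serve TLS itself")
    if v.get("ssl_managed_lets_encrypt") == "true":
        findings.append("ssl_managed_lets_encrypt is true although the proxy holds the certificate")
    for key in TLS_PATH_KEYS:
        if v.get(key):
            findings.append(f"{key} is still set; clear it so nothing points at the old certificate")
    real_ips = v.get("real_ips") or []
    if not real_ips:
        findings.append("real_ips is empty: every request will be logged with the proxy's address")
    for entry in real_ips:
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"real_ips entry {entry!r} is not an IP address or CIDR block")
    return findings


if __name__ == "__main__":
    print("before:", check_config(SAMPLE_CONFIG))
    fixed = disable_tls(SAMPLE_CONFIG, ["192.0.2.10"])  # hypothetical proxy address
    print("after: ", check_config(fixed))
    print(fixed)
```

`check_config` is deliberately narrow: it only reads the keys this thread is about, and it treats an empty `real_ips` as a finding because, behind a proxy, that is what leaves you with the proxy's address on every login log line.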
Yeah I did these 2 steps exactly. Forgot to close this issue on the forum.
Thanks anyways for your help! Much appreciated!
Is this still the correct way?
By doing so I get a "503 Service Unavailable" error when I try to open the Bitwarden site in my browser.
I am using the exact same installation instance (with latest updates) to date and it is working perfectly fine.
It still shows the Let’s Encrypt entries
And I get this error
503 Service Unavailable
No server is available to handle this request.
Following is my current yml file.
Replace your instance FQDN with your URL.
Replace your real_ips with your reverse proxy IP.
YML File:
```yaml
# Note: After making changes to this file you need to run the rebuild
# or update command for them to be applied.

# Full URL for accessing the installation from a browser. (Required)
url: http://BITWARDENSUBDOMAIN

# Auto-generate the ./docker/docker-compose.yml config file.
# WARNING: Disabling generated config files can break future updates. You will be
# responsible for maintaining this config file.
# Template: https://github.com/bitwarden/server/blob/master/util/Setup/Templates/DockerCompose.hbs
generate_compose_config: true

# Auto-generate the ./nginx/default.conf file.
# WARNING: Disabling generated config files can break future updates. You will be
# responsible for maintaining this config file.
# Template: https://github.com/bitwarden/server/blob/master/util/Setup/Templates/NginxConfig.hbs
generate_nginx_config: true

# Docker compose file port mapping for HTTP. Leave empty to remove the port mapping.
# Learn more: Overview | Docker Docs
http_port: 80

# Docker compose file port mapping for HTTPS. Leave empty to remove the port mapping.
# Learn more: Overview | Docker Docs
https_port: 443

# Docker compose file version. Leave empty for default.
# Learn more: Compose file versions and upgrading | Docker Docs
compose_version:

# Configure Nginx for Captcha.
captcha: false

# Configure Nginx for SSL.
ssl: false

# SSL versions used by Nginx (ssl_protocols). Leave empty for recommended default.
# Learn more: https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_versions:

# SSL ciphersuites used by Nginx (ssl_ciphers). Leave empty for recommended default.
# Learn more: https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_ciphersuites:

# Installation uses a managed Let's Encrypt certificate.
ssl_managed_lets_encrypt: false

# The actual certificate. (Required if using SSL without managed Let's Encrypt)
# Note: Path uses the container's ssl directory. The ./ssl host directory is mapped to
# /etc/ssl within the container.
ssl_certificate_path:

# The certificate's private key. (Required if using SSL without managed Let's Encrypt)
# Note: Path uses the container's ssl directory. The ./ssl host directory is mapped to
# /etc/ssl within the container.
ssl_key_path:

# If the certificate is trusted by a CA, you should provide the CA's certificate.
# Note: Path uses the container's ssl directory. The ./ssl host directory is mapped to
# /etc/ssl within the container.
ssl_ca_path:

# Diffie Hellman ephemeral parameters
# Learn more: tls - What's the purpose of DH Parameters? - Information Security Stack Exchange
# Note: Path uses the container's ssl directory. The ./ssl host directory is mapped to
# /etc/ssl within the container.
ssl_diffie_hellman_path:

# Nginx Header Content-Security-Policy parameter
# WARNING: Reconfiguring this parameter may break features. By changing this parameter
# you become responsible for maintaining this value.
nginx_header_content_security_policy:

# Communicate with the Bitwarden push relay service (push.bitwarden.com) for mobile
# app live sync.
push_notifications: true

# Use a docker volume (mssql_data) instead of a host-mapped volume for the persisted database.
# WARNING: Changing this value will cause you to lose access to the existing persisted database.
# Learn more: Volumes | Docker Docs
database_docker_volume: false

# Defines "real" IPs in nginx.conf. Useful for defining proxy servers that forward the
# client IP address.
# Learn more: Module ngx_http_realip_module
# Defined as a dictionary, e.g.:
# real_ips: ['10.10.0.0/24', '172.16.0.0/16']
real_ips:
  - YOURREVERSEPROXYIP

# Enable Key Connector (Deploy Key Connector | Bitwarden Help Center)
enable_key_connector: false

# Enable SCIM
enable_scim: false
```
Just to confirm, you are not using the Unified version (Install and Deploy - Unified (Beta) | Bitwarden Help Center), correct?
Because this is the version I am using: Install and Deploy - Linux | Bitwarden Help Center
No, I don’t use the new Unified system as it is still beta.
The real_ips was empty in my file. When I added the IP of my reverse proxy (OPNsense firewall), I got these messages while rebuilding:
I have now completely reinstalled Bitwarden with a self signed certificate. Everything is ok now!
Thanks for your help and your time!
No worries. But please note you need to add the real IP, because if not, all the logs your Bitwarden server writes, including logins and login attempts, will show the reverse proxy IP and not the actual public IP of the user.
Not an expert in this, but I think you need to add the IP with correct formatting.
Following are a few examples:
Essentially ip address followed by the subnet.
This is my configuration
Ah, there is a syntax error in this.
Use the exact syntax. I've shared a link earlier to another post which has the syntax (new line, hyphen, space, etc.). Also, just the IP is fine. Following is my config:
Are you using Cloudflare or any such service? Which reverse proxy are you using? You need to add the appropriate headers in it so that it will forward the real IP to Bitwarden.
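The point made in the last two replies (an empty `real_ips` leaves the proxy's address on every log line, and the proxy has to forward the client address in a header) can be checked without touching a server. The following is an added example, not nginx or Bitwarden code: it reproduces how nginx's ngx_http_realip_module picks the address to log from `X-Forwarded-For` given the trusted proxies in `real_ips`. It assumes the generated nginx config uses `real_ip_header X-Forwarded-For` with `real_ip_recursive on` (nginx's default for the latter is off, so the non-recursive case is included too). All proxy and client addresses are constructed.

```python
"""Work out which address ends up in Bitwarden's nginx access log for a given
real_ips setting, by reproducing how ngx_http_realip_module chooses a client
address from X-Forwarded-For. Added example, not nginx or Bitwarden code.
Assumes real_ip_header X-Forwarded-For; recursive mode is a parameter."""
import ipaddress


def client_address(peer_addr, x_forwarded_for, real_ips, recursive=True):
    """Address nginx would log.

    peer_addr        address of the TCP peer (the reverse proxy, when there is one)
    x_forwarded_for  X-Forwarded-For header value, or None if absent
    real_ips         trusted proxies from config.yml real_ips (IPs or CIDR blocks)
    """
    trusted = [ipaddress.ip_network(n, strict=False) for n in real_ips]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    # A header arriving from an untrusted peer is ignored: anyone can send one.
    if not x_forwarded_for or not is_trusted(ipaddress.ip_address(peer_addr)):
        return peer_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    result = peer_addr
    # Walk the chain from the right (nearest proxy) towards the client.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break            # unparsable hop: nginx stops and keeps what it has
        result = hop
        if not recursive or not is_trusted(ip):
            break            # non-recursive: last hop; recursive: first untrusted hop
    return result


# Constructed requests as the bundled nginx would see them behind a reverse
# proxy at 192.0.2.10 (hypothetical). Tuple: (peer, X-Forwarded-For, real_ips).
SCENARIOS = {
    "real_ips empty":          ("192.0.2.10", "203.0.113.5", []),
    "proxy trusted":           ("192.0.2.10", "203.0.113.5", ["192.0.2.10"]),
    "two trusted hops":        ("192.0.2.10", "203.0.113.5, 10.10.0.7",
                                ["192.0.2.10", "10.10.0.0/24"]),
    "client bypasses proxy":   ("198.51.100.9", "203.0.113.5", ["192.0.2.10"]),
    "trust too broad (spoof)": ("198.51.100.9", "203.0.113.5", ["0.0.0.0/0"]),
}


def logged_addresses(scenarios=SCENARIOS):
    """Map each scenario name to the address that would appear in the log."""
    return {name: client_address(*args) for name, args in scenarios.items()}


if __name__ == "__main__":
    for name, addr in logged_addresses().items():
        print(f"{name:26s} -> {addr}")
```

Two of the scenarios are the ones that matter for the login logs. When a request reaches the Bitwarden nginx directly from an address not in `real_ips`, the header is ignored, which is what you want. When `real_ips` is widened to `0.0.0.0/0` to "make it work", any client can write whatever address it likes into the login attempt records, so keep it to the proxy's own address or subnet. The proxy must also set the header; for an nginx reverse proxy that is `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` in the location that does the `proxy_pass`.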