Front on-premise installation with Nginx Proxy Manager + Cloudflare Tunnel

Hello Bitwarden community, thanks for any help already! Sorry for formatting & typo since I’m new to the forum. Love Bitwarden and have been using it for a long time :heart:
As the title says, I’m trying to front my on-premise installation with an Nginx Proxy Manager with Cloudflare Argo Tunnel. All containers are managed from Portainer to make management easier with a UI. General summary of what I’ve done so far:

  • I’ve a valid domain name purchased and pointed to Cloudflare Tunnel,
  • I opened port 80 and port 443 for Nginx Proxy Manager,
  • I remapped the ports in the bwdata/config.yml file that the bitwarden/nginx container is using, because the initial setup of Nginx Proxy Manager already uses port 80 and port 443, and you get “port already binded by container X” after executing “./bitwarden.sh rebuild” and “./bitwarden.sh start”
  • Changed bitwarden containers’ default internal networks and added them to Nginx Proxy Manager’s network. This is done by adding “docker-compose.override.yml” file to the same directory where “docker-compose.yml” file is.
  • Routed Cloudflare Tunnel’s ingress to Nginx Proxy Manager, then added initial domain name that I want to use Bitwarden for as proxy host with forward hostname of Bitwarden docker container name and address “http://myserveripaddress:remappedport”.

To sum up, general traffic is like this:

Cloudflare Tunnel → Nginx Proxy Manager → Server

When I just open Nginx Proxy Manager or Portainer to the public, this flow just works without any problem. But when it comes to fronting the Bitwarden installation with this flow and I visit the initial domain, Cloudflare throws a 502 error every time. When I check Bitwarden container logs such as bitwarden-web or bitwarden-api, I’m getting these messages:

bitwarden-api:
2023-03-28T19:58:23.893786909Z info: Microsoft.Hosting.Lifetime[14]
2023-03-28T19:58:23.893957949Z Now listening on: http://[::]:5000
2023-03-28T19:58:23.922447961Z info: Microsoft.Hosting.Lifetime[0]
2023-03-28T19:58:23.922490014Z Application started. Press Ctrl+C to shut down.
2023-03-28T19:58:23.952497370Z info: Microsoft.Hosting.Lifetime[0]
2023-03-28T19:58:23.952563115Z Hosting environment: Production
2023-03-28T19:58:23.963643580Z info: Microsoft.Hosting.Lifetime[0]
2023-03-28T19:58:23.963734845Z Content root path: /app

bitwarden-web:
2023-03-28T20:40:24.121965470Z info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
2023-03-28T20:40:24.122025087Z Request starting HTTP/1.1 GET http://localhost:5000/ - -
2023-03-28T20:40:24.123944175Z info: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware[2]
2023-03-28T20:40:24.123991968Z Sending file. Request path: ‘/index.html’. Physical path: ‘/app/index.html’
2023-03-28T20:40:24.124137854Z info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
2023-03-28T20:40:24.124151846Z Request finished HTTP/1.1 GET ********* - - - 200 1238 text/html 1.3029ms
2023-03-28T20:40:54.235679196Z info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
2023-03-28T20:40:54.235733813Z Request starting HTTP/1.1 GET ********** - -
2023-03-28T20:40:54.235944328Z info: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware[2]
2023-03-28T20:40:54.235964671Z Sending file. Request path: ‘/index.html’. Physical path: ‘/app/index.html’
2023-03-28T20:40:54.236706893Z info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
2023-03-28T20:40:54.236724637Z Request finished HTTP/1.1 GET ********** - - - 200 1238 text/html 0.4512ms

When I check docker containers’ status with “docker ps -a” I see all containers running with “healthy” status.

  • What am I missing on this setup route?
  • Is this kind of setup possible?
  • Did anyone try to do this kind of setup?

Any help is appreciated.

Can you clarify whether you’re saying that when you remove Cloudflare from the picture that BW works (still behind Nginx) or are you just saying that when you remove Cloudflare that your topology works for some of your other (non-BW) services you’re hosting in-house?

Hi jtr, first of all thanks for your reply.
I meant opening both Nginx Proxy Manager and Portainer to the public with the traffic I described. I didn’t try removing Cloudflare from the picture. I was trying to add multiple services with subdomains on a single Cloudflare tunnel, then the tunnel’s traffic is directed to the Nginx Proxy Manager before the server. Even if it sounds like one of Cloudflare or Nginx Proxy Manager is unnecessary, I like the features each of them offers (such as NPM’s access list feature and Cloudflare’s Zero Trust dashboard).
I hope this explanation clarifies what I’m trying to achieve, thanks for any help.