Of course:
LXC with IP 192.168.49 is my nginx proxy manager (bare metal).
this rule is working fine for basic login and all apps and devices to my Bitwarden (2nd LXC with IP 192.168.1.32)
Installation of Bitwarden according to the Bitwarden manual with settings
globalSettings__baseServiceUri__vault=https://192.168.1.32
globalSettings__baseServiceUri__cloudRegion=EU
globalSettings__sqlServer__connectionString="Data Source=tcp:mssql,1433;Initial Catalog=bwvaultnd;Persist Security Info=False;User ID=sa;Password=vf3Aa5FEKayDVJYYcWa1y2y083Hjm4RN;Multiple Active Result Sets=False;Connect Timeout=30;Encrypt=True;Trust Server Certificate=True"
globalSettings__identityServer__certificatePassword=Hh08ZrsPIAdV3TBJESkZY7Wkn7Lyd4A3
globalSettings__internalIdentityKey=Qm7MfAzRRPLNx9zy32DWqSBWpmz9pN7mFIsdZxvGnCHAahLxffAnVv0GsBJF4eXl
globalSettings__oidcIdentityClientKey=5F1lV8cWJlEjDycYZ5K1MROa5YQxjlYXkTXTBklnPIReUT6vBHB6rjYjUgXY7j4Y
globalSettings__duo__aKey=6Dlim8pq7zBR9aDOg9KcpT2kUUDFoI2fChQeqhSCP2c5roXeS3QG6Zcj8k7LiY79
globalSettings__installation__id=xxx
globalSettings__installation__key=xxx
globalSettings__yubico__clientId=REPLACE
globalSettings__yubico__key=REPLACE
globalSettings__mail__replyToEmail=xxx
globalSettings__mail__smtp__host=xxx
globalSettings__mail__smtp__port=465
globalSettings__mail__smtp__ssl=true
globalSettings__mail__smtp__username=xxx
globalSettings__mail__smtp__password=xxx
globalSettings__disableUserRegistration=false
globalSettings__hibpApiKey=REPLACE
adminSettings__admins=xxx
short: self-signed certificate
Connection internal is not safe (of course), connection from domain bw.xxx.online is working with Let’s Encrypt (but I tried a lot scenarios and none are working, see also Critical bug in 2025.1.3 / 2025.1.1 self-hosted server versions with 2FA? - #6 by EinKantHolz)
config.yml:
#
# Note: After making changes to this file you need to run the `rebuild` or `update`
# command for them to be applied.
#
# Full URL for accessing the installation from a browser. (Required)
url: https://192.168.1.32
#
# Auto-generate the `./docker/docker-compose.yml` config file.
# WARNING: Disabling generated config files can break future updates. You will be
# responsible for maintaining this config file.
# Template: https://github.com/bitwarden/server/blob/master/util/Setup/Templates/DockerCompose.hbs
generate_compose_config: true
#
# Auto-generate the `./nginx/default.conf` file.
# WARNING: Disabling generated config files can break future updates. You will be
# responsible for maintaining this config file.
# Template: https://github.com/bitwarden/server/blob/master/util/Setup/Templates/NginxConfig.hbs
generate_nginx_config: true
#
# Docker compose file port mapping for HTTP. Leave empty to remove the port mapping.
# Learn more: https://docs.docker.com/compose/compose-file/#ports
http_port: 80
#
# Docker compose file port mapping for HTTPS. Leave empty to remove the port mapping.
# Learn more: https://docs.docker.com/compose/compose-file/#ports
https_port: 443
#
# Configure Nginx for Captcha.
captcha: false
#
# Configure Nginx for SSL.
ssl: true
#
# SSL versions used by Nginx (ssl_protocols). Leave empty for recommended default.
# Learn more: https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_versions:
#
# SSL ciphersuites used by Nginx (ssl_ciphers). Leave empty for recommended default.
# Learn more: https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_ciphersuites:
#
# Installation uses a managed Let's Encrypt certificate.
ssl_managed_lets_encrypt: false
#
# The actual certificate. (Required if using SSL without managed Let's Encrypt)
# Note: Path uses the container's ssl directory. The `./ssl` host directory is mapped to
# `/etc/ssl` within the container.
ssl_certificate_path: /etc/ssl/self/192.168.1.32/certificate.crt
#
# The certificate's private key. (Required if using SSL without managed Let's Encrypt)
# Note: Path uses the container's ssl directory. The `./ssl` host directory is mapped to
# `/etc/ssl` within the container.
ssl_key_path: /etc/ssl/self/192.168.1.32/private.key
#
# If the certificate is trusted by a CA, you should provide the CA's certificate.
# Note: Path uses the container's ssl directory. The `./ssl` host directory is mapped to
# `/etc/ssl` within the container.
ssl_ca_path:
#
# Diffie Hellman ephemeral parameters
# Learn more: https://security.stackexchange.com/q/94390/79072
# Note: Path uses the container's ssl directory. The `./ssl` host directory is mapped to
# `/etc/ssl` within the container.
ssl_diffie_hellman_path:
#
# Nginx Header Content-Security-Policy parameter
# WARNING: Reconfiguring this parameter may break features. By changing this parameter
# you become responsible for maintaining this value.
nginx_header_content_security_policy:
#
# Communicate with the Bitwarden push relay service (push.bitwarden.com) for mobile
# app live sync.
push_notifications: true
#
# Use a docker volume (`mssql_data`) instead of a host-mapped volume for the persisted database.
# WARNING: Changing this value will cause you to lose access to the existing persisted database.
# Learn more: https://docs.docker.com/storage/volumes/
database_docker_volume: false
#
# Defines "real" IPs in nginx.conf. Useful for defining proxy servers that forward the
# client IP address.
# Learn more: https://nginx.org/en/docs/http/ngx_http_realip_module.html
#
# Defined as a dictionary, e.g.:
# real_ips: ['10.10.0.0/24', '172.16.0.0/16']
real_ips:
#
# Enable Key Connector (https://bitwarden.com/help/article/deploy-key-connector)
enable_key_connector: false
#
# Enable SCIM
enable_scim: false
Activating 2FA results in an general error message while connection via domain bw.xxx.online but works fine with internal IP 192.168.1.32.
routing directly from router to Bitwarden also works fine. Only nginx produces the general error message because the window is not loading the site where one can enter the 2FA key. I submit my mail, my passwort and error. While internal trying, after the password there comes the field fore the 2FA-key (mail or TOTP, it doesn’t matter, same behavior).
So its something with nginx Proxy Manager but unfortunately I can’t find some documentation here in the community or in the web concerning this issue. And after several days, several freshly installed Bitwarden instances and a lot of trying and googling, I have no idea what I must add. It’s the Proxy, yes, but why? only god knows?