I'm using the vaultwarden docker container, which basically requires a reverse proxy to provide SSL.
The container runs a separate web server for Websockets, because Rust's rocket doesn't support web sockets on the same port.
The instructions for VaultWarden say:
- Route the /notifications/hub endpoint to the WebSocket server, by default at port 3012, making sure to pass the Connection and Upgrade headers
- Route everything else, including /notifications/hub/negotiate, to the standard Rocket server, by default at port 80
How would I configure my nginx reverse proxy to support this setup?
My config looks like this:
docker-compose.yml
```yaml
version: '3'
services:
  vaultwarden:
    image: vaultwarden/server:1.25.2
    volumes:
      - /srv/vaultwarden/vaultwarden:/data/
    restart: always
    environment:
      - WEBSOCKET_ENABLED=true
  nginx:
    image: nginx:1.23.1
    volumes:
      - /srv/vaultwarden/nginx/templates:/etc/nginx/templates
      - /srv/vaultwarden/nginx/ssl:/etc/nginx/ssl
    ports:
      - "443:443"
    environment:
      - NGINX_PORT=443
```
nginx:
```nginx
server {
    listen ${NGINX_PORT} ssl http2 default;
    server_name _;

    # SSL
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # Web sockets
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        proxy_pass http://vaultwarden;
    }
}
```
Should I be:
- Exposing port 3012 on the vaultwarden container directly?
  - What would the nginx config look like for that?
- Exposing port 3012 on the nginx container, and proxy_passing it to the vaultwarden container?
  - What would that look like?
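
One way to express the two routing rules quoted from the Vaultwarden instructions as an nginx template. This is an added example, not part of the original post or the project's own configuration. It assumes the compose service name `vaultwarden` from the post and the default ports 80 and 3012.

```nginx
# Added example (not from the original post).
# Assumes the upstream host "vaultwarden" resolves on the compose network.
server {
    listen ${NGINX_PORT} ssl http2;
    server_name _;

    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    proxy_http_version 1.1;

    # Headers inherited by locations that define no proxy_set_header of their own.
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Everything else goes to the Rocket server on port 80.
    location / {
        proxy_pass http://vaultwarden:80;
    }

    # Longest-prefix match wins, so /notifications/hub/negotiate lands here
    # and goes to Rocket, not to the WebSocket server.
    location /notifications/hub/negotiate {
        proxy_pass http://vaultwarden:80;
    }

    # The WebSocket endpoint goes to port 3012 with the upgrade headers.
    location /notifications/hub {
        proxy_pass http://vaultwarden:3012;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Setting any proxy_set_header in a location drops the server-level
        # ones, so the forwarding headers are repeated here.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

With this layout port 3012 needs no `ports:` entry on either container: nginx reaches it over the compose network, so 443 stays the only published port.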