I'm trying to host a vaultwarden instance through docker and failing miserably. This isn't my first attempt either but I've got much further than before.
I'm using a DuckDNS domain with caddy as reverse proxy, but it appears that the domain is defaulting to port 80 no matter how I set up the config. I can't specify a port number in DuckDNS as far as I can tell. If the simple solution is to just buy a domain name I will consider it. Otherwise could really use some help in sorting out why it's not connecting.
I can't access Vaultwarden on the internal IP as it's not being served as SSL but both Vaultwarden and Caddy are running with no errors in logs. I've left out a bunch of admin env variables for the Vaultwarden service to truncate the code.
docker-compose:
`[___](services:
vaultwarden:
container_name: vaultwarden
image: vaultwarden/server:latest
restart: unless-stopped
ports:
- 11808:80
- 11443:443
volumes:
- ./data/:/data/
environment:
- ROCKET_PORT=11444
caddy:
image: caddy:2
container_name: caddy2
restart: always
ports:
- 1808:11808
- 1443:11443
volumes:
- ./caddy:/usr/bin/caddy
- ./Caddyfile:/etc/caddy/Caddyfile:ro
- ./caddy-config:/config
- ./caddy-data:/data
environment:
DOMAIN: "https://example.duckdns.org"
EMAIL: "example@domain.com"
DUCKDNS_TOKEN: "token"
LOG_FILE: "/data/access.log")`
Caddyfile:
' {$DOMAIN}:1443 {
log {
level INFO
output file {$LOG_FILE} {
roll_size 10MB
roll_keep 10
}
}
tls {
dns duckdns {$DUCKDNS_TOKEN}
}
encode gzip
Notifications redirected to the WebSocket server
reverse_proxy /notifications/hub vaultwarden:3012
Proxy everything else to Rocket
reverse_proxy vaultwarden:11444
}`
Any idea where I'm going wrong?
I should have said in the main text, I have something else on port 80 and I though best practice was not to expose 80 or 443?
Map host port 8080 to container port 80. 8443 to 443.
You can configure caddy to use 80 and be a reverse proxy for both the services, serving one site or the other depending on the name (you will need a second DNS entry pointing to the same IP). about not exposing 443, I really doubt that caddy can automatically retrieve SSL certificates for you if not running on the default port. Check the documentation, if I'm right either you open an empty website on 443 just for the sake of getting SSL certs to run https, and manually configure the other port to do the same, or you get the certificates manually using the DNS verification (check let's encrypt documentation) and configure caddy to use them.
If you don't want to expose port 80 or 443, then just change the ports they are running on. Right now you're mapping 80/443 in docker, so just change those numbers to something else if you don't want to use them. The number on the right is the internal service port, and the left of the colon is the port you're opening to proxy to the port on the left. Adding Caddy does exactly the same thing and serves no purpose except another layer of obfuscation you don't need.