Nginx setup for a server that already uses ports 80 and 443

I plan to install bitwardenrs on my server, which already uses ports 80 and 443 for my website.
The link should look like this: https://bitwarden.example.tld/

Since I am a newbie with docker, I don’t know what to do when I read the nginx proxy example on the wiki page.

Could anyone help me set it up? Thank you very much.

There are several ways to go; personally I’d just create a new subdomain dedicated to bitwarden (which appears to be what you want with https://bitwarden.example.tld/), then you can tell nginx to serve bitwarden when you access the website through this URL.

Roughly speaking I start my container like so:

docker run -d --name bitwarden -e WEBSOCKET_ENABLED=true -v /path/to/bitwarden/data:/data/ -p 127.0.0.1:1234:80 -p 127.0.0.1:3012:3012 bitwardenrs/server:latest

Note the -p 127.0.0.1:1234:80, which maps bitwarden’s port 80 to port 1234 on the host machine and makes sure it only binds to localhost, so that it can’t be reached from the outside. That assumes of course that nginx will be running on the same machine.

Then you can configure your nginx as explained here, taking care to change the proxy_pass statements so they use port 1234 instead of 80, and to set <SERVER> to 127.0.0.1: Proxy examples · dani-garcia/bitwarden_rs Wiki · GitHub (the “Nginx (by shauder)” one should do the trick).

Make sure to only allow HTTPS connections to the bitwarden instance. You can redirect HTTP to HTTPS with something like:

    server {
        listen 80;
        listen [::]:80;
        server_name bitwarden.example.tld;
        # plain HTTP: send everything to the HTTPS virtual host
        return 301 https://bitwarden.example.tld$request_uri;
    }

I hope that helps.


Thank you. I can set up my server now.
The following is my configuration.

  • The command I use to start bitwarden
    sudo docker run -d --name bitwarden -v /bw-data/:/data/ -p 3080:80 bitwardenrs/server:latest

  • The nginx.conf I use for proxy

server {
  # Plain HTTP: redirect everything to HTTPS. The two Certbot-managed "if"
  # blocks and the final "return" all do the same thing; the return alone
  # would be enough, the Certbot lines are left as Certbot wrote them.
  if ($host = www.bitwarden.example.tld) {
    return 301 https://$host$request_uri;
  } # managed by Certbot
  if ($host = bitwarden.example.tld) {
    return 301 https://$host$request_uri;
  } # managed by Certbot
  listen       80;
  listen       [::]:80;
  server_name bitwarden.example.tld www.bitwarden.example.tld;
  return 301 https://bitwarden.example.tld$request_uri;
}
server {
  # HTTPS on the www. alias: only redirect to the canonical name.
  listen [::]:443 ssl http2;
  listen 443 ssl http2;
  server_name www.bitwarden.example.tld;
  ssl_certificate /etc/letsencrypt/live/bitwarden.example.tld/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/bitwarden.example.tld/privkey.pem; # managed by Certbot
  return 301 $scheme://bitwarden.example.tld$request_uri;
}
server {
  # HTTPS on the canonical name: reverse-proxy to the container on localhost.
  listen [::]:443 ssl http2;
  listen 443 ssl http2;
  server_name bitwarden.example.tld;
  access_log /var/log/nginx/imblien.com.access.log;
  error_log /var/log/nginx/imblien.com.error.log;

  ssl_certificate /etc/letsencrypt/live/bitwarden.example.tld/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/bitwarden.example.tld/privkey.pem; # managed by Certbot

  # Web vault and API: host port 3080 maps to the container's port 80.
  location / {
    proxy_pass http://127.0.0.1:3080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  # WebSocket notifications: needs WEBSOCKET_ENABLED=true and a -p ...:3012:3012
  # mapping on the container. proxy_http_version 1.1 is required, because the
  # Upgrade handshake does not work over the HTTP/1.0 nginx uses by default.
  location /notifications/hub {
    proxy_pass http://127.0.0.1:3012;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }

  # The negotiate call is plain HTTP and goes to the main port, not 3012.
  location /notifications/hub/negotiate {
    proxy_pass http://127.0.0.1:3080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }
}

Be careful: you haven’t set 127.0.0.1 in your -p specification when starting the docker image, which I think means the port will be reachable directly from the outside without going through nginx, unless I misunderstand the way containers bind their ports (very possible) or you have a firewall running.

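As an added example (editor's code, not part of the thread or of bitwarden_rs), here is a small POSIX shell audit that does the check the last reply is asking for and shows why the first answer binds to 127.0.0.1: it parses `docker port <container>` output and `ss -ltn` output and flags any published port whose host address is not loopback. The `SAMPLE_*` strings are constructed to mimic a container started with `-p 3080:80 -p 127.0.0.1:3012:3012`; the function names are assumptions of this example. Replace the samples with live output on the host to audit a real deployment.

```shell
#!/bin/sh
# Added example (not from the thread): audit a container's published ports and
# the host's listening sockets for anything bound to a non-loopback address.
# Function names and sample data are the editor's; replace the SAMPLE_* strings
# with live output from `docker port bitwarden` and `ss -ltn` on the host.

# Constructed sample of `docker port bitwarden` for a container started with
#   -p 3080:80 -p 127.0.0.1:3012:3012
SAMPLE_PORT_OUTPUT='80/tcp -> 0.0.0.0:3080
80/tcp -> [::]:3080
3012/tcp -> 127.0.0.1:3012'

# Constructed sample of `ss -ltn` on the same host (nginx on 443, docker-proxy on 3080/3012).
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096         0.0.0.0:3080        0.0.0.0:*
LISTEN 0      4096       127.0.0.1:3012        0.0.0.0:*
LISTEN 0      511          0.0.0.0:443         0.0.0.0:*'

# check_bindings: read `docker port` lines on stdin and print each binding whose
# host address is not loopback. Returns 0 when every binding is loopback-only,
# 1 when at least one port is reachable from other hosts.
check_bindings() {
  exposed=0
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    host_side=${line#*-> }        # "0.0.0.0:3080", "[::]:3080", "127.0.0.1:3012"
    addr=${host_side%:*}          # drop the trailing ":port"
    case "$addr" in
      127.0.0.1|'[::1]') ;;       # loopback: only reachable through nginx on this host
      *) echo "EXPOSED: $line"; exposed=1 ;;
    esac
  done
  return "$exposed"
}

# non_loopback_listeners PORT: read `ss -ltn` output on stdin and print the
# Local Address:Port of every listener on PORT that is not bound to loopback.
# Checking the kernel's view catches a docker-proxy or second service listening
# where you did not expect it.
non_loopback_listeners() {
  awk -v p="$1" 'NR > 1 {
    lp = $4; sub(/.*:/, "", lp)            # port part
    addr = $4; sub(/:[0-9]+$/, "", addr)   # address part, keeps "[::]" / "[::1]"
    if (lp == p && addr != "127.0.0.1" && addr != "[::1]") print $4
  }'
}

# Stand-alone run over the constructed samples.
if printf '%s\n' "$SAMPLE_PORT_OUTPUT" | check_bindings; then
  echo "docker: all published ports are loopback-only"
else
  echo "docker: some published ports are reachable from outside; add 127.0.0.1: to -p"
fi
for port in 3080 3012; do
  printf '%s\n' "$SAMPLE_SS_OUTPUT" | non_loopback_listeners "$port"
done
```

On the sample data the script reports the two `0.0.0.0`/`[::]` bindings of port 3080 and the matching `0.0.0.0:3080` listener, and nothing for 3012. Keep in mind that Docker installs its own iptables rules for published ports, so a host firewall such as ufw does not necessarily block them; binding the container port to 127.0.0.1 in the `-p` option is the reliable fix.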