I thought that Vaultwarden install was going to be a little simpler but after having consulted a few guides here and there its maybe less straightforward than I thought.
My use-case is to use it on may internal LAN only with not access from outside whatsoever. In theory, http should be fine, but as this tool will contain quite a bit of sensitive data, I can see why it may be a good idea to go https. Are most of you internal users only setting up https?
My network is behind a pfSense setup that uses unbound to resolve all DNS. Locally, all my DNS requests are being forwarded on the subnet I will have Vaultwarden installed.
- First question is whether for internal network use only, I need to go https.
- Second question is whether I need to follow this guide?
You must log in or register to comment.
I run vaultwarden local only and use https, mostly because vaultwarden doesn’t allow itself to be run over http. The way I did it was to get a domain (you can buy one if you want, I used duckdns for a free one) and when prompted for an IP to point it to, use your server’s internal IP instead your public IP. Other than that you should be able to follow all the guides as normal
Never run something like Vaultwarden with unencrypted traffic. Throwing in a self signed cert is basically free insurance. You never know when even in your “trusted network” something starts listening in. Just why risk it?
You could go HTTP only if your happy that anything on the network could see your traffic, I don’t trust anything on my networks so HTTPS everything.
Depending on if you have a proxy in front of vaultwarden will depend on what you need setup, I have nginx and traefik in front of my instance.
I don’t have any proxy.
FWIW, here’s my compose file. I 100% use https for everything internal. With LetsEncrypt and Pihole, why wouldn’t you? It’s dead-simple.
networks: backend: external: True services: vaultwarden: container_name: vw-svr-00 image: vaultwarden/server environment: - TZ=My/Timezone - DOMAIN=https://my.internal.domain/ # ports: # - "82:80" volumes: - ./vw_data:/data networks: - backend restart: always labels: - "traefik.enable=true" - "traefik.http.routers.vaultwarden.rule=Host(`my.internal.domain`)” - "traefik.http.routers.vaultwarden.entrypoints=websecure" - "traefik.http.routers.vaultwarden.tls=true" - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"edit: I also run my instance on a subdomain vs a path. So my instances is actually at
vw.internal.domain.Iirc vaultwarden itself won’t load if you don’t run https.
I think when I set up vault warden with the docker compose it had scripts to generate it’s own self-signed certificate. So it was already set up to use https.
I have a CA I created with easyrsa so I went and found the csr from vault warden and signed it with my own CA, so I didn’t have to juggle two certs.
But otherwise yeah, running it on my local LAN, no let’s encrypt.
