I’m pretty new to this space, and have been tinkering around with some self-hosting for the last month or so, via Docker on an Ubuntu host. I’m pretty comfortable with Linux, but trying to learn reverse-proxy stuff. So, I thought my next project would be Vaultwarden, but I want to be able to access it from outside the network, and I need SSL working. I have gotten other dockers to be accessible from outside (http://bookstack.oaf.monster) using nginx manager, but the two I’ve tried with SSL (vik.oaf.monster and vault.oaf.monster) give me 502 Bad Gateway errors. So I know I’m configuring something incorrectly. I’ve been trying to fix this as I’ve had time for the last week, and have finally decided I need to reach out for help! Any notes/tips/ideas are appreciated.
First and foremost, here’s what I see in the error log for nginx:
2023/08/21 16:54:29 [error] 3049756#3049756: *95695 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.23.0.32, server: vault.oaf.monster, request: "GET / HTTP/2.0", upstream: "https://10.23.0.220:8006/", host: "vault.oaf.monster"
2023/08/21 16:54:29 [error] 3049756#3049756: *95695 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.23.0.32, server: vault.oaf.monster, request: "GET /favicon.ico HTTP/2.0", upstream: "https://10.23.0.220:8006/favicon.ico", host: "vault.oaf.monster", referrer: "https://vault.oaf.monster/"
I see it says wrong version number, but admittedly I have no idea what to do with that. Not experienced enough in SSL.
My NGINX config file for vaultwarden (I know how to use cat, but I don’t know how to manually edit this file if I need to… no vi on the docker!):
[root@docker-bf5d51784409:/data/nginx/proxy_host]# cat 7.conf
# ------------------------------------------------------------
# vault.oaf.monster
# ------------------------------------------------------------
server {
  set $forward_scheme https;
  set $server         "10.23.0.220";
  set $port           8006;

  listen 80;
  listen [::]:80;

  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name vault.oaf.monster;

  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-4/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-4/privkey.pem;

  # Force SSL
  include conf.d/include/force-ssl.conf;

  access_log /data/logs/proxy-host-7_access.log proxy;
  error_log /data/logs/proxy-host-7_error.log warn;

  location / {
    # Proxy!
    include conf.d/include/proxy.conf;
  }

  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}
This is my docker-compose for vaultwarden, in case it’s relevant:
version: '3'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      DOMAIN: "https://vault.oaf.monster" # Your domain; vaultwarden needs to know it's https to work properly with attachments
    volumes:
      - ./vw-data:/data
    ports:
      - 8006:80
And lastly, I took a few screenshots and put them here… might be useful. https://imgur.com/a/JRH9jXi
What am I doing wrong? I’m open to the idea that it might be multiple things. Thanks in advance!
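An added example (not from the original post or from Nginx Proxy Manager) that reproduces the "wrong version number" line from the error log above: it performs a TLS handshake against a port that only speaks plain HTTP, which is what "set $forward_scheme https" makes nginx do when the upstream is a container port 80 published on the host. The local plain-HTTP listener and the 127.0.0.1 address are constructed for the demo; the probe function can be pointed at any upstream host and port to tell which forward scheme the proxy host should use.

```python
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_upstream(host, port, timeout=3.0):
    """Classify host:port as 'tls', 'plaintext' or 'unknown' by attempting a TLS handshake.
    A plain-HTTP listener answers the ClientHello with an HTTP error line, and OpenSSL then
    reports WRONG_VERSION_NUMBER: the failure nginx logged 'while SSL handshaking to upstream'.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we only ask "is TLS spoken here?", not who the peer is
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"  # handshake completed: https is the right forward scheme
    except ssl.SSLError as exc:
        return "plaintext" if "WRONG_VERSION_NUMBER" in str(exc) else "unknown"
    except OSError:
        return "unknown"  # refused, timed out or reset: no verdict either way


def forward_scheme_for(kind):
    """Map the probe verdict to the $forward_scheme value the proxy host should use."""
    return {"tls": "https", "plaintext": "http"}.get(kind, "unknown")


class _PlainHandler(BaseHTTPRequestHandler):
    """Constructed plain-HTTP listener, standing in for a container port 80 published on the host."""
    def log_message(self, *args):  # keep the demo quiet
        pass


class _QuietServer(HTTPServer):
    def handle_error(self, request, client_address):  # the probe aborting mid-write is expected
        pass


def demo_plaintext_upstream():
    """Probe the constructed upstream the way nginx does with $forward_scheme https."""
    srv = _QuietServer(("127.0.0.1", 0), _PlainHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        kind = probe_upstream("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()
    return kind, forward_scheme_for(kind)
```

Against the setup in the post, probing 10.23.0.220:8006 the same way tells you whether that port answers TLS at all before you touch the proxy host's scheme.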
I haven’t got time to take a decent look at this right now, but will try to make time later today. But I had nightmares getting Nginx Proxy Manager to behave reliably on my unraid box - with Vaultwarden (among other things) as well coincidentally. And subsequently I ended up switching to CaddyV2 as it ended up being easier to get running and has (touch wood) so far been more stable.
I’ve been considering giving caddy a try. Maybe that’s on the docket for tomorrow!