4
submitted 1 year ago by plasticus@beehaw.org to c/selfhost@lemmy.ml

I'm pretty new in this space, and have been tinkering around with some self-hosting for the last month or so, via Docker on an Ubuntu host. I'm pretty comfortable with Linux, but trying to learn reverse-proxy stuff. So, I thought my next project would be Vaultwarden, but I want to be able to access it from outside the network, and I need SSL working. I have gotten other dockers to be accessible from outside (http://bookstack.oaf.monster) using nginx manager, but the two I've tried with SSL (vik.oaf.monster and vault.oaf.monster) give me 502 Bad Gateway errors. So I know I'm configuring something incorrectly. Been trying to fix this as I've had time for the last week, and finally deciding I need to reach out for help! Any notes/tips/ideas are appreciated.

First and foremost, here's what I see in the error log for nginx:

2023/08/21 16:54:29 [error] 3049756#3049756: *95695 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.23.0.32, server: vault.oaf.monster, request: "GET / HTTP/2.0", upstream: "https://10.23.0.220:8006/", host: "vault.oaf.monster"
2023/08/21 16:54:29 [error] 3049756#3049756: *95695 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.23.0.32, server: vault.oaf.monster, request: "GET /favicon.ico HTTP/2.0", upstream: "https://10.23.0.220:8006/favicon.ico", host: "vault.oaf.monster", referrer: "https://vault.oaf.monster/"

I see it says wrong version number, but admittedly I have no idea what to do with that. Not experienced enough in SSL.

My NGINX config file for vaultwarden (I know how to use cat, but I don't know how to manually edit this file if I need to... no vi on the docker!):

[root@docker-bf5d51784409:/data/nginx/proxy_host]# cat 7.conf
# ------------------------------------------------------------
# vault.oaf.monster
# ------------------------------------------------------------

server {
  set $forward_scheme https;
  set $server         "10.23.0.220";
  set $port           8006;

  listen 80;
listen [::]:80;

listen 443 ssl http2;
listen [::]:443 ssl http2;

  server_name vault.oaf.monster;

  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-4/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-4/privkey.pem;

    # Force SSL
    include conf.d/include/force-ssl.conf;

  access_log /data/logs/proxy-host-7_access.log proxy;
  error_log /data/logs/proxy-host-7_error.log warn;

  location / {
    # Proxy!
    include conf.d/include/proxy.conf;
  }

  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

This is my docker-compose for vaultwarden, in case it's relevant:

version: '3'

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      DOMAIN: "https://vault.oaf.monster"  # Your domain; vaultwarden needs to know it's https to work properly with attachments
    volumes:
      - ./vw-data:/data
    ports:
      - 8006:80

And lastly, I took a few screenshots and put them here... might be useful. https://imgur.com/a/JRH9jXi

What am I doing wrong? I'm open to the idea that it might be multiple things. Thanks in advance!

you are viewing a single comment's thread
view the rest of the comments
[-] TagMeInSkipIGotThis@lemmy.nz 1 points 1 year ago

I haven't got time to take a decent look at this right now, but will try to make time later today. But I had nightmares getting Nginx Proxy Manager to behave reliably on my unraid box - with Vaultwarden (among other things) as well coincidentally. And subsequently I ended up switching to CaddyV2 as it ended up being easier to get running and has (touch wood) so far been more stable.

[-] plasticus@beehaw.org 1 points 1 year ago

I've been considering giving caddy a try. Maybe that's on the docket for tomorrow!

this post was submitted on 22 Aug 2023
4 points (100.0% liked)

Self Hosted - Self-hosting your services.

11419 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules

Important

Beginning of January 1st 2024 this rule WILL be enforced. Posts that are not tagged will be warned and if not fixed within 24h then removed!

Cross-posting

If you see a rule-breaker please DM the mods!

founded 3 years ago
MODERATORS