Hi
I currently have my vaultwarden docker container exposed to the web via cloudflare tunnel and traefik reverse proxy but wish to make it only run locally (and on tailscale VPN). Vaultwarden needs HTTPS to work, how can I set up traefik to handle this? Initially I tried just accessing my vault through the bitwarden android app using the internal IP and it seems to connect, but it fails to load the Webauthn page for 2FA, so I imagine there's still some kind of HTTPS issue happening.
First you need to understand that TLS certs are usually linked to domain names. So you need to use a (sub-)domain name, which resolves to your internal IP, either with an internal or external DNS.
There are multiple options for internal TLS certs:
- Use a (sub-)domain and create the cert with LetsEncrypt via the dnsChallenge, which does not require the site to be available externally.
- Buy a TLS cert for the internal (sub-)domain.
- Create a private TLS cert, which needs to be manually imported on all devices and the server.
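As an added illustration of the first option (this is example configuration written for this thread, not the poster's own setup): a single docker-compose file in which Traefik obtains the certificate for the internal hostname through the Let's Encrypt DNS challenge using Cloudflare's API, and routes the hostname to the Vaultwarden container. The hostname `vaultwarden.mydomain.com`, the e-mail address, the volume paths and the `.env` secret name are placeholders to be replaced.

```yaml
# docker-compose.yml -- constructed example, not from the original post.
# Traefik answers on host ports 80/443; only an A record (or internal DNS
# override) pointing vaultwarden.mydomain.com at this host's IP is needed,
# the port is implied by HTTPS.
services:
  traefik:
    image: traefik:v2.11
    container_name: traefik
    restart: unless-stopped
    command:
      # Only containers that opt in with traefik.enable=true are exposed.
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      # Plain HTTP exists only to redirect to HTTPS.
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      # ACME DNS-01 challenge: proves control of the domain via a TXT record,
      # so the server never has to be reachable from the internet.
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53"
      - "--certificatesresolvers.letsencrypt.acme.email=admin@mydomain.com"   # placeholder
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
    environment:
      # Scoped Cloudflare API token (Zone:DNS:Edit on this zone only),
      # read from .env rather than written into the compose file.
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt        # acme.json must be mode 600

  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      # DOMAIN must match the public-facing URL exactly; WebAuthn binds the
      # credential to this origin, so a mismatch breaks the 2FA page.
      - DOMAIN=https://vaultwarden.mydomain.com     # placeholder hostname
      - SIGNUPS_ALLOWED=false
    volumes:
      - ./vw-data:/data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.mydomain.com`)"
      - "traefik.http.routers.vaultwarden.entrypoints=websecure"
      - "traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt"
      # Vaultwarden serves HTTP on 80 inside the container; no host port
      # is published, so it is reachable only through Traefik.
      - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
```

Because the DNS challenge is validated against the public Cloudflare zone, the hostname only has to exist there as a record Let's Encrypt can read; what it resolves to locally is decided by the internal DNS, which returns the host's LAN (or tailscale) address and never needs a port, since Traefik is bound to 443 on that address.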
Thanks for your comprehensive reply. I went for option 1 and set up DNS challenges with cloudflare as a provider. My next question is: how do I now make https://vaultwarden.mydomain.com resolve to the vaultwarden container locally? For external access I've added a CNAME record on cloudflare, but I imagine this isn't necessary for local access. My internal DNS is adguard home + unbound, so I tried adding a host override to make vaultwarden.mydomain.com point to traefik, but it only lets me add an IP address (no port specification allowed), so I can only point it to my unraid server login page rather than the traefik instance, which runs on a specific port of my unraid server. Hopefully my question makes sense.