Issue with accessing vaultwarden via caddy, both as docker containers on GCP VM

1. Output of caddy version:

2.6.2

2. How I run Caddy:

GCP Linux VM using Docker

a. System environment:

Debian 11

b. Command:

sudo mkdir /etc/caddy

sudo chmod go-rwx /etc/caddy

sudo docker run -d -p 80:80 -p 443:443 --name caddy -v /etc/Caddyfile:/etc/caddy/Caddyfile -v /etc/caddy:/root/.local/share/caddy -v caddy_data:/data --restart on-failure caddy:2

d. My complete Caddy config:

mydomainwhichisresolvingcorrectly.com {
    encode gzip

    reverse_proxy /notifications/hub/negotiate 0.0.0.0:8080
    reverse_proxy /notifications/hub 0.0.0.0:3012
    reverse_proxy 0.0.0.0:8080
}

3. The problem I’m having:

Trying to use Caddy with vaultwarden for HTTPS and getting a 502 in the browser

4. Error messages and/or full log output:

{"level":"error","ts":1673468600.1370056,"logger":"http.log.error","msg":"dial tcp 0.0.0.0:8080: connect: connection refused"

5. What I already tried:

Opened 8080 on firewall for GCP VM
Tried swapping 0.0.0.0 with localhost

6. Links to relevant resources:

How I started vaultwarden:

sudo docker run -d --name vaultwarden -v /srv/vaultwarden:/data -e WEBSOCKET_ENABLED=true -p 127.0.0.1:8080:80 -p 127.0.0.1:3012:3012 --restart on-failure vaultwarden/server:latest

Had to change the configuration of the Caddyfile to modify 0.0.0.0:3012 and 0.0.0.0:8080 to instead use the IP address of the Docker host interface (172.17.0.1) instead of 0.0.0.0 - what’s the reason why the caddy container cannot reach vaultwarden if using 0.0.0.0 instead of 172.17.0.1?

That’s not the right way to do it, because then vaultwarden is still directly accessible by anyone who can make requests to that host machine, reaching vaultwarden on port 8080 without TLS.

Instead, you should put both containers in the same Docker network, and then use the container name as the upstream address, i.e. vaultwarden:80 and vaultwarden:3012. And you don’t need to publish the ports of the vaultwarden container to the host (i.e. remove the -p arguments on your vaultwarden container).

That way, it’s only accessible through Caddy, which protects the connections over TLS.

This is much easier to do if you use Docker Compose instead of directly using docker commands, since you can declaratively write how Docker should work, plus you get some nice things built-in like Compose setting up a network for all services in the same project.

Here’s a starting point:

Add in your vaultwarden service to that, and it should work.
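A Compose file along the lines Francis describes, added here as an illustration and not the snippet from the original reply: both services share the project network, only Caddy publishes host ports, and the Caddyfile names the vaultwarden service as the upstream. It assumes Docker Compose v2.23.1 or newer for the inline configs content, and keeps the placeholder domain from the question.

```yaml
# Added example, not the forum's own snippet. Assumes Compose v2.23.1+
# (inline `configs.content`); the domain is the placeholder from the question.
services:
  caddy:
    image: caddy:2
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"          # Caddy is the only container published to the host
    configs:
      - source: caddyfile
        target: /etc/caddy/Caddyfile
    volumes:
      - caddy_data:/data     # certificates and ACME account keys
      - caddy_config:/config

  vaultwarden:
    image: vaultwarden/server:latest
    restart: unless-stopped
    environment:
      WEBSOCKET_ENABLED: "true"
    volumes:
      - /srv/vaultwarden:/data
    # No `ports:` entry: vaultwarden is reachable only on the Compose network,
    # so ports 80/3012 of the container never appear on the host without TLS.

configs:
  caddyfile:
    content: |
      mydomainwhichisresolvingcorrectly.com {
          encode gzip
          # Compose's embedded DNS resolves the service name on the shared network
          reverse_proxy /notifications/hub/negotiate vaultwarden:80
          reverse_proxy /notifications/hub vaultwarden:3012
          reverse_proxy vaultwarden:80
      }

volumes:
  caddy_data:
  caddy_config:
```

After `docker compose up -d`, `ss -ltn` on the host should list only 80 and 443, confirming that the vaultwarden ports are no longer bound on the VM.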

Thank you Francis. I have torn everything down and rebuilt it using docker-compose and the vaultwarden container name vs. the Docker host interface IP.
