Vaultwarden Description not corect

[nodeam]

This is not correct:

Vaultwarden needs to be behind a proxy (Nginx Proxy Manager, Caddy, etc) to obtain HTTPS and to allow clients to connect. If you try to open the web page directly on the new container, the web site will not load

Rocket can off course use HTTPs. It uses crt/key, self-signed, root-ca signed or bought cert for your FQDN.

ROCKET_TLS='{certs="/etc/ssl/vaultwarden/pvaultwarden.foobar.lan.crt",key="/etc/ssl/vaultwarden/pvaultwarden.foobar.lan.key"}'
ROCKET_PORT=8000

What Vaultwarden can't do is to obtain AND manage let's encrypt certs. For that you need either a reverse proxy or Certbot.

Best practice IMHO would be to run Vaultwarden in LAN with ROCKET_TLS based on root-ca signed cert (ZeroTrust) and additionally use an Outer-Caddy-LXC to reverse and to obtain let's encrypt cert for Vaultwarden.

[MickLesk]

I have read the text, but I still have the question, what is wrong with the description? Why don't you just write a guide for the people who use it and then you can link to it?

[MickLesk]

1. if it's so negligent and bad, why don't you define it cleanly, No normal script user here understands that.

2. wouldn't the whole discussion have been unnecessary if you had simply made a small PR with the changes?

[tremor021]

also this:

[MickLesk]

@nodeam can you give Feedback for this PR? #4197

[nodeam]

@MickLesk

It ain't misleading anymore.

@ALL

Short explaination (simplified):

YAMLers do:
Caddy with Let's Encrypt--> localhost (e.g docker swarm)

Connection chain secured. That's OK
Problem: apps are not isolated.

Folks using Proxmox apparently do:
Caddy LXC with Let's Encrypt (so called Outer caddy) --> Vaultwarden LXC listening on http w/o SSL

App is firewalled thus isolated. That's OK
Problem: Connection chain insecure!

Secure way:
Outer Caddy LXC with LE and fail2ban --> Vaultwarden LXC with Inner Caddy or Rocket with your own root-ca cert --> Vaultwarden listening only on localhost or https.

App is firewalled thus isolated. That's OK
Connection chain secured. That's OK

I'd would even use keycloak lxc with TOTP and its own inner caddy in front of that app, but vaultwarden doesn't support OICD. I do it for Outline and for Immich, though.

BTW: I'd neither expose Rocket directly to the internet.

[tremor021]

yea, but all you just wrote is really not a issue that our script should deal with. We install the apps. How are you going to secure it is really not a problem for us, its for end user.
I feel lilke more and more users think that we should give them out-of-the-box solution with every app they install with our scripts, which is definitely not our goal.
We are just trying to automate installations and building of the apps for the end users. Setting them up depends solely on end users environment and use case, we can't really cover that.
What we're trying our hardest with every install is to make it run with a sensible set of defaults that user can work with in order to get their own setup configured.