vaultwarden docker compose file with matching https to http forwarder for use in the internet network without https port forwarding to the outside.

vaultwarden_docker-compose.yml

version: "3.2"
services:
  bitwarden:
    image: vaultwarden/server:latest
    restart: always
    ports:
      - "80:80"
    environment:
      - ADMIN_TOKEN=YOURPASSWORD
      - WEBSOCKET_ENABLED=true
      - SIGNUPS_ALLOWED=false
      - INVITATIONS_ALLOWED=false
      - LOG_FILE=/data/vaultwarden.log
      - LOG_LEVEL=warn
      - EXTENDED_LOGGING=true
#      - SMTP_HOST="<smtp.domain.tld>"
#      - SMTP_FROM="<vaultwarden@domain.tld>"
#      - SMTP_PORT="587"
#      - SMTP_SECURITY="starttls"
#      - SMTP_USERNAME="<username>"
#      - SMTP_PASSWORD="<password>"
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
    volumes:
      - ./data:/data
    networks:
      - proxy_net
      - backend

  nginx:
    image: nginx:latest
    restart: always
    ports:
#      - "80:80"
      - "443:443"
    volumes:
      # nginx conf
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      # nginx certs: key = "nginx.key"; cert = "nginx.crt"
      - ./certs:/etc/nginx/ssl:ro
#      # certbot web content
#      - ./certbot/www:/var/www/certbot:ro
    networks: 
      - proxy_net
    depends_on:
      - bitwarden
#      - certbot

#  certbot:
#    image: certbot/certbot:latest
#    volumes:
#      - ./certbot/conf:/etc/letsencrypt
#      - ./certbot/www:/var/www/certbot
#      - ./certs:/output
#      - ./certbot/custom-root-ca.pem:/usr/local/share/ca-certificates/custom-root-ca.pem:ro
#    entrypoint: /bin/sh
#    environment:
#      - CUSTOM_CERT_MAIL=admin@vaultwarden.test.com
#      - CUSTOM_CERT_ACME=https://acme.example.local/directory
#      - CUSTOM_CERT_DOMAIN=vaultwarden.test.com 
#    command: >
#      -c "
#      update-ca-certificates &&
#      certbot certonly
#        --webroot
#        --webroot-path /var/www/certbot
#        --non-interactive
#        --agree-tos
#        --email ${CUSTOM_CERT_MAIL}
#        --server ${CUSTOM_CERT_ACME}
#        --preferred-challenges http
#        -d ${CUSTOM_CERT_DOMAIN} &&
#      cp /etc/letsencrypt/live/${CUSTOM_CERT_DOMAIN}/fullchain.pem /output/nginx.crt &&
#      cp /etc/letsencrypt/live/${CUSTOM_CERT_DOMAIN}/privkey.pem /output/nginx.key
#      "
#    networks:
#      - proxy_net

networks:
  proxy_net:
  backend:

vaultwarden_nginx.conf

events { }

http {
#    server {
#        listen 80;
#        server_name vaultwarden.test.com;
#
#        location /.well-known/acme-challenge/ {
#            root /var/www/certbot;
#        }
#
#        location / {
#            return 301 https://$host$request_uri;
#        }

    server {
        listen 443 ssl;
        server_name vaultwarden.test.com;

        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;

        location / {
            proxy_pass http://bitwarden:80;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}

vaultwarden_readme.md

Vaultwarden Docker Compose

instructions for creating and renewing self-created certificates

• create

mkdir certs && cd certs && \ 
  openssl req -x509 -newkey rsa:4096 -keyout nginx.key -out nginx.crt -days 365 -nodes -subj "/CN=vaultwarden.test.com"

• nenew

cd certs && \ 
  openssl req -new -key nginx.key -out nginx.csr -subj "/CN=vaultwarden.test.com" && \ 
  openssl x509 -req -in nginx.csr -signkey nginx.key -out nginx.crt -days 365