Seeking Guidance: How to Self-Host Bitwarden with Cloudflare Integration
Hello there,
I'm diving into setting up Bitwarden on a Linode VPS and honestly, I'm pretty new to all this. I've got Docker and Ubuntu 23.04 up and running, and now I'm looking at adding Cloudflare into the mix for extra security. The thing is, I'm at a bit of a loss on where to even begin.
The initial setup was a breeze since the Bitwarden self-installer took care of the SSL configuration with Certbot and Let's Encrypt. But now, when it comes to integrating Cloudflare, especially for securing my domain and subdomains, I feel out of my depth.
I would really appreciate some guidance on:
The basics of integrating Cloudflare with a Bitwarden setup on Docker/Ubuntu.
Essential steps to secure my domain and subdomains with Cloudflare.
Any beginner-friendly resources or tips to help me navigate this new territory.
If anyone can point me in the right direction or share some beginner-friendly advice, it would mean a lot.
Thanks so much for your help!
Note: I am using a clouldflare owned Domain.
https://bitwarden.com/help/install-on-premise-linux/
Bitwarden
Linux Standard Deployment | Bitwarden Help Center
This article guides you through the process of installing and deploying the Bitwarden password manager to a Linux server.
59 Replies
Hey @Achllys
I'd be happy to help, there's a few things I'd do from here to harden your server and add Cloudflare into the mix.
Given this is a password manager, the most secure way to handle such a server is to block ALL incoming connections from everywhere (except for maybe your own IP for SSH purposes), and then use Cloudflare Tunnels to expose the Bitwarden app to the internet via an outbound only connection. This way, there's no possible way that anyone can compromise your server or access Bitwarden without going through Cloudflare.
You can block all incoming connections either through your cloud provider's dashboard, or by using iptables or UFW directly on the server.
You can follow the instructions to setup a tunnel here:
https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/
After all this is done, you can add further WAF rules at Cloudflare to lock down who can access Bitwarden.
Create a remotely-managed tunnel (dashboard) ยท Cloudflare Zero Trus...
Follow this step-by-step guide to get your first tunnel up and running using Zero Trust.
@AlphaCentauri so, should I use the ssl with bitwarden still or what would you suggest? can they both work side by side?
I would continue to use the automated SSL configuration, mostly because it allows you to easily migrate away from Cloudflare if you ever need to without having to worry about configuring SSL at that point.
The Tunnel should work without you making any changes to your Bitwarden configuration.
thank you
if I bought a name through clouldflare would I do the nameservers of clouldflare there?
unsure though
Yes, if you purchase a domain through cloudflare, the nameservers are automatically set to your assigned ones
so, I can skip this thank you
@AlphaCentauri through docker or not?
What do you mean through Docker? Do you mean run the Cloudflare Tunnel via docker?
If so, yeah, that'll work just fine.
Though if you're not using Docker for Bitwarden then it probably makes more sense to just install Cloudflared on the host machine directly
What's better practice? I run most of my applicactions on docker?
There's no objective better option, it all depends on what best fits your use case. If you run most of your applications in Docker, then it makes perfect sense to choose Docker for Cloudflared too!
Oh, alright so now I'm confused. I did this. but
forgot to remove the 2 numbers of the ip in the ss 
So your second entry is incorrect as you won't have a protocol/prefix of HTTPs on Port 80, so you'll need to edit/delete that.
Also you don't need two entries, if your app is listening on port 80, you can just have one entry pointing to
http://localhost:80 and everything will work fine.local host would be my ip right?
You can actually just use localhost because Cloudflared can connect to your service via localhost as it's installed on the machine itself. Your public IP should also work, but using localhost makes migration a little easier.
hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
Give me a moment, I'm going to read the guide you followed to understand how you've configured everything on your server ๐
im sorry lmao
Nah it's all good ๐
I have Bitwarden setup myself, but I use the much nicer Rust unofficial implementation called Vaultwarden which works much faster and easier tbh.
Alright, let's do a sanity check and I'll try to help you get this working.
Can you run
docker ps and send me a screenshot of what's running?
And also can you confirm that if you visit your server's IP address in the browser with HTTP, does it launch Bitwarden there?fixed it lol
it was https
Lol
Tbh the way you've setup Certbot isn't ideal because it needs to run on the same ports as Bitwarden to generate a certificate. It makes more sense to run a DNS challenge with Cloudflare API keys if you want to generate your own SSL certificate.
Or better yet, just use a self signed certificate or use HTTP only and let Cloudflare handle SSL for you which is much simpler
How would I do that I'm sorry ;-;
To make things much easier, I would remove Certbot completely and solely run Bitwarden on your server.
You can then specify
N for all the options relating to SSL certificates.
If you do that, all you then have to do is use the tunnel to proxy http://localhost:80 and everything will work perfectly.
If you read that last option, Cloudflare Tunnels will act as the HTTPS proxy so you can avoid all the extra complications.Did that website isn't up or anything
Can you run some troubleshooting steps for me and I'll help you get it working.
Firstly, if you type your server's IP in the browser like
http://1.2.3.4, does it launch the Bitwarden Web UI? You may have to ignore certificate warnings, but we need to ensure that it's actually live.It does not for some reason
Okay, so you'll need to troubleshoot Bitwarden itself in this case, as it doesn't seem to be running. It won't be a Cloudflare issue as there's nothing to proxy at the moment.
ah alright
If you want, I have some free time right now and can send you a fully configured docker-compose.yml file for Vaultwarden which should work out of the box
I wouldn't mind that actually I've wanted to get that working for awhile, but it was a bit too confusing for me as I'm pretty new to clouldflare and networking within linux
That's fair, I'll help you set it up as I'm procrastinating right now from my actual job and need something else to do ๐
Give me 5 minutes and I'll write a quick file for you that incorporates Bitwarden + Cloudflared
thank you :DDDDDDDD
mind sending me this one actually?
Sure thing, so first you'll need to first perform the following commands to remove your old containers and to set up the structure for Bitwarden:
Step 1:
docker stop $(docker ps -a -q)
(this stops ALL your Docker containers)
Step 2: mkdir -p /opt/achllys/containers/vaultwarden/data/
(this creates the persistent directory for your Vaultwarden data)
Step 3: cd /opt/achllys/ && touch docker-compose.yml
(this creates your docker-compose file)
Then, type nano /opt/achllys/docker-compose.yml and paste the following in:
You will need to replace PASTEYOURTOKENHERE with your Cloudflared token that starts with ey........
Then, run docker compose up -d and make sure your Tunnel is configured like before with http://localhost:80
And you should be able to access the Web UI
Let me know if you need any more help setting it up ๐Is the tunnel token this?
Nope
One sec
ah okay thank you ๐
Go to this page by clicking on the Tunnel and pressing Configure and find the token within the code box that starts with
ey
O
that
Do you see a long string starting with ey
Yup haha
You'll have to paste the entire thing in a text editor and extract the token
And paste just the token in the compose file
and the website no worky ;-;
Works for me ๐
Did you have to install anything else apart from the docker?
Can you type the following :
docker stop $(docker ps -a -q)
You shouldn't have two tunnels active
Then make sure that no docker containers are running by typing docker ps
Once you have confirmed that, type cd /opt/achllys/ && docker compose up -d
Then type docker ps again and make sure only two containers are active
OMG
TYSM
Hahaha ๐ congrats ๐
No worries at all! Glad I could help you get it working ๐
i appricate this so much ๐
You're most welcome haha! You caught me while I had some free time bored at work so I don't mind at all ๐
I can't wait to learn more about networking with clouldflare
@AlphaCentauri what do you use for emails? SMTP?
I don't use email as I only use Bitwarden internally, but yes, you can add the following to the bitwarden service in the docker-compose file to set up SMTP:
I get the email, but when I click verfiy the page is dead
What is the full URL in the browser?
http://localhost/#/verify-email/?userId=3a4dd047-a884-4158-acf4-76399a6588a5&token (token is shown)Nice, yeah you just need to use this updated docker compose file:
You just need to pass the real domain to Vaultwarden
hmm, now the website wont start after going back to the old config it works
Well, it's unreachable*
If you start it with the new config and type
docker logs bitwarden what shows up?
Did you make sure to replace PASTEYOURTOKENHERE in the new config?I did
version: '3.8'
services:
bitwarden:
container_name: bitwarden
image: vaultwarden/server:latest
restart: unless-stopped
security_opt:
- no-new-privileges:true
network_mode: host
volumes:
- /opt/achllys/containers/vaultwarden/data/:/data/
environment:
- SMTP_HOST=smtp-relay.brevo.com
- SMTP_FROM=vaultwarden@secure.achllys.net
- SMTP_PORT=587
- SMTP_SECURITY=starttls
- SMTP_USERNAME=
- SMTP_PASSWORD=
- DOMAIN="https://secure.achllys.net"
cloudflare_tunnel:
container_name: cloudflare_tunnel
image: cloudflare/cloudflared:latest
restart: unless-stopped
network_mode: hostInteresting, we are doing that.
Can you try renaming it to:
Or if that also fails, try (without quotes):
it was the quates it seems alls is working now ๐
Awesome!
Thank you ๐
Hmm, if I'd want to setup openziti what would I need to do through clouldflare?
https://openziti.io/
Dave Finger
Open Source Zero Trust Networking
Open Source Zero Trust Networking
OpenZiti is an open source zero trust network applying zero trust principles directly into applications through SDKs or to existing networks using tunnelers