HAproxy for local offline vaultwarden

Hello all. I’m trying to break my dependency of my vaultwarden docker having to use a reverse proxy on my NAS to function (have working SSL).

My current setup:

  • Domain and DNS via cloudflare (for this post lets call my domain “mydomain.net”)
  • pfSense router, port forwarding internet traffic for “mydomain.net:5432” to the synology reverse proxy
  • synology docker build of vaultwarden
  • SSL via synology GUI
  • To renew the SSL I re-open a disabled firewall rule, then close it back up.
  • Daily functionality of using vaultwarden (the bitwarden app on phone and browsers, web admin etc) relies on this internet connection (SSL).

What I would like:

I followed @LTS_Tom 's video here:

As well as further clarification from Raid Owl’s vid of pretty much the same process.

I’ve gotten to the point of inputting the cloudflare API information in and obtaining a valid cert, and building out an HAproxy backend and front end. All that said, when I close up the port forwarding I loose sync functionality.

What am I missing as far as being able to successfully ‘break’ that link to the outside world, making it so my vaultwarden only works for LAN connected devices and/or with tailscale?

Do I need to use pfSense DNS resolver for a host override?

Yes, if you use a wildcard domain cert you can then have valid internal sub domains that have internal IP and then use the DNS host overides.

1 Like

Wow thanks for such a fast reply.

Doesn’t Learn Linux TV have a video on this as well? I can’t find it anywhere.

I’ll try wildcard, but why doesn’t the specific DNS (example.mydomain.net) work in this case? It all works until I sever the port forward (even after inputting a host override in pfsense). Note I’m not using standard port 443 for vaultwarden so there shouldn’t be an issue not changing pfSense’s webUI correct?

I’m not sure why you put for the DNS Resolver/General Settings/Edit Host Override for your freenas, but when I put my clients IP address there I know at least have routing success, but no SSL:


Welp, SSL isn’t working but apparently the android app and browser add-ons don’t need that element, they route and sync.

I just can’t access the web vault via browsers due to SSL and that is not a bit/vaultwarden thing but browser requirement.

The DNS needs to point to HAProxy

1 Like

I tap out. Between docker being on synology, its reverse proxy, pfsense, turning off ha_proxy, cloudflare etc etc I’ve strung a string of band-aids and spray and prays and now I can access the web vault when I accept the self signed cert, and andoid app syncs but strangely the browser add-ons sync fails. I might just stop here, its been (no lie) 1.5 days of trying to figure this out. I’m ashamed to admit I work in IT but this has me whipped.

  • Edit user error