# Proxy examples

In this document, `<SERVER>` refers to the IP or domain where bitwarden_rs is accessible from. If both the proxy and bitwarden_rs are running in the same system, simply use `localhost`.
The ports proxied by default are `80` for the web server and `3012` for the WebSocket server. The proxies are configured to listen in port `443` with HTTPS enabled, which is recommended.

When using a proxy, it's preferrable to configure HTTPS at the proxy level and not at the application level, this way the WebSockets connection is also secured.

## Caddy

```nginx
localhost:443 {
    # The negotiation endpoint is also proxied to Rocket
    proxy /notifications/hub/negotiate <SERVER>:80 {
        transparent
    }
    
    # Notifications redirected to the websockets server
    proxy /notifications/hub <SERVER>:3012 {
        websocket
    }
    
    # Proxy the Root directory to Rocket
    proxy / <SERVER>:80 {
        transparent
    }

    tls ${SSLCERTIFICATE} ${SSLKEY}
}
```

## Nginx (by shauder)
```nginx
server {
  include conf.d/ssl/ssl.conf;

  listen 443 ssl http2;
  server_name vault.*;

  location /notifications/hub/negotiate {
    include conf.d/proxy-confs/proxy.conf;
    proxy_pass http://<SERVER>:80;
  }

  location / {
    include conf.d/proxy-confs/proxy.conf;
    proxy_pass http://<SERVER>:80;
  }

  location /notifications/hub {
    proxy_pass http://<SERVER>:3012/api/websocket;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }
}
```

## Apache (by fbartels)
```apache
<VirtualHost *:443>
    SSLEngine on
    ServerName bitwarden.$hostname.$domainname

    SSLCertificateFile ${SSLCERTIFICATE}
    SSLCertificateKeyFile ${SSLKEY}
    SSLCACertificateFile ${SSLCA}
    ${SSLCHAIN}

    ErrorLog \${APACHE_LOG_DIR}/bitwarden-error.log
    CustomLog \${APACHE_LOG_DIR}/bitwarden-access.log combined

    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*)           ws://<SERVER>:3012/$1 [P,L]

    ProxyPass / http://<SERVER>:80/

    ProxyPreserveHost On
    ProxyRequests Off
</VirtualHost>
```

## Traefik (docker-compose example)
```traefik
    labels:
      - 'traefik.frontend.rule=Host:vault.example.local'
      - 'traefik.docker.network=traefik'
      - 'traefik.port=80'
      - 'traefik.enable=true'
      - 'traefik.web.frontend.rule=Host:vault.example.local'
      - 'traefik.web.port=80'
      - 'traefik.hub.frontend.rule=Path:/notifications/hub'
      - 'traefik.hub.port=3012'
      - 'traefik.negotiate.frontend.rule=Path:/notifications/hub/negotiate'
      - 'traefik.negotiate.port=80'
```