
bitwarden_rs not working behind traefik v2.2 (Bad Gateway)


So I'm trying to add bitwarden_rs to my docker network but it seems to fail hard.

I also have a nextcloud docker container running behind traefik (nextcloud.mydomain.com) which is working fine. But adding bitwarden with its own subdomain (bitwarden.mydomain.com) to traefik doesn't want to start working. I'm always getting a Bad Gateway error.

Traefik docker-compose

version: "3"

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: always
    command:
      - --log.level=DEBUG
      - --api.insecure
      - --api.dashboard
      - --providers.file.directory=/FileProvider/
      - --providers.file.watch=true
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --providers.docker.endpoint=unix:///var/run/docker.sock 
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.letsencryptresolver.acme.email=my@email.com
      - --certificatesresolvers.letsencryptresolver.acme.storage=./letsencrypt/acme.json
      - --certificatesresolvers.letsencryptresolver.acme.httpchallenge.entrypoint=web
      - --certificatesresolvers.letsencryptresolver.acme.httpchallenge=true
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    volumes:
      - ...
    networks:
      - local-lan
    labels:
      - --traefik.http.middlewares.https.redirectscheme.scheme=https
      - --traefik.http.routers.https_redirect.middlewares=https
      - --traefik.http.routers.https_redirect.rule=(Host(`bitwarden.mydomain.com`) || Host(`nextcloud.mydomain.com`))
      - --traefik.http.routers.https_redirect.entrypoints=web
      - --traefik.docker.network=local-lan

networks:
  local-lan:
      external: true

traefik dynamic config

middlewares:
  ncHeader:
    headers:
      customResponseHeaders:
        stsPreload: true
        stsSeconds: 15552000
  redirect:
    redirectScheme:
      scheme: https

bitwarden_rs docker-compose

version: '3'

services:
  bitwarden:
    image: bitwardenrs/server:latest
    container_name: bitwarden
    restart: always
    volumes:
      - /home/reggi/bitwarden/data:/data
    environment:
      - WEBSOCKET_ENABLED=true
      - WEB_VAULT_ENABLED=true
      - SIGNUPS_ALLOWED=true
      - ADMIN_TOKEN=xxxxxxxxxxx
    ports:
      - 3012:3012
      - 4500:80
    networks:
      - local-lan
    labels:
      - traefik.enable=true
      - traefik.docker.network=local-lan
      - traefik.http.services.bitwarden-ui.loadbalancer.server.port=4500
      - traefik.http.services.bitwarden-ui.loadbalancer.server.scheme=http

      - traefik.http.routers.bitwarden-ui-https.rule=Host(`bitwarden.mydomain.com`)
      - traefik.http.routers.bitwarden-ui-https.entrypoints=websecure
      - traefik.http.routers.bitwarden-ui-https.tls=true
      - traefik.http.routers.bitwarden-ui-https.tls.certresolver=letsencryptresolver
      - traefik.http.routers.bitwarden-ui-https.service=bitwarden-ui@docker

      - traefik.http.routers.bitwarden-ui-http.rule=Host(`bitwarden.mydomain.com`)
      - traefik.http.routers.bitwarden-ui-http.entrypoints=web
      - traefik.http.routers.bitwarden-ui-http.service=bitwarden-ui@docker

      - traefik.http.routers.bitwarden-websocket-https.rule=Host(`bitwarden.mydomain.com`) && Path(`/notifications/hub`)
      - traefik.http.routers.bitwarden-websocket-https.entrypoints=websecure
      - traefik.http.routers.bitwarden-websocket-https.tls=true
      - traefik.http.routers.bitwarden-websocket-https.tls.certresolver=letsencryptresolver
      - traefik.http.routers.bitwarden-websocket-https.service=bitwarden-websocket
      - traefik.http.routers.bitwarden-websocket-http.rule=Host(`bitwarden.mydomain.com`) && Path(`/notifications/hub`)
      - traefik.http.routers.bitwarden-websocket-http.entrypoints=web
      - traefik.http.routers.bitwarden-websocket-http.service=bitwarden-websocket
      - traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012
      
networks:
 local-lan:
    external: true

Both containers are running fine with this configuration but for some reason, I get a Bad Gateway when I navigate to http(s)://bitwarden.mydomain.com.

When I navigate to my server IP:4500 bitwarden opens up meaning the docker container is running fine. In my traefik log I can find this error:

time="2021-03-10T21:06:35Z" level=debug msg="'502 Bad Gateway' caused by: dial tcp 17.32.0.8:4500: connect: connection refused"

And when I do a simple curl to the bitwarden container from traefik container I get the same error: curl --verbose http://17.32.0.8:4500

For example, curl to my nextcloud container does work.

I tried a lot of stuff already but can't seem to figure it out. For nextcloud I could add a trusted proxy domain but that doesn't seem to be possible for bitwarden_rs if I'm not mistaken.

Does someone know what I'm missing or doing wrong?


Solution

  • After some more investigation, I found my error.

    I don't need to map port 80 outside your docker network, I just needed to expose it. So this works now:

    version: '3'
    
    services:
      bitwarden:
        image: bitwardenrs/server:latest
        container_name: bitwarden
        restart: always
        volumes:
          - /home/reggi/bitwarden/data:/data
        environment:
          - WEBSOCKET_ENABLED=true
          - WEB_VAULT_ENABLED=true
          - SIGNUPS_ALLOWED=true
          - ADMIN_TOKEN=xxxxxxxxxxx
        expose:
          - 3012
          - 80
        networks:
          - local-lan
        labels:
          - traefik.enable=true
          - traefik.docker.network=local-lan
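          # Traefik dials the container directly, so this is the container port (80), not the old host-mapped 4500
          - traefik.http.services.bitwarden-ui.loadbalancer.server.port=80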
          - traefik.http.services.bitwarden-ui.loadbalancer.server.scheme=http
    
          - traefik.http.routers.bitwarden-ui-https.rule=Host(`bitwarden.mydomain.com`)
          - traefik.http.routers.bitwarden-ui-https.entrypoints=websecure
          - traefik.http.routers.bitwarden-ui-https.tls=true
          - traefik.http.routers.bitwarden-ui-https.tls.certresolver=letsencryptresolver
          - traefik.http.routers.bitwarden-ui-https.service=bitwarden-ui@docker
    
          - traefik.http.routers.bitwarden-ui-http.rule=Host(`bitwarden.mydomain.com`)
          - traefik.http.routers.bitwarden-ui-http.entrypoints=web
          - traefik.http.routers.bitwarden-ui-http.service=bitwarden-ui@docker
    
          - traefik.http.routers.bitwarden-websocket-https.rule=Host(`bitwarden.mydomain.com`) && Path(`/notifications/hub`)
          - traefik.http.routers.bitwarden-websocket-https.entrypoints=websecure
          - traefik.http.routers.bitwarden-websocket-https.tls=true
          - traefik.http.routers.bitwarden-websocket-https.tls.certresolver=letsencryptresolver
          - traefik.http.routers.bitwarden-websocket-https.service=bitwarden-websocket
          - traefik.http.routers.bitwarden-websocket-http.rule=Host(`bitwarden.mydomain.com`) && Path(`/notifications/hub`)
          - traefik.http.routers.bitwarden-websocket-http.entrypoints=web
          - traefik.http.routers.bitwarden-websocket-http.service=bitwarden-websocket
          - traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012
          
    networks:
     local-lan:
        external: true
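
A check for the mistake discussed above, added here as an example (it is not part of the original question or answer): it compares each `loadbalancer.server.port` label against the service's `ports`/`expose` entries and also reports host-published ports, which stay reachable without Traefik or TLS. The service dicts are constructed samples modelled on the bitwarden service, and only single-port short-syntax `ports` entries are assumed.

```python
import re

PORT_LABEL = re.compile(
    r"^traefik\.http\.services\.([^.]+)\.loadbalancer\.server\.port=(\d+)$")

def parse_published(ports):
    """Map host port -> container port for entries like '4500:80' or '127.0.0.1:4500:80'."""
    published = {}
    for entry in ports:
        parts = str(entry).split("/")[0].split(":")   # drop '/tcp', split host:container
        if len(parts) >= 2:                           # a bare '80' has no fixed host port
            published[int(parts[-2])] = int(parts[-1])
    return published

def lint_service(service):
    """Return findings for one compose service given as a dict (ports, expose, labels)."""
    published = parse_published(service.get("ports", []))
    container_ports = set(published.values()) | {int(p) for p in service.get("expose", [])}
    findings = []
    for label in service.get("labels", []):
        m = PORT_LABEL.match(label)
        if not m:
            continue
        name, port = m.group(1), int(m.group(2))
        if port in published and published[port] != port:
            # The label names the host side of a mapping; inside the network nothing listens there.
            findings.append(f"{name}: server.port={port} is the host side of "
                            f"{port}:{published[port]}; use {published[port]}")
        elif container_ports and port not in container_ports:
            findings.append(f"{name}: server.port={port} is not a declared "
                            f"container port {sorted(container_ports)}")
    for host, cont in published.items():
        findings.append(f"host port {host} -> {cont} is published and bypasses Traefik")
    return findings

# Constructed samples: the failing layout (host mapping) and an expose-only layout.
QUESTION = {"ports": ["3012:3012", "4500:80"], "labels": [
    "traefik.http.services.bitwarden-ui.loadbalancer.server.port=4500",
    "traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012"]}
EXPOSE_ONLY = {"expose": [3012, 80], "labels": [
    "traefik.http.services.bitwarden-ui.loadbalancer.server.port=80",
    "traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012"]}

if __name__ == "__main__":
    for title, svc in (("question", QUESTION), ("expose-only", EXPOSE_ONLY)):
        print(title, lint_service(svc) or "ok")
```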