[GH-ISSUE #740] Websocket with Traefik and docker compose #499

Closed
opened 2026-03-03 01:29:56 +03:00 by kerem · 9 comments

Originally created by @ZenoBell on GitHub (Nov 21, 2019).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/740

Hello guys,

I can't manage to make the websocket work. If I try to open https://domain.com/notifications/hub I'm getting the error "Internal Server Error". If I change the label from ws to wss, same error.

I don't know if it helps, but I can see these errors too in the browser:

```
X-Firefox-Spdy h2
access-control-allow-origin
cache-control no-cache, no-store, max-age=0
cf-cache-status DYNAMIC
cf-ray 53b5ef0979acd111-TXL
content-length 385
content-security-policy frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://*;
content-type application/json
date Mon, 25 Nov 2019 19:12:22 GMT
expect-ct max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
feature-policy accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; sync-xhr 'self' https://haveibeenpwned.com https://twofactorauth.org; usb 'none'; vr 'none'
referrer-policy same-origin
server cloudflare
x-content-type-options nosniff
x-frame-options SAMEORIGIN
x-xss-protection 1; mode=block
```

Also, from what I read, Cloudflare SSL fully supports WebSockets traffic passing through their network, so it shouldn't be an issue.

In the raw data I can see this:

```
{"ErrorModel":{"Message":"'/notifications/hub' should be proxied to the websocket server or notifications won't work. Go to the README for more info.","Object":"error"},"Message":"","Object":"error","ValidationErrors":{"":["'/notifications/hub' should be proxied to the websocket server or notifications won't work. Go to the README for more info."]},"error":"","error_description":""}
```

and in the logs:

```
[2019-11-25 19:12:16][_][INFO] Matched: GET /notifications/hub (websockets_err)
[2019-11-25 19:12:16][bitwarden_rs::error][ERROR] '/notifications/hub' should be proxied to the websocket server or notifications won't work. Go to the README for more info.. '/notifications/hub' should be proxied to the websocket server or notifications won't work. Go to the README for more info.
[2019-11-25 19:12:16][_][INFO] Outcome: Success
[2019-11-25 19:12:16][_][INFO] Response succeeded.
[2019-11-25 19:12:22][rocket::rocket][INFO] GET /notifications/hub text/html:
[2019-11-25 19:12:22][_][INFO] Matched: GET /notifications/hub (websockets_err)
[2019-11-25 19:12:22][bitwarden_rs::error][ERROR] '/notifications/hub' should be proxied to the websocket server or notifications won't work. Go to the README for more info.. '/notifications/hub' should be proxied to the websocket server or notifications won't work. Go to the README for more info.
[2019-11-25 19:12:22][_][INFO] Outcome: Success
```

```
  bitwarden:
    image: bitwardenrs/server
    container_name: bitwarden
    restart: always
    ports:
     - "3300:80"
    networks:
      - traefik_proxy
    volumes:
      - ./bw-data:/data
    environment:
      WEBSOCKET_ENABLED: 'true' # Required to use websockets
      SIGNUPS_ALLOWED: 'true'   # set to false to disable signups
      ADMIN_TOKEN: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
      SMTP_HOST: 'smtp.gmail.com'
      SMTP_FROM: 'bitwarden@domaincom'
      SMTP_PORT: '587'
      SMTP_SSL: 'true'
      SMTP_USERNAME: 'blabla@gmail.com'
      SMTP_PASSWORD: 'xxxxxxxxxxxxxxxxxxxxxx'
      DOMAIN: 'https://bitwarden.domain.com'
      LOG_FILE: '/data/log'
      EXTENDED_LOGGING: 'true'

    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.web.frontend.rule=Host:bitwarden.domain.com"
      - "traefik.web.port=80"
      - "traefik.hub.frontend.rule=Host:bitwarden.domain.com;Path:/notifications/hub"
      - "traefik.hub.port=3012"
      - "traefik.hub.protocol=ws"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=bitwarden.domain.com"
      - "traefik.frontend.headers.SSLForceHost=true"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.customResponseHeaders: X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      - "traefik.frontend.headers.frameDeny=true"
```

Any idea? Thanks!

kerem closed this issue 2026-03-03 01:29:56 +03:00

@NLLucifer commented on GitHub (Jan 24, 2020):

Same problem here. Still can't find a solution.


@eric-pierce commented on GitHub (Feb 5, 2020):

@sesshomaru86 what appears to have fixed it for me was to disable traefik.backend=bitwarden_rs, but I don't see that listed as a label in your docker compose file. Here's the thread where I found my answer: https://github.com/dani-garcia/bitwarden_rs/issues/453#issuecomment-482522679
cc @NLLucifer


@NLLucifer commented on GitHub (Feb 6, 2020):

Worked for me, Thanks @eric-pierce


@ZenoBell commented on GitHub (Feb 6, 2020):

Yep, in the wiki there is an example also based on Traefik v1:

```
labels:
  - traefik.enable=true
  - traefik.docker.network=traefik
  - traefik.web.frontend.rule=Host:bitwarden.domain.tld
  - traefik.web.port=80
  - traefik.hub.frontend.rule=Host:bitwarden.domain.tld;Path:/notifications/hub
  - traefik.hub.port=3012
  - traefik.hub.protocol=ws
```

So that's why from the beginning I didn't include the label traefik.backend.

If it is possible, @eric-pierce @NLLucifer, could you guys both post your docker compose configuration so maybe I will get to figure out why mine doesn't work? Thanks!


@eric-pierce commented on GitHub (Feb 7, 2020):

@sesshomaru86 happy to share, I'm still using docker 1.7 but will eventually upgrade to 2.x

```
bitwarden:
  image: bitwardenrs/server:latest
  restart: always
  volumes:
    - ./bw-data:/data
    - /var/run/docker.sock:/var/run/docker.sock
  environment:
    - WEBSOCKET_ENABLED=true # Required to use websockets
    - SIGNUPS_ALLOWED=false # set to false to disable signups
    - SMTP_EXPLICIT_TLS=true
    - SMTP_HOST=${SMTP_HOST}
    - SMTP_FROM=${SMTP_FROM}
    - SMTP_PORT=${SMTP_PORT}
    - SMTP_SSL=true
    - SMTP_USERNAME=${SMTP_USERNAME}
    - SMTP_PASSWORD=${SMTP_PASSWORD}
    - DOMAIN=bitwarden.${DOMAINNAME}
    - TZ=${TZ}
  ports:
    - 8099:80
    - 3012:3012
  labels:
    - "traefik.enable=true"
    - "traefik.web.frontend.rule=Host:bitwarden.${DOMAINNAME}"
    - "traefik.web.port=80"
    - "traefik.hub.frontend.rule=Host:bitwarden.${DOMAINNAME};Path:/notifications/hub"
    - "traefik.hub.port=3012"
    - "traefik.hub.protocol=ws"
    - "traefik.docker.network=traefik"
    - "traefik.frontend.headers.SSLRedirect=true"
    - "traefik.frontend.headers.STSSeconds=315360000"
    - "traefik.frontend.headers.browserXSSFilter=true"
    - "traefik.frontend.headers.contentTypeNosniff=true"
    - "traefik.frontend.headers.forceSTSHeader=true"
    - "traefik.frontend.headers.SSLHost=${DOMAINNAME}"
    - "traefik.frontend.headers.STSIncludeSubdomains=true"
    - "traefik.frontend.headers.STSPreload=true"
    - "traefik.frontend.headers.frameDeny=true"
```


@ZenoBell commented on GitHub (Feb 9, 2020):

Thanks @eric-pierce! I just uncommented the lines to match yours and magically this time it worked. The only new line that I added was `traefik.frontend.headers.frameDeny=true`. Also I updated to the latest bw image. Don't know exactly what did the trick, but it worked! 1000x thanks once again!


@fmoledina commented on GitHub (Apr 12, 2020):

@eric-pierce, I'm just setting this up on my end and using your compose snippet as a guide. Any reason why you need `/var/run/docker.sock:/var/run/docker.sock` in your volumes list for bitwarden_rs? I've copied the rest of your lines, and my instance works without that `docker.sock` line.


@eric-pierce commented on GitHub (Apr 12, 2020):

> Any reason why you need `/var/run/docker.sock:/var/run/docker.sock` in your volumes list for bitwarden_rs?

It isn’t required, I tend to include it for docker containers to allow control of the docker daemon from outside the container, more info here https://medium.com/better-programming/about-var-run-docker-sock-3bfd276e12fd


@fmoledina commented on GitHub (Apr 13, 2020):

> It isn’t required, I tend to include it for docker containers to allow control of the docker daemon from outside the container, more info here https://medium.com/better-programming/about-var-run-docker-sock-3bfd276e12fd

Right. I understand the use of the socket for monitoring and manipulating Docker on the host. I guess I only use it for a handful of containers, including Traefik, Portainer, and Watchtower. I'll leave it off of my bitwarden_rs instance as I don't think it uses it. Thanks for the prompt response!
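
An added example, not part of the original thread or the vaultwarden project: a small Python check for the three things this thread turned on in a Traefik v1 compose service, namely a segment that routes `/notifications/hub` to port 3012, a `traefik.backend` label (which @eric-pierce reported disabling), and a `docker.sock` mount the service does not need. The sample compose text, the function names and the finding IDs are constructed for illustration, and the line-based parser assumes a single-service snippet like the ones posted above.

```python
import re

# Constructed sample, modelled on the compose snippets in this thread.
SAMPLE = """\
bitwarden:
  image: bitwardenrs/server:latest
  volumes:
    - ./bw-data:/data
    - /var/run/docker.sock:/var/run/docker.sock
  labels:
    - "traefik.enable=true"
    - "traefik.backend=bitwarden_rs"
    - "traefik.web.frontend.rule=Host:bitwarden.example.test"
    - "traefik.web.port=80"
    - "traefik.hub.frontend.rule=Host:bitwarden.example.test;Path:/notifications/hub"
    - "traefik.hub.port=3012"
    - "traefik.hub.protocol=ws"
"""

def section_items(compose_text, key):
    """List items under `key:` (volumes, labels) in a single-service snippet."""
    items, inside, key_indent = [], False, 0
    for line in compose_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if stripped == f"{key}:":
            inside, key_indent = True, indent
        elif inside and stripped.startswith("- ") and indent >= key_indent:
            items.append(stripped[2:].strip().strip("'\""))
        else:
            inside = False
    return items

def audit(compose_text):
    """Return finding IDs for the three issues discussed in the thread."""
    findings = []
    labels = dict(l.split("=", 1) for l in section_items(compose_text, "labels") if "=" in l)
    # Traefik v1 segment labels look like traefik.<segment>.frontend.rule / .port
    hub_segments = [m.group(1) for k, v in labels.items()
                    if (m := re.fullmatch(r"traefik\.(\w+)\.frontend\.rule", k))
                    and "Path:/notifications/hub" in v]
    if not any(labels.get(f"traefik.{s}.port") == "3012" for s in hub_segments):
        findings.append("no-hub-route")         # /notifications/hub not sent to 3012
    if "traefik.backend" in labels:
        findings.append("backend-label")        # label reported disabled in this thread
    if any(v.split(":")[0].endswith("docker.sock")
           for v in section_items(compose_text, "volumes")):
        findings.append("docker-sock-mounted")  # daemon control the service does not need
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```
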
