I’m pretty new in this space, and have been tinkering around with some self-hosting for the last month or so, via Docker on an Ubuntu host. I’m pretty comfortable with Linux, but trying to learn reverse-proxy stuff. So, I thought my next project would be Vaultwarden, but I want to be able to access it from outside the network, and I need SSL working. I have gotten other dockers to be accessible from outside (http://bookstack.oaf.monster) using nginx manager, but the two I’ve tried with SSL (vik.oaf.monster and vault.oaf.monster) give me 502 Bad Gateway errors. So I know I’m configuring something incorrectly. Been trying to fix this as I’ve had time for the last week, and finally deciding I need to reach out for help! Any notes/tips/ideas are appreciated.

First and foremost, here’s what I see in the error log for nginx:

2023/08/21 16:54:29 [error] 3049756#3049756: *95695 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.23.0.32, server: vault.oaf.monster, request: "GET / HTTP/2.0", upstream: "https://10.23.0.220:8006/", host: "vault.oaf.monster"
2023/08/21 16:54:29 [error] 3049756#3049756: *95695 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.23.0.32, server: vault.oaf.monster, request: "GET /favicon.ico HTTP/2.0", upstream: "https://10.23.0.220:8006/favicon.ico", host: "vault.oaf.monster", referrer: "https://vault.oaf.monster/"

I see it says wrong version number, but admittedly I have no idea what to do with that. Not experienced enough in SSL.

My NGINX config file for vaultwarden (I know how to use cat, but I don’t know how to manually edit this file if I need to… no vi on the docker!):

[root@docker-bf5d51784409:/data/nginx/proxy_host]# cat 7.conf
# ------------------------------------------------------------
# vault.oaf.monster
# ------------------------------------------------------------

server {
  set $forward_scheme https;
  set $server         "10.23.0.220";
  set $port           8006;

  listen 80;
  listen [::]:80;

  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name vault.oaf.monster;

  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-4/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-4/privkey.pem;

  # Force SSL
  include conf.d/include/force-ssl.conf;

  access_log /data/logs/proxy-host-7_access.log proxy;
  error_log /data/logs/proxy-host-7_error.log warn;

  location / {
    # Proxy!
    include conf.d/include/proxy.conf;
  }

  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

This is my docker-compose for vaultwarden, in case it’s relevant:

version: '3'

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      DOMAIN: "https://vault.oaf.monster"  # Your domain; vaultwarden needs to know it's https to work properly with attachments
    volumes:
      - ./vw-data:/data
    ports:
      - 8006:80

And lastly, I took a few screenshots and put them here… might be useful. https://imgur.com/a/JRH9jXi

What am I doing wrong? I’m open to the idea that it might be multiple things. Thanks in advance!
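
The "wrong version number" in that log is what OpenSSL reports when a TLS ClientHello is answered by a plain-HTTP listener, and the compose file maps host port 8006 to the container's port 80, so the upstream here speaks plain HTTP while the proxy host is set to forward as https. Below is an added diagnostic (not part of this post or of Nginx Proxy Manager) that probes an upstream the way nginx does and reports which protocol it really speaks; `start_plain_http_server` is a constructed stand-in for the vaultwarden port and `probe_upstream` is a hypothetical helper name.

```python
import http.server
import socket
import ssl
import threading


def start_plain_http_server():
    """Constructed stand-in for the vaultwarden container: a plain-HTTP listener
    on a random loopback port (the role host port 8006 -> container 80 plays)."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.send_header("Content-Length", "2")
            self.end_headers()
            self.wfile.write(b"ok")

        def log_message(self, *args):  # keep the probe output quiet
            pass

    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_upstream(host, port, timeout=3.0):
    """Return 'https', 'http' or 'unknown' for what the upstream really speaks.
    Step 1 sends a TLS ClientHello, as nginx does with $forward_scheme https.
    A plain-HTTP listener answers it with an 'HTTP/1.x 400 ...' line, which
    OpenSSL rejects as WRONG_VERSION_NUMBER: the error in the log above.
    Step 2 then confirms the port speaks plain HTTP before reporting 'http'.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # the question is the protocol, not identity
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "https"
    except ssl.SSLError as exc:
        if "WRONG_VERSION_NUMBER" not in str(exc):
            return "unknown"
    except OSError:
        return "unknown"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            return "http" if raw.recv(16).startswith(b"HTTP/") else "unknown"
    except OSError:
        return "unknown"
```

Against the real box the call would be `probe_upstream("10.23.0.220", 8006)`; a result of `http` means the proxy host's scheme in NPM needs to match that, not https.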

  • I haven’t got time to take a decent look at this right now, but will try to make time later today. But I had nightmares getting Nginx Proxy Manager to behave reliably on my unraid box - with Vaultwarden (among other things) as well coincidentally. And subsequently I ended up switching to CaddyV2 as it ended up being easier to get running and has (touch wood) so far been more stable.