# Proxy examples In this document, `` refers to the IP or domain where bitwarden_rs is accessible from. If both the proxy and bitwarden_rs are running in the same system, simply use `localhost`. The ports proxied by default are `80` for the web server and `3012` for the WebSocket server. The proxies are configured to listen in port `443` with HTTPS enabled, which is recommended. When using a proxy, it's preferrable to configure HTTPS at the proxy level and not at the application level, this way the WebSockets connection is also secured. ## Caddy ```nginx localhost:443 { # The negotiation endpoint is also proxied to Rocket proxy /notifications/hub/negotiate :80 { transparent } # Notifications redirected to the websockets server proxy /notifications/hub :3012 { websocket } # Proxy the Root directory to Rocket proxy / :80 { transparent } tls ${SSLCERTIFICATE} ${SSLKEY} } ``` ## Nginx (by shauder) ```nginx server { include conf.d/ssl/ssl.conf; listen 443 ssl http2; server_name vault.*; location /notifications/hub/negotiate { include conf.d/proxy-confs/proxy.conf; proxy_pass http://:80; } location / { include conf.d/proxy-confs/proxy.conf; proxy_pass http://:80; } location /notifications/hub { proxy_pass http://:3012/api/websocket; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } ``` ## Apache (by fbartels) ```apache SSLEngine on ServerName bitwarden.$hostname.$domainname SSLCertificateFile ${SSLCERTIFICATE} SSLCertificateKeyFile ${SSLKEY} SSLCACertificateFile ${SSLCA} ${SSLCHAIN} ErrorLog \${APACHE_LOG_DIR}/bitwarden-error.log CustomLog \${APACHE_LOG_DIR}/bitwarden-access.log combined RewriteEngine On RewriteCond %{HTTP:Upgrade} =websocket [NC] RewriteRule /(.*) ws://:3012/$1 [P,L] ProxyPass / http://:80/ ProxyPreserveHost On ProxyRequests Off ```