Self-hosted Bitwarden instance (Vaultwarden) using Cloudflare Tunnel to expose the service
- Bitwarden self-hosted, with HAProxy as a reverse proxy
- Automatic HTTPS certificate, DNS record management Cloudflare Tunnel
- Blocking brute-force attempts with fail2ban and Cloudflare IP Rules
- Country-wide blocking through Cloudflare Firewall
Before you start, ensure you have the following:
- A VM/Compute Instance/VPS for hosting the service (External IP not required)
- Docker and Docker Compose installed
- Internet access/egress must be allowed
- A Cloudflare-managed Domain. Any domain registrar will work, but Cloudflare must be managing the DNS records for the domain.
SSH into VPS and clone this repo:
git clone https://github.com/n0k0m3/vaultwarden_cloudflare
cd vaultwarden_cloudflarecp .env.example .envI provide .env.template which should be copied to .env and filled out; filling it out is self-explanitory and requires certain values such as a domain name, Cloudflare API tokens, etc.
Be aware that there is an optional backup section that allows you to have an encrypted backup regularly backed up and emailed or synced to cloud storage. More documentation on this feature is available here.
fail2ban stops brute-force attempts at your vault. To configure how long a ban is and how many attempts will trigger a ban, edit fail2ban/jail.d/jail.local:
bantime = 6h <- how long to enforce the ip ban
maxretry = 5 <- number of times to retry until a ban occurs
This will work out of the box - no fail2ban configuration is needed unless you want e-mail alerts of bans. To enable this, enter the SMTP settings in .env, and follow the instructions in fail2ban/jail.d/jail.local by uncommenting and entering destemail and sender and uncommenting the action_mwl action in the vaultwaden and vaultwaden-admin jails in the same file.
To start up, use docker-compose:
docker network create cloudflared
docker-compose upYou can now use your browser to visit your new Bitwarden site.