This is an automated archive made by the Lemmit Bot.

The original was posted on /r/selfhosted by /u/GreatRoxy on 2024-09-20 07:12:57+00:00.


Hi everyone,

I’m curious about best practices for self-hosting a password manager like Bitwarden or Vaultwarden. Do you expose your instance to the internet using a public FQDN, or do you prefer alternatives like VPN (e.g., WireGuard)?

For those using a reverse proxy, are you setting up Nginx Proxy Manager (NPM) to point to http://local-bitwarden-service and using SSL with Let’s Encrypt? Or do you create a self-signed certificate (or use Cloudflare’s origin cert) and set NPM to route to https://local-bitwarden-service?

Lastly, do any of you use Cloudflare proxy DNS or Cloudflared Tunnels to enhance security and privacy?

I’m planning to share the password manager with family members, who will access it via browser extensions and mobile apps. Any advice on security, configuration, or alternative setups would be greatly appreciated!

Thanks in advance for your insights!

  • Adincar
    link
    fedilink
    arrow-up
    1
    ·
    edit-2
    2 months ago

    For anyone reading this best practice is to put it behind a VPN or something similar, I personally have it setup as a subdomain (bitwarden.domain.com) using nginx proxy manager to sign using let’s encrypt.

    In saying that I’m in the middle of migrating everything to swag (which is pure nginx with fail2ban built in) just to make management of some other things easier.

    I will say if you do set it up public facing, make sure you disable signups for both security and to stop random people from using your server.