Config for vaultwarden websocket support

Hello Guys!

I use opnsense for my homelab with haproxy as reverse proxy. I had setup all services and everything worked like a charm. I got a 100% test @SSLLabs in all 4 categories, but i didn’t get vaultwarden websocket working. Can anybody of you look at my config? I don’t find the issue.

Unfortunely nobod in the other forums like opnsense or vaultwarden know the issue :confused:
Here is my config.

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443 
    bind 0.0.0.0:80 name 0.0.0.0:80 
    mode tcp
    default_backend SSL_backend
    # tuning options
    timeout client 30s

    # logging options

# Frontend: 1_HTTP_frontend (Listening on 127.0.0.1:80)
frontend 1_HTTP_frontend
    bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy 
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: NoSSL_condition
    acl acl_636976fd9d4d71.97561865 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_636976fd9d4d71.97561865

# Frontend: 1_HTTPS_frontend (Listening on 127.0.0.1:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.0.0.1:443 name 127.0.0.1:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/636aad8d3cbe18.58884679.certlist 
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: nc_carddav
    acl acl_636ba4e5b6aa82.28881573 path_end -i /.well-known/carddav
    # ACL: nc_caldav
    acl acl_636ba2d9f14933.27250118 path_end -i /.well-known/caldav
    # ACL: vw_ws_acl01_condition
    acl acl_636c2f2b5accd9.55827620 path -i /notifications/hub
    # ACL: vw_ws_acl02_condition
    acl acl_636cc909734817.72974823 path -i /notifications/hub/negotiate

    # ACTION: nc_carddav_rule
    http-request redirect code 301 location /remote.php/dav if acl_636ba4e5b6aa82.28881573
    # ACTION: nc_caldav_rule
    http-request redirect code 301 location /remote.php/dav if acl_636ba2d9f14933.27250118
    # ACTION: vw_ws_acl01_rule
    use_backend vw_backend if acl_636c2f2b5accd9.55827620
    # ACTION: vw_ws_acl02_rule
    use_backend vw_ws_backend if acl_636cc909734817.72974823
    # ACTION: PUBLIC_SUBDOMAINS-map_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/63653d33935cd3.47503593.txt)] 

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server SSL_server 127.0.0.1 send-proxy-v2 check-send-proxy

# Backend: office_backend (Onlyoffice)
backend office_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server office_server 10.10.20.8:80 

# Backend: vw_backend (Vaultwarden)
backend vw_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server vw_server 10.10.20.7:80 

# Backend: mc_backend (Minecraft Server)
backend mc_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server mc_server 10.10.40.4:80 

# Backend: cloud_backend (Nextcloud01)
backend cloud_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server cloud_server 10.10.20.5:80 

# Backend: demo_backend (Nextcloud02)
backend demo_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server demo_server 10.10.20.6:80 

# Backend: kunden_backend (Nextcloud03)
backend kunden_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server kunden_server 10.10.20.11:80 

# Backend: vw_ws_backend (Vaultwarden Websocket)
backend vw_ws_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server vw_ws_server 10.10.20.7:3012 

Thank you!

With best regards,
techsolo12