'/%3e%3c/g%3e%3cdefs%3e%3clinearGradient%20id='paint0_linear_91_7909'%20x1='2.80579'%20y1='2.93848'%20x2='14.3838'%20y2='4.55824'%20gradientUnits='userSpaceOnUse'%3e%3cstop%20stop-color='%231198B9'/%3e%3cstop%20offset='0.0001'%20stop-color='%230F9DB8'/%3e%3cstop%20offset='1'%20stop-color='%232468C0'/%3e%3c/linearGradient%3e%3c/defs%3e%3c/svg%3e)
'/%3e%3c/g%3e%3cdefs%3e%3clinearGradient%20id='paint0_linear_91_7889'%20x1='4.20874'%20y1='4.40771'%20x2='21.5757'%20y2='6.83736'%20gradientUnits='userSpaceOnUse'%3e%3cstop%20stop-color='%231198B9'/%3e%3cstop%20offset='0.0001'%20stop-color='%230F9DB8'/%3e%3cstop%20offset='1'%20stop-color='%232468C0'/%3e%3c/linearGradient%3e%3c/defs%3e%3c/svg%3e)
Back
Vaultwarden is a lightweight, self-hosted password manager server compatible with Bitwarden clients. It is a popular choice for users who want the convenience of Bitwarden without the higher resource demands of the official server stack. When paired with Docker and Caddy, Vaultwarden becomes easy to deploy, secure, and maintain on Ubuntu 24.04. In this guide, you will learn how to install Vaultwarden on Ubuntu 24.04 using Docker containers and configure Caddy as a reverse proxy with automatic HTTPS.
Why use Vaultwarden with Docker and Caddy
Running Vaultwarden in Docker simplifies deployment and future maintenance. Containers isolate the application, make upgrades easier, and help keep the host system clean. Caddy is an excellent companion because it can automatically obtain and renew SSL certificates from Let’s Encrypt, while also acting as a secure reverse proxy for your Vaultwarden instance.
- Vaultwarden provides a fast and efficient self-hosted password manager.
- Docker makes application deployment consistent and portable.
- Caddy handles HTTPS automatically and forwards traffic to the Vaultwarden container.
Prerequisites
Before you begin, make sure your server environment is ready.
- A fresh Ubuntu 24.04 server
- Root access or a user with sudo privileges
- A domain or subdomain pointed to your server, such as
vaultwarden.example.com - Ports 80 and 443 open in your firewall
Install required packages
The first step is to install the basic packages needed to add the Docker repository securely.
apt install ca-certificates curl gnupg -y
Install Docker on Ubuntu 24.04
Next, add Docker’s official GPG key and repository, then install the latest Docker Engine and related tools.
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
chmod a+r /etc/apt/keyrings/docker.asc
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo ${UBUNTU_CODENAME:-$VERSION_CODENAME}) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
apt update
apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y
After installation, confirm that Docker is available.
docker --version
If everything is working properly, the command will return the installed Docker version.
Create a dedicated system user
For better organization, it is a good idea to run the deployment under a dedicated user account instead of using root directly.
useradd -G docker,sudo -s /bin/bash -m -d /opt/master master
passwd master
Switch to the new user before continuing.
su - master
Prepare the Vaultwarden project directories
Create the directory structure that will hold Vaultwarden data and Caddy configuration files.
mkdir ~/vaultwarden/{vw-data,caddy,caddy-config,caddy-data} -p
cd ~/vaultwarden
Create the Docker Compose configuration
Create a new file named docker-compose.yaml inside the project directory.
nano docker-compose.yaml
Add the following configuration to the file:
services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
restart: always
environment:
- WEBSOCKET_ENABLED=true
volumes:
- ./vw-data:/data
caddy:
image: caddy:2
container_name: caddy
restart: always
ports:
- "80:80"
- "443:443"
volumes:
- ./caddy:/etc/caddy:ro
- ./caddy-config:/config
- ./caddy-data:/data
environment:
- DOMAIN=https://vaultwarden.yourdomain.com
- EMAIL=you@yourdomain.com
- LOG_FILE=/data/access.log
Replace vaultwarden.yourdomain.com with your actual domain name and update the email address with one you control. Be careful with spacing and indentation because YAML is sensitive to formatting.
Create the Caddy configuration file
Now create the Caddy configuration that will enable HTTPS and forward requests to Vaultwarden.
nano ~/vaultwarden/caddy/Caddyfile
Paste the following content into the file:
{$DOMAIN}:443 {
log {
level INFO
output file {$LOG_FILE} {
roll_size 10MB
roll_keep 10
}
}
tls {$EMAIL}
encode gzip
header {
Strict-Transport-Security "max-age=31536000;"
X-XSS-Protection "1; mode=block"
X-Frame-Options "DENY"
X-Robots-Tag "none"
-Server
}
reverse_proxy /notifications/hub vaultwarden:3012
reverse_proxy vaultwarden:80 {
header_up X-Real-IP {remote_host}
}
}
This configuration tells Caddy to secure your Vaultwarden site with HTTPS, compress responses, apply several security headers, and correctly proxy standard web traffic and WebSocket notifications.
Start Vaultwarden and Caddy
Once both configuration files are in place, launch the containers in detached mode.
docker compose up -d
Docker will download the required images, create the network, and start both services. When the process completes successfully, your self-hosted password manager should be available at your configured domain.
Open Vaultwarden in your browser
Visit your site at https://vaultwarden.yourdomain.com. If DNS is configured correctly and ports 80 and 443 are reachable, Caddy will automatically request and install an SSL certificate.
You can now create your first account by selecting the registration option on the login page. During setup, choose a strong master password, ideally 12 characters or longer, with a combination of letters, numbers, and symbols.
Connect Bitwarden-compatible clients
One of the main advantages of Vaultwarden is compatibility with Bitwarden apps and browser extensions. After your account is created, install a supported client such as the browser extension from the Chrome Web Store or the official mobile app.
When signing in, select the self-hosted option and enter your Vaultwarden server URL. After authentication, your vault will sync with your private server instead of the public Bitwarden cloud.
Tips for a more secure deployment
After installation, consider tightening security even further.
- Disable public signups after creating your account if only you or your team will use the server
- Keep Docker images updated regularly
- Back up the
vw-datadirectory frequently - Use a strong master password and enable two-factor authentication where possible
- Monitor Caddy and Docker logs for unusual activity
Conclusion
Installing Vaultwarden on Ubuntu 24.04 with Docker and Caddy is an efficient way to build a secure, self-hosted password manager with automatic HTTPS. This setup combines the lightweight performance of Vaultwarden, the flexibility of Docker containers, and the convenience of Caddy’s built-in SSL automation. Once deployed, you can access your vault from compatible desktop, browser, and mobile clients while maintaining full control over your data.
If you want a private password management solution that is easy to maintain and cost-effective, Vaultwarden on Ubuntu 24.04 is an excellent option.
