Passbolt-CE Docker in subfolder: Links incorrect

martinkoehler · March 19, 2026, 7:16am

Checklist
I have read intro post: https://community.passbolt.com/t/about-the-installation-issues-category/12
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue

This issue is identical to https://github.com/passbolt/passbolt_docker/issues/250. Sorry for the crosspost.

martinkoehler · March 19, 2026, 7:21am

When I install Passbolt_docker and configure it to use a subdirectory, the inital redirect is wrong:

Steps to reproduce:

Download curl -LO https://download.passbolt.com/ce/docker/docker-compose-ce.yaml
Edit it according to the documentation for running in a subdirectory:

21c21,27
<       APP_FULL_BASE_URL: https://passbolt.local
---
>       # External URL as seen by users
>       APP_FULL_BASE_URL: "https://passbolt.intern/passbolt"
>       APP_BASE_URL: "/passbolt"      
>       APP_DEFAULT_LOCALE: "de_DE"
>       APP_DEFAULT_TIMEZONE: "Europe/Berlin"
>       PASSBOLT_SSL_FORCE: "false"
>       PASSBOLT_SECURITY_PROXIES_ACTIVE: "true"
39,40c45
<       - 80:80
<       - 443:443
---
>       - "127.0.0.1:8081:80"

resulting docker file is:

cat docker-compose-ce.yaml.new                
services:
  db:
    image: mariadb:10.11
    restart: unless-stopped
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
      MYSQL_DATABASE: "passbolt"
      MYSQL_USER: "passbolt"
      MYSQL_PASSWORD: "P4ssb0lt"
    volumes:
      - database_volume:/var/lib/mysql

  passbolt:
    image: passbolt/passbolt:latest-ce
    #Alternatively you can use rootless:
    #image: passbolt/passbolt:latest-ce-non-root
    restart: unless-stopped
    depends_on:
      - db
    environment:
      # External URL as seen by users
      APP_FULL_BASE_URL: "https://passbolt.intern/passbolt"
      APP_BASE_URL: "/passbolt"      
      APP_DEFAULT_LOCALE: "de_DE"
      APP_DEFAULT_TIMEZONE: "Europe/Berlin"
      PASSBOLT_SSL_FORCE: "false"
      PASSBOLT_SECURITY_PROXIES_ACTIVE: "true"
      DATASOURCES_DEFAULT_HOST: "db"
      DATASOURCES_DEFAULT_USERNAME: "passbolt"
      DATASOURCES_DEFAULT_PASSWORD: "P4ssb0lt"
      DATASOURCES_DEFAULT_DATABASE: "passbolt"
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
    command:
      [
        "/usr/bin/wait-for.sh",
        "-t",
        "0",
        "db:3306",
        "--",
        "/docker-entrypoint.sh",
      ]
    ports:
      - "127.0.0.1:8081:80"
    #Alternatively for non-root images:
    # - 80:8080
    # - 443:4433

volumes:
  database_volume:
  gpg_volume:
  jwt_volume:

Fire it up:
docker compose -f docker-compose-ce.yaml up db, wait for the Database to be initialised, Then
docker compose -f docker-compose-ce.yaml up -d.

Result: Container starts and Passbolt is running and listening on 127.0.0.1:8081
NB: Currently passbolt/passbolt:latest-ce is passbolt/passbolt:5.10.0-1-ce

Observered behavoir

When I access passbolt via wget I get:

get -O - http://127.0.0.1:8081               
--2026-03-18 17:59:16--  http://127.0.0.1:8081/
Connecting to 127.0.0.1:8081... connected.
HTTP request sent, awaiting response... 302 Found
Location: /auth/login?redirect=%2F [following]
--2026-03-18 17:59:16--  http://127.0.0.1:8081/auth/login?redirect=%2F
Reusing existing connection to 127.0.0.1:8081.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘STDOUT’

-                       [<=>                 ]       0  --.-KB/s               <!doctype html>
<html class="passbolt no-js version launching no-passboltplugin" lang="en">
<head>
    <meta charset="utf-8">
    <title>Passbolt | Open source password manager for teams</title>
    <!--

        ____                  __          ____
       / __ \____  _____ ____/ /_  ____  / / /_
      / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
     / ____/ /_/ (__  )__  ) /_/ / /_/ / / /_
    /_/    \__,_/____/____/_.___/\____/_/\__/

    Open source password manager for teams
    Copyright (c) Passbolt SA (https://www.passbolt.com)


    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU Affero General Public License as
    published by the Free Software Foundation, either version 3 of the
    License, or (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU Affero General Public License for more details.

    You should have received a copy of the GNU Affero General Public License
    along with this program. If not, see http://www.gnu.org/licenses/.


    -->
    <meta name="description" content="Open source password manager for teams">
    <meta name="keywords" content="Passbolt, password manager, online password manager, open source password manager">
    <meta name="robots" content="noindex, nofollow">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="shortcut icon" type="image/x-icon" href="https://passbolt.intern/passbolt/favicon.ico" />
    <link rel="icon" href="https://passbolt.intern/passbolt/favicon.svg" />
    <link rel="icon" href="https://passbolt.intern/passbolt/favicon_32.png" sizes="32x32" />
    <link rel="icon" href="https://passbolt.intern/passbolt/favicon_57.png" sizes="57x57" />
    <link rel="icon" href="https://passbolt.intern/passbolt/favicon_76.png" sizes="76x76" />
    <link rel="icon" href="https://passbolt.intern/passbolt/favicon_96.png" sizes="96x96" />
    <link rel="icon" href="https://passbolt.intern/passbolt/favicon_128.png" sizes="128x128" />
    <link rel="icon" href="https://passbolt.intern/passbolt/favicon_192.png" sizes="192x192" />
    <link rel="icon" href="https://passbolt.intern/passbolt/favicon_228.png" sizes="228x228" />
    <base href="https://passbolt.intern/passbolt/">
        <script src="https://passbolt.intern/passbolt/js/app/stylesheet.js?v=5.10.0" id="stylesheet-manager" data-file="api_authentication.min.css" cache-version="5.10.0"></script></head>
<body spellcheck="false">
<!-- main -->
<div id="container" class="page ">
</div>
<script src="https://passbolt.intern/passbolt/js/app/api-vendors.js?v=5.10.0" cache-version="5.10.0"></script><script src="https://passbolt.intern/passbolt/js/app/api-triage.js?v=5.10.0" cache-version="5.10.0"></script></body>
</html>
-                       [ <=>                ]   2.88K  --.-KB/s    in 0s      

2026-03-18 17:59:16 (16.9 MB/s) - written to stdout [2945]

Expected behavoir

The output should contain:

...
Location: /passbolt/auth/login?redirect=%2F
...

Without the /passbolt in the redirect, this setup can not be used in a (proxy) environment, where the “real” url is https://example.com/passbolt is proxied to the container.

Might be connected to https://community.passbolt.com/t/passbolt-install-in-a-subfolder/2885/5 , since the changes proposed there are not in the docker image (and in the code in the issue the subfolder is hardcoded)

antony · March 19, 2026, 7:28am

Hello @martinkoehler, welcome to the forum

When you are using subdirectory, the APP_FULL_BASE_URL should not reflect it as shown in the exemple there. It’s also a repository example that I made few years ago, this might help.

Best regards,

martinkoehler · March 20, 2026, 7:02am

Thank you very much for the fast and helpful reply. Indeed with

`APP_FULL_BASE_URL: "https://passbolt.intern`

the output is as expected and my instance is now running fine behind a reverse proxy in a subfolder, e.g.
`https://www.example.com/passbolt\`.