[support] Vaultwarden (formerly Bitwarden_rs)


8 hours ago, J05u said:

Hello, I have a very weird issue with Bitwarden via my subdomain.

When I try to access my Bitwarden via my phone's LTE, I can't connect. Once I turn on any VPN, even an ad-blocking one like AdGuard, everything works. What can be wrong?

Are you using the sample in swag?

Link to comment
7 hours ago, blaine07 said:

Posting a pic; evidently BW can't get certain favicons. Is this any reason for alarm, or?

I'm not sure how advanced that feature is, like whether it follows the HTML tag for the favicon or just assumes it lives at /favicon.ico. I have those errors too sometimes, and I haven't seen anything bad come from it.

Link to comment
2 minutes ago, Roxedus said:

And you are sure your app is set to connect to the subdomain?

Yes, as I said, I don't need to be in my local network; any VPN connection on iPhone/iPad solves the issue, so I am wondering what can be wrong. Why do I need to have a VPN turned on to make it work?

Link to comment
Just now, J05u said:

Yes, as I said, I don't need to be in my local network; any VPN connection on iPhone/iPad solves the issue, so I am wondering what can be wrong. Why do I need to have a VPN turned on to make it work?

This just reinforces my suspicion of the app using an IP or something.

Link to comment
On 12/18/2020 at 11:49 PM, tmor2 said:

Problem with ATTACHMENTS!

I have BW with Let's Encrypt. Everything works fine except attachments.

When I attach a document (e.g. an image to an Identity) and then try to open it, I get the following errors:

(1) On iPhone/iPad: "Unable to download File"

(2) On Mac (with BW being the standalone app): the spinning wheel appears (as if trying to download a document) and stays for hours. No error message.

When I go to UNRAID->appdata (share), I can clearly see that the images I uploaded are stored in a separate directory and hashed.

Someone raised a similar issue on GitHub here and here, but I don't know how to apply the solution on UNRAID with Let's Encrypt.

Any help?

Solved.

Problem was in the appdata/bitwarden/config.json file.

The second line should have started with "https" and not "http".

Link to comment

I got this set up through SWAG as a reverse proxy. All my other containers I run through it work fine and are secure (https), but this one wasn't. Firefox alerted me it wasn't secure. Is there any way to make it secure? I used the CONF sample file from SWAG and tried tweaking the configuration a few ways.

Link to comment

I'm trying to use this with SWAG/nginx and there are 2 problems I'm having trouble solving:

1. I get a 502 bad gateway using the subdomain to try and hit the bitwardenrs docker on 8086.

## Version 2020/12/09
# make sure that your dns has a cname set for bitwarden and that your bitwarden container is not using a base url
# make sure your bitwarden container is named "bitwarden"
# set the environment variable WEBSOCKET_ENABLED=true on your bitwarden container

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name bitwarden.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 128M;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwardenrs;
        set $upstream_port 8086;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /admin {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwardenrs;
        set $upstream_port 8086;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /notifications/hub {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwardenrs;
        set $upstream_port 3012;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /notifications/hub/negotiate {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwardenrs;
        set $upstream_port 8086;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
}

2. I don't want bitwarden exposed to the internet, despite the fact I am also using the reverse proxy to handle internet traffic to other dockers. Is there any way to configure this so that BitwardenRS gets SSL on the LAN but can't be reached from the WAN?

Link to comment
2 hours ago, SimplifyAndAddCoffee said:

1. I get a 502 bad gateway using the subdomain to try and hit the bitwardenrs docker on 8086.

Bitwarden_rs runs on port 80 by default; have you changed the app itself to listen on 8086?
2 hours ago, SimplifyAndAddCoffee said:

2. I don't want bitwarden exposed to the internet

There are two ways you can tackle this, but which to choose depends on two things: do you use DNS validation with SWAG, and do you have an internal DNS server?
If the answer to both is yes, you can just set up the local DNS to point to SWAG on your subdomain. If it is no on either of those, you can use allow/deny in nginx to only let the LAN subnet connect.

Link to comment
On 2/3/2021 at 2:43 AM, Roxedus said:

Bitwarden_rs runs on port 80 by default, have you changed the app itself to listen to 8086?

Yes, and I can reach it locally using http://server:8086

Quote

There are two ways you can tackle this, but which to choose depends on two things: do you use DNS validation with SWAG, and do you have an internal DNS server?
If the answer to both is yes, you can just set up the local DNS to point to SWAG on your subdomain. If it is no on either of those, you can use allow/deny in nginx to only let the LAN subnet connect.

I am using http validation, but I could theoretically change that if I have to. My local DNS is managed at the router.

For configuring nginx, would that be done in the subdomain.subdomain.conf file? Or is there a way to manage specific upstream hosts elsewhere in nginx? Any information on how to do that would be helpful, since I'm new to nginx (and Docker in general).

EDIT: I got it sorted. Didn't realize the container and app used different ports.

Edited by SimplifyAndAddCoffee
Link to comment

Hi everybody,

Did anyone already try to set up a fully local self-hosted Bitwarden (without any Let's Encrypt) and make it work with Android?

I have the bitwarden docker running on my Unraid, reachable in every web browser through https://tower:18443/bitwarden (including web browsers on my phone) thanks to a self-signed certificate with my own CA. The only thing I can't get working is the Bitwarden Android app, which throws me a "Trust anchor for certification path not found" error even though I've imported the CA certificate.

Here is how I generate my stuff:

# >>>>> CA Key
openssl genrsa -des3 -out towerrootCA.key 4096
# >>>>> CA Cert
openssl req -x509 -new -nodes -key towerrootCA.key -sha256 -extensions v3_ca -config conf.file -days 365 -out towerrootCA.crt

# >>>>> Server Key
openssl genrsa -out tower.key 2048
# >>>>> Server csr
openssl req -new -sha256 -key tower.key -subj "/C=FR/ST=FR/O=MyNas/CN=tower" -extensions v3_req -out tower.csr

# >>>>> Server cert
openssl x509 -req -in tower.csr -CA towerrootCA.crt -CAkey towerrootCA.key -CAcreateserial -out tower.crt -extensions v3_req -days 365 -sha256 -extfile conf.file
# >>>>> Full chain for the web server: leaf first, then the CA
cat tower.crt towerrootCA.crt > finalcertif.crt

With my config.file:

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = FR
ST = FR
L = Local
O = MyNas
OU = MyNas
CN = tower

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:3
keyUsage = critical, cRLSign, keyCertSign
nsCertType = sslCA, emailCA

[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = tower
DNS.2 = tower.local
DNS.3 = tower:18443

Thank you for your help, have a good day,

Edited by Miidnight
Link to comment
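The certificate flow from the post above, carried through as an added example (it is not Miidnight's script): the CA and a CA-signed server certificate are produced from one config file, the chain file is written, and the leaf is then verified against the CA and a host name the way a client does. It assumes the openssl command line (1.1.0 or later for -verify_hostname); the subject values are constructed from the post and the CA key is deliberately left unencrypted so the script runs without prompts.

```shell
# Added example, not from the thread: the CA -> server certificate flow from the
# post, with SANs taken from one config file, followed by the check a client does.
# Assumes the openssl CLI (1.1.0+ for -verify_hostname). The CA key is left
# unencrypted so this runs non-interactively; protect it (-aes256) for real use.
set -eu

make_certs() {
  dir=$1
  cat > "$dir/conf.file" <<'EOF'
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = FR
O = MyNas
CN = tower
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, cRLSign, keyCertSign
[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
# SAN entries are bare host names: no scheme and no port
DNS.1 = tower
DNS.2 = tower.local
EOF
  # CA key and self-signed CA certificate carrying the v3_ca extensions
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 365 -config "$dir/conf.file" \
    -extensions v3_ca -subj "/O=MyNas/CN=tower root CA" -out "$dir/ca.crt"
  # server key and CSR, then the CA-signed leaf carrying the v3_req extensions
  openssl genrsa -out "$dir/tower.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/tower.key" -config "$dir/conf.file" -out "$dir/tower.csr"
  openssl x509 -req -in "$dir/tower.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$dir/conf.file" -extensions v3_req -out "$dir/tower.crt" 2>/dev/null
  # chain file for the web server: leaf first, then the CA (a separate command)
  cat "$dir/tower.crt" "$dir/ca.crt" > "$dir/fullchain.crt"
}

# Prints OK when the leaf chains to the CA and its SANs cover HOST, otherwise FAIL.
verify_leaf() {
  dir=$1; host=$2
  if openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" "$dir/tower.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}
```

Run `make_certs "$(mktemp -d)"` and then `verify_leaf DIR tower`; a host name that is not in the SAN list (or the CA not being trusted by the client) is exactly what makes a client reject the certificate.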

For folks that want to protect the /admin page from being accessed from outside of the internal network when using SWAG, I think this is a better way:

Note 192.168.1.0 is the LAN network and 10.0.10.0 is a VPN network attaching remotely.

  location /admin {
    allow 192.168.1.0/24; 
    allow 10.0.10.0/24;
    deny all;
    # enable the next two lines for http auth
    # auth_basic "Restricted";
    # auth_basic_user_file /config/nginx/.htpasswd;
    proxy_pass http://bitwarden;   
  }

Link to comment
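Roxedus's allow/deny suggestion earlier in the thread and the /admin block spants posted above both rely on nginx's access module. As an added example that is not from either post, this shell script models how that module evaluates a location block (rules tested top to bottom, first match decides, no match means allowed), so the block can be checked against client addresses before nginx is reloaded; IPv4 only, and the sample addresses are constructed.

```shell
# Added example, not from the thread: a model of how nginx's access module
# evaluates allow/deny (IPv4 only). Rules are tested top to bottom against the
# peer address; the first match decides, and when nothing matches nginx allows
# the request, which is why "deny all" has to be the last rule.
set -eu

# Dotted quad -> 32-bit integer
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# True when address $1 lies inside $2, a CIDR like 192.168.1.0/24 or a bare address
in_cidr() {
  net=${2%/*}; bits=${2#*/}
  case $2 in */*) ;; *) bits=32 ;; esac
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# access_decision CLIENT_IP BLOCK: BLOCK is the text of a location block; its
# allow/deny lines are applied as nginx would apply them, everything else is skipped.
# Prints "allow" or "deny".
access_decision() {
  client=$1
  decision=$(printf '%s\n' "$2" | while read -r action target; do
    case $action in allow|deny) ;; *) continue ;; esac
    target=${target%;}
    if [ "$target" = all ] || in_cidr "$client" "$target"; then
      echo "$action"; break            # first match wins
    fi
  done)
  echo "${decision:-allow}"            # no rule matched: nginx lets it through
}
```

Feed it the posted block and an outside address such as 203.0.113.5 to see the deny; drop the `deny all;` line and the same address is allowed, which is the mistake the model is meant to catch.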
4 minutes ago, spants said:

I think this is a better way..

Why? I currently am using the method recommended with the post at the top of every page, but if you convince me, I'll switch the recommendation, or recommend both posts.

I haven't taken the time to look at the differences, so don't be offended, I'm genuinely curious, just not curious enough to do the work myself. 🙂

Link to comment
  • Roxedus changed the title to [support] Vaultwarden (formerly Bitwarden_rs)
