J05u, posted January 20:
Hello, I have a very weird issue with Bitwarden via my subdomain. When I try to access my Bitwarden via my phone's LTE, I can't connect. Once I turn on any VPN, even an ad-blocking one like AdGuard, everything works. What can be wrong?
blaine07, posted January 20:
Posting a pic; evidently BW can't get certain favicons. Is this stuff in life reason for alarm or?
Roxedus (author), posted January 20:
8 hours ago, J05u said: Hello, I have a very weird issue with Bitwarden via my subdomain. When I try to access my Bitwarden via my phone's LTE, I can't connect. Once I turn on any VPN, even an ad-blocking one like AdGuard, everything works. What can be wrong?
Are you using the sample in SWAG?
J05u, posted January 20:
1 minute ago, Roxedus said: Are you using the sample in SWAG?
Yes. It's working, but only when any VPN is turned on, even one which is changing some DNS, if I am right.
Roxedus (author), posted January 20:
7 hours ago, blaine07 said: Posting a pic; evidently BW can't get certain favicons. Is this stuff in life reason for alarm or?
I'm not sure how advanced that feature is, like if it follows the HTML tag for the favicon, or just assumes it lives on /favicon.ico. I have those errors too sometimes, and I haven't seen anything bad from it.
Roxedus (author), posted January 20:
3 minutes ago, J05u said: Yes. It's working, but only when any VPN is turned on, even one which is changing some DNS, if I am right.
And you are sure your app is set to connect to the subdomain?
J05u, posted January 20:
2 minutes ago, Roxedus said: And you are sure your app is set to connect to the subdomain?
Yes, as I said, I don't need to be in my local network; any VPN connection on iPhone/iPad solves the issue, so I am wondering what can be wrong. Why do I need to have any VPN turned on to make it work?
Roxedus (author), posted January 20:
Just now, J05u said: Yes, as I said, I don't need to be in my local network; any VPN connection on iPhone/iPad solves the issue, so I am wondering what can be wrong. Why do I need to have any VPN turned on to make it work?
This just enforces my suspicion of the app using an IP or something.
J05u, posted January 20:
16 minutes ago, Roxedus said: This just enforces my suspicion of the app using an IP or something.
In the app I just pointed to the domain name. And plus the webpage is not opening also.
Roxedus (author), posted January 20:
1 minute ago, J05u said: In the app I just pointed to the domain name. And plus the webpage is not opening also.
And just to be sure, other sites on the same domain work?
J05u, posted January 20:
2 minutes ago, Roxedus said: And just to be sure, other sites on the same domain work?
Yes, Sonarr is working fine under the same domain. I don't need any VPN, nothing.
Abigel, posted January 25:
Hi, why do I not have the Emergency Access option?
Roxedus (author), posted January 25:
Abigel said: Hi, why do I not have the Emergency Access option?
It is not implemented in this version.
blaine07, posted January 29:
On 1/25/2021 at 8:06 AM, Roxedus said: It is not implemented in this version.
Any idea when this will be updated to include their new features and such, mate?
Roxedus (author), posted January 29:
21 minutes ago, blaine07 said: Any idea when this will be updated to include their new features and such, mate?
Follow the bitwarden_rs project. As stated in the post, I do not create these applications.
blaine07, posted January 29:
Just now, Roxedus said: Follow the bitwarden_rs project. As stated in the post, I do not create these applications.
I probably knew that; sigh. Thank you LOL
tmor2, posted January 30:
On 12/18/2020 at 11:49 PM, tmor2 said: Problem with ATTACHMENTS! I have BW with Letsencrypt. Everything works fine except attachments. When I attach a document (e.g. an image to an Identity), then try to open it, I get the following errors: (1) On iPhone/iPad: "Unable to download File". (2) On Mac (with BW being a standalone app): the spinning wheel appears (as if trying to download a document); the spinning wheel stays for hours. No error message. When I go to UNRAID -> appdata (share), I can clearly see that the images I uploaded are stored in a separate directory and hashed. Someone raised a similar issue on GitHub here and here, but I don't know how to apply the solution on UNRAID with letsencrypt. Any help?
Solved. The problem was in the appdata/bitwarden/config.json file. The second line should have started with "https" and not "http".
s449, posted January 30:
I got this set up through SWAG for a reverse proxy. All my other containers I run through it work fine and are secure (https). But this one wasn't. Firefox alerted me it wasn't secure. Is there any way to make it secure? I used the CONF sample file from SWAG and tried tweaking the configuration a few ways.
SimplifyAndAddCoffee, posted February 3:
I'm trying to use this with SWAG/nginx and there are 2 problems I'm having trouble solving:

1. I get a 502 bad gateway using the subdomain to try and hit the bitwardenrs docker on 8086.

    ## Version 2020/12/09
    # make sure that your dns has a cname set for bitwarden and that your bitwarden container is not using a base url
    # make sure your bitwarden container is named "bitwarden"
    # set the environment variable WEBSOCKET_ENABLED=true on your bitwarden container

    server {
        listen 443 ssl;
        listen [::]:443 ssl;

        server_name bitwarden.*;

        include /config/nginx/ssl.conf;

        client_max_body_size 128M;

        # enable for ldap auth, fill in ldap details in ldap.conf
        #include /config/nginx/ldap.conf;

        # enable for Authelia
        #include /config/nginx/authelia-server.conf;

        location / {
            # enable the next two lines for http auth
            #auth_basic "Restricted";
            #auth_basic_user_file /config/nginx/.htpasswd;

            # enable the next two lines for ldap auth
            #auth_request /auth;
            #error_page 401 =200 /ldaplogin;

            # enable for Authelia
            #include /config/nginx/authelia-location.conf;

            include /config/nginx/proxy.conf;
            resolver 127.0.0.11 valid=30s;
            set $upstream_app bitwardenrs;
            set $upstream_port 8086;
            set $upstream_proto http;
            proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        }

        location /admin {
            # enable the next two lines for http auth
            #auth_basic "Restricted";
            #auth_basic_user_file /config/nginx/.htpasswd;

            # enable the next two lines for ldap auth
            #auth_request /auth;
            #error_page 401 =200 /ldaplogin;

            # enable for Authelia
            #include /config/nginx/authelia-location.conf;

            include /config/nginx/proxy.conf;
            resolver 127.0.0.11 valid=30s;
            set $upstream_app bitwardenrs;
            set $upstream_port 8086;
            set $upstream_proto http;
            proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        }

        location /notifications/hub {
            include /config/nginx/proxy.conf;
            resolver 127.0.0.11 valid=30s;
            set $upstream_app bitwardenrs;
            set $upstream_port 3012;
            set $upstream_proto http;
            proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        }

        location /notifications/hub/negotiate {
            include /config/nginx/proxy.conf;
            resolver 127.0.0.11 valid=30s;
            set $upstream_app bitwardenrs;
            set $upstream_port 8086;
            set $upstream_proto http;
            proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        }
    }

2. I don't want bitwarden exposed to the internet, despite the fact I am also using the reverse proxy to handle internet traffic to other dockers. Is there any way to configure this so that BitwardenRS gets SSL on the LAN but can't be reached from the WAN?
Roxedus (author), posted February 3:
2 hours ago, SimplifyAndAddCoffee said: 1. I get a 502 bad gateway using the subdomain to try and hit the bitwardenrs docker on 8086.
Bitwarden_rs runs on port 80 by default; have you changed the app itself to listen on 8086?
2 hours ago, SimplifyAndAddCoffee said: 2. I don't want bitwarden exposed to the internet
There are two ways you can tackle this. But which to choose depends on two things: do you use DNS validation with SWAG, and do you have an internal DNS server? If the answer to both is yes, you can just set up the local DNS to point to SWAG on your subdomain. If it is no on either of those, you can use allow/deny in nginx to only let the LAN subnet connect.
SimplifyAndAddCoffee, posted February 3 (edited February 4):
On 2/3/2021 at 2:43 AM, Roxedus said: Bitwarden_rs runs on port 80 by default; have you changed the app itself to listen on 8086?
Yes, and I can reach it locally using http://server:8086
Roxedus said: There are two ways you can tackle this. But which to choose depends on two things: do you use DNS validation with SWAG, and do you have an internal DNS server? If the answer to both is yes, you can just set up the local DNS to point to SWAG on your subdomain. If it is no on either of those, you can use allow/deny in nginx to only let the LAN subnet connect.
I am using HTTP validation, but I could theoretically change that if I have to. My local DNS is managed at the router. For configuring nginx, would that be done in the subdomain.subdomain.conf file? Or is there a way to manage specific upstream hosts elsewhere in nginx? Any information on how to do that would be helpful, since I'm new to nginx (and Docker in general).
EDIT: I got it sorted. Didn't realize the container and app used different ports.
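The allow/deny approach Roxedus describes, worked through as an added example (this is not SWAG's sample file and not anything posted in this thread). It assumes the LAN is 192.168.1.0/24, the container is named bitwardenrs, and bitwarden_rs listens on its default port 80 inside the container; the file path in the first comment is a guess at the SWAG layout and should be adjusted.

```nginx
# /config/nginx/proxy-confs/bitwarden.subdomain.conf  (assumed location; adjust to your SWAG setup)
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name bitwarden.*;

    include /config/nginx/ssl.conf;
    client_max_body_size 128M;

    # LAN-only gate, placed at server level so it covers every location below
    # (including /admin and the websocket paths). 192.168.1.0/24 is an assumed
    # LAN range; a VPN range can be added with another allow line.
    allow 192.168.1.0/24;
    deny all;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwardenrs;
        # Port the app listens on INSIDE the container (bitwarden_rs default: 80),
        # not the host port mapped with -p; SWAG reaches the container directly.
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }

    location /admin {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwardenrs;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }

    location /notifications/hub {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwardenrs;
        set $upstream_port 3012;   # separate websocket listener of bitwarden_rs
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }

    location /notifications/hub/negotiate {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwardenrs;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
```

Two things to check after applying this: run the container's nginx config test (nginx -t) before reloading, and confirm what source address nginx actually sees from LAN clients. If LAN devices reach the public hostname through the router's hairpin NAT, the source may show up as the router's own address rather than the client's; in that case the address must be allowed too, or the local-DNS approach from the same post (pointing the subdomain at SWAG internally) is the cleaner choice.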
Roxedus (author), posted February 4:
3 hours ago, foR said: unable to open database file
Sounds like the database is missing, corrupted or set to read-only.
Miidnight, posted February 7 (edited February 7):
Hi everybody,
Did anyone already try to set up a fully local self-hosted Bitwarden (without any Let's Encrypt) and make it work with Android? I have the Bitwarden docker running on my Unraid, reachable in all web browsers through https://tower:18443/bitwarden (including web browsers on my phone) thanks to a self-signed certificate with a self CA. The only thing I can't get working is the Bitwarden Android app, which throws me a "Trust anchor for certification path not found" error even though I've imported the CA certificate.
Here is how I generate my stuff:

    # >>>>> CA Key
    openssl genrsa -des3 -out towerrootCA.key 4096
    # >>>>> CA Cert
    openssl req -x509 -new -nodes -key towerrootCA.key -sha256 -extensions v3_ca -config conf.file -days 365 -out towerrootCA.crt
    # >>>>> Server Key
    openssl genrsa -out tower.key 2048
    # >>>>> Server csr
    openssl req -new -sha256 -key tower.key -subj "/C=FR/ST=FR/O=MyNas/CN=tower" -extensions v3_req -out tower.csr
    # >>>>> Server cert (extensions are taken from conf.file via -extfile, not from the CSR)
    openssl x509 -req -in tower.csr -CA towerrootCA.crt -CAkey towerrootCA.key -CAcreateserial -out tower.crt -extensions v3_req -days 365 -sha256 -extfile conf.file
    # leaf first, then the CA
    cat tower.crt towerrootCA.crt > finalcertif.crt

With my conf.file:

    [req]
    distinguished_name = req_distinguished_name
    x509_extensions = v3_req
    prompt = no

    [req_distinguished_name]
    C = FR
    ST = FR
    L = Local
    O = MyNas
    OU = MyNas
    CN = tower

    [ v3_ca ]
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer
    basicConstraints = critical, CA:TRUE, pathlen:3
    keyUsage = critical, cRLSign, keyCertSign
    nsCertType = sslCA, emailCA

    [v3_req]
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = tower
    DNS.2 = tower.local
    # a SAN entry is a host name or IP only; a port (tower:18443) is not part of the name

Thank you for your help, have a good day.
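The same private-CA setup as an added, self-contained script (it is not Miidnight's script and not part of any project discussed here). It builds a root CA that can only sign end-entity certificates, issues a server certificate whose SANs are host names and an IP (never a port), writes the chain in the order a TLS server presents it, and then checks the result the way a client would: chain verification against the CA, the SAN list, and which file is actually the trust anchor (the one with CA:TRUE). The names MyNas Root CA, tower, tower.local and 192.168.1.10 are assumed; it needs the openssl CLI (1.1.1 or newer).

```shell
#!/bin/sh
# Added example: private CA + server certificate with SANs, then verification.
# Assumed names: CA "MyNas Root CA", server "tower"/"tower.local", LAN IP 192.168.1.10.

# make_certs DIR: write ca.key/ca.crt, tower.key/tower.crt and fullchain.crt into DIR.
make_certs() {
    dir="$1"
    mkdir -p "$dir"

    # CA config: self-signed root that may only sign end-entity certs (pathlen:0).
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
C = FR
O = MyNas
CN = MyNas Root CA
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, cRLSign, keyCertSign
EOF

    # Server config: SAN entries are host names or IP addresses only; a port is never part of a name.
    cat > "$dir/server.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
C = FR
O = MyNas
CN = tower
[v3_req]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = tower
DNS.2 = tower.local
IP.1 = 192.168.1.10
EOF

    openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 365 \
        -config "$dir/ca.cnf" -out "$dir/ca.crt" 2>/dev/null
    openssl genrsa -out "$dir/tower.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/tower.key" -config "$dir/server.cnf" \
        -out "$dir/tower.csr" 2>/dev/null
    # x509 -req ignores extensions inside the CSR; they come from -extfile/-extensions.
    openssl x509 -req -in "$dir/tower.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/server.cnf" -extensions v3_req \
        -out "$dir/tower.crt" 2>/dev/null
    # Leaf first, then its issuer: the order a TLS server must present the chain in.
    cat "$dir/tower.crt" "$dir/ca.crt" > "$dir/fullchain.crt"
}

# verify_chain DIR: succeed only if tower.crt chains to ca.crt (what a client's trust check does).
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/tower.crt" >/dev/null 2>&1
}

# cert_has_san DIR NAME: succeed if NAME (e.g. "DNS:tower.local") is in the leaf's subjectAltName.
cert_has_san() {
    openssl x509 -in "$1/tower.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | grep -q -- "$2"
}

# is_ca DIR FILE: succeed if FILE carries CA:TRUE, i.e. it is the file to import as the trust anchor.
is_ca() {
    openssl x509 -in "$1/$2" -noout -text | grep -q 'CA:TRUE'
}

# Stand-alone run: generate into a temp dir and report.
out="$(mktemp -d)"
make_certs "$out"
verify_chain "$out" && echo "chain verifies; trust anchor is $out/ca.crt"
```

The file to import on a client is ca.crt (CA:TRUE), not the server certificate; a client that is handed only the leaf has no anchor to build a path to, and verify_chain models exactly that check.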
spants, posted February 8:
For folks that want to protect the /admin page from being accessed from outside of the internal network when using SWAG, I think this is a better way.....
Note 192.168.1.0 is the LAN network and 10.0.10.0 is a VPN network attaching remotely.

    location /admin {
        allow 192.168.1.0/24;
        allow 10.0.10.0/24;
        deny all;

        # enable the next two lines for http auth
        # auth_basic "Restricted";
        # auth_basic_user_file /config/nginx/.htpasswd;

        proxy_pass http://bitwarden;
    }
jonathanm, posted February 8:
4 minutes ago, spants said: I think this is a better way..
Why? I currently am using the method recommended in the post at the top of every page, but if you convince me, I'll switch the recommendation, or recommend both posts. I haven't taken the time to look at the differences, so don't be offended; I'm genuinely curious, just not curious enough to do the work myself. 🙂